[Snort-devel] Integer overflow in perfmonitor preprocessor

Mike Cox mike.cox52 at ...2499...
Tue Aug 11 09:19:49 EDT 2015


Also related to the perfmonitor -- the manual says, for 'max_file_size',
"The minimum is 4096 bytes and the maximum is 2147483648 bytes" but there
is an off-by-one error because that maximum is not accepted by Snort:

Perfmonitor:  Invalid argument to "max_file_size".  The value must be
an integer between 4096 and 2147483647.

-Mike Cox



On Wed, Aug 5, 2015 at 12:07 PM, Hui cao <huica at ...3461...> wrote:

> Hi Mike,
>
> Thanks for reporting this issue. We will fix this issue the future release.
>
> Best,
> Hui.
>
>
> On 08/05/2015 11:48 AM, Mike Cox wrote:
>
> Just an output bug.  Snort 2.9.7.5 is affected and probably previous
> versions. In src/preprocessors/spp_perfmonitor.c there is this code:
>
>                 ParseError("Perfmonitor:  Invalid argument to \"%s\".  The
> "
>                         "value must be an integer between 0 and %d.",
>                         PERFMON_ARG__PKT_COUNT, UINT32_MAX)
>
> But the printf '%d' is signed and UINT32_MAX is unsigned so you get output
> like this:
>
> Perfmonitor:  Invalid argument to "pktcnt".  The value must be an integer
> between 0 and -1.
>
> Change '%d' to '%u' to fix.  Then you get proper output like:
>
> Perfmonitor:  Invalid argument to "pktcnt".  The value must be an integer
> between 0 and 4294967295.
>
> -Mike Cox
>
>
> ------------------------------------------------------------------------------
>
>
>
> _______________________________________________
> Snort-devel mailing listSnort-devel at ...3458...://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20150811/943fc93b/attachment.html>


More information about the Snort-devel mailing list