No subject


Thu Nov 23 16:31:58 EST 2017


Henry Spencer

[...]

2. Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end.

[...]

Thou hast broken the second commandment for C programmers, repent
sinners!

     -Marty


william.c.gercken at ...350... wrote:
>
> Testing the new XML changes in 1.8-beta6 build 26 snort crashes in snml().
>
> My output processor config:
>
> output xml: alert, file=alert_xml detail=full
>
> The segV:
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x8063366 in snml (d=0x80c18d0, p=0xbffff670,
>     msg=0xbffff4a0 "spp_unidecode: Invalid Unicode String detected",
>     event=0xbffff480) at spo_xml.c:1545
> 1545           ds_ptr = (ReferenceData *)otn_tmp->ds_list[PLUGIN_REFERENCE_NUMBER];
>
> The back trace:
>
> #0  0x8063366 in snml (d=0x80c18d0, p=0xbffff670,
>     msg=0xbffff4a0 "spp_unidecode: Invalid Unicode String detected",
>     event=0xbffff480) at spo_xml.c:1545
> #1  0x8061a78 in LogXml (p=0xbffff670,
>     msg=0xbffff4a0 "spp_unidecode: Invalid Unicode String detected",
>     arg=0x80c18d0, event=0xbffff480) at spo_xml.c:511
> #2  0x80558a0 in CallAlertPlugins (p=0xbffff670,
>     message=0xbffff4a0 "spp_unidecode: Invalid Unicode String detected",
>     args=0x0, event=0xbffff480) at rules.c:3511
> #3  0x806fc9d in LogInvalid (p=0xbffff670) at spp_unidecode.c:560
> #4  0x806f957 in GetNextChar (
>     Buff=0x80ae936 "%EB%25%06%2B%E4ijl%E7%9C%E6%F6%E8g%03%22%5B
> [-]UR2%5FUSER%5FI
> D=Monroej26[-]UR2%5FLOGGED%5FIN=LEVEL2
> [-]UR2%5FEXPIRETIME=Mon%2C+18%2DJun%2D2001
> +20%3A17%3A33+GMT\r\n\r\n\r\n<tr><td><img alt=\"\" name=\"arrow2\" src"...,
>     NextChar=0xbffff5fb "%pöÿ¿pöÿ¿/\001", p=0xbffff670) at
> spp_unidecode.c:351
> #5  0x806f899 in TranslateUnicode (
>     InBuff=0x80ae8de "2ADS[-]UR2_USER_ID=Monroej26[-]UR2_LOGGED_IN=LEVEL2;
> NS_RE
> G2_LOGIN2=SHA1=A%BC\021A1=A%BC%11%EB%25%06%2B%E4ijl%E7%9C%E6%F6%E8g%03%22%5B
>
> -]U
> R2%5FUSER%5FID=Monroej26[-]UR2%5FLOGGED%5FIN=LEVEL2[-]UR2%5FEXPIR"...,
>     InLength=249,
>     OutBuff=0x80ae8de "2ADS[-]UR2_USER_ID=Monroej26[-]UR2_LOGGED_IN=LEVEL2;
> NS_R
> EG2_LOGIN2=SHA1=A%BC\021A1=A%BC%11%EB%25%06%2B%E4ijl%E7%9C%E6%F6%E8g%03%22%5B
>
> -]
> UR2%5FUSER%5FID=Monroej26[-]UR2%5FLOGGED%5FIN=LEVEL2[-]UR2%5FEXPIR"...,
>     OutLength=249, p=0xbffff670) at spp_unidecode.c:304
> #6  0x806f761 in UPreprocUrlDecode (p=0xbffff670) at spp_unidecode.c:227
> #7  0x8055722 in Preprocess (p=0xbffff670) at rules.c:3422
> #8  0x804b223 in ProcessPacket (user=0x0, pkthdr=0xbffffb10,
>     pkt=0x80ae8a8 "\b") at snort.c:509
> #9  0x807202c in pcap_read_packet ()
> #10 0x8072db7 in pcap_loop ()
> #11 0x804c4e7 in InterfaceThread (arg=0x0) at snort.c:1385
> #12 0x804b0ef in main (argc=7, argv=0xbffffcc4) at snort.c:442
> #13 0x40154b65 in __libc_start_main (main=0x804aaac <main>, argc=7,
>     ubp_av=0xbffffcc4, init=0x8049f9c <_init>, fini=0x807b05c <_fini>,
>     rtld_fini=0x4000df24 <_dl_fini>, stack_end=0xbffffcbc)
>     at ../sysdeps/generic/libc-start.c:111
>
> Misc:
>
> (gdb) print *ds_ptr
> $1 = {system = 0x0, id = 0x2 <Address 0x2 out of bounds>,
>   url = 0x849c8e8 "signature", next = 0x849c890}
> (gdb) print *event
> $2 = {sig_generator = 110, sig_id = 4, sig_rev = 1, classification = 0,
>   priority = 0, event_reference = 1}
>
> (gdb) print (ReferenceData*)otn_tmp->ds_list[20]
> Cannot access memory at address 0x54
> (gdb) print *otn_tmp
> Cannot access memory at address 0x0
> (gdb) print otn_tmp
> $3 = (OptTreeNode *) 0x0
>
> Anyone have time to look at this?
>
> Thanks.
> -bill

--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
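
The failure mode in the report above, as an added example that is not from the original thread or from Snort's source: the alert in the backtrace is raised by spp_unidecode, otn_tmp is NULL, and the output code reads ds_list through it. The struct layouts, DS_LIST_SIZE, the format_references helper and the sample data are assumptions; the index 20 is the one typed in the gdb session.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the types named in the gdb session; layouts,
 * DS_LIST_SIZE and the helper below are assumptions, not Snort's code. */
#define PLUGIN_REFERENCE_NUMBER 20  /* index typed in the gdb session */
#define DS_LIST_SIZE 32

typedef struct ReferenceData {
    const char *system, *id, *url;
    struct ReferenceData *next;
} ReferenceData;

typedef struct OptTreeNode { void *ds_list[DS_LIST_SIZE]; } OptTreeNode;

/* Append "system,id;" for each complete reference of the matched rule.
 * Returns the number written; 0 when there is no rule (otn == NULL). */
int format_references(const OptTreeNode *otn, char *out, size_t outlen)
{
    size_t used = 0;
    int n = 0;
    if (out == NULL || outlen == 0) return 0;
    out[0] = '\0';
    if (otn == NULL) return 0;          /* preprocessor alert: no rule node */
    for (const ReferenceData *r = otn->ds_list[PLUGIN_REFERENCE_NUMBER];
         r != NULL; r = r->next) {
        if (r->system == NULL || r->id == NULL) continue;  /* incomplete entry */
        int w = snprintf(out + used, outlen - used, "%s,%s;", r->system, r->id);
        if (w < 0 || (size_t)w >= outlen - used) {  /* would not fit: stop */
            out[used] = '\0';
            break;
        }
        used += (size_t)w;
        n++;
    }
    return n;
}

/* Constructed sample data: one complete reference, one with system == NULL. */
static ReferenceData ref2 = { NULL, "2", "signature", NULL };
static ReferenceData ref1 = { "bugtraq", "1234", "http://example.invalid/", &ref2 };
static OptTreeNode rule = { .ds_list = { [PLUGIN_REFERENCE_NUMBER] = &ref1 } };

int main(void)
{
    char buf[64];
    printf("rule alert: %d refs\n", format_references(&rule, buf, sizeof buf));
    printf("preprocessor alert: %d refs\n", format_references(NULL, buf, sizeof buf));
    return 0;
}
```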



