No subject


Thu Nov 23 16:31:58 EST 2017


Program terminated with signal 10, Bus Error.
#0  0x1c92c in DecodeTCP (pkt=0x3232d2a "§\f", len=1180, p=0xefffedc8)
    at decode.c:1858
1858            ph.sip = (u_int32_t)(p->iph->ip_src.s_addr);
(gdb) where
#0  0x1c92c in DecodeTCP (pkt=0x3232d2a "§\f", len=1180, p=0xefffedc8)
    at decode.c:1858
#1  0x1c200 in DecodeIP (pkt=0x3232d16 "E", len=1200, p=0xefffedc8)
    at decode.c:1605
#2  0x19d5c in DecodeEthPkt (p=0xefffedc8, pkthdr=0x3233928,
    pkt=0x3232d08 "") at decode.c:110
#3  0x446ac in TraverseFunc (NodePtr=0x3233910, build_data=0xeffff358)
    at spp_stream4.c:562
#4  0x2c914 in ubi_btTraverse (RootPtr=0x3212aec,
    EachNode=0x4446c <TraverseFunc>, UserData=0xeffff358)
    at ubi_BinTree.c:1019
#5  0x47d64 in BuildPacket (s=0x3212ac4, stream_size=7898,
    p=0xeffff5c8, direction=679520) at spp_stream4.c:3392
#6  0x47970 in FlushStream (s=0x3212ac4, p=0xeffff5c8,
    direction=679520) at spp_stream4.c:3233
#7  0x481dc in TcpAction (ssn=0x3212a78, p=0xeffff5c8, action=16,
    direction=0, pkt_seq=3784491527, pkt_ack=2612277217)
    at spp_stream4.c:3660
#8  0x45894 in ReassembleStream4 (p=0xeffff5c8) at spp_stream4.c:1381
#9  0x2ee6c in Preprocess (p=0xeffff5c8) at detect.c:83
#10 0x2960c in ProcessPacket (user=0x0, pkthdr=0xd6400,
    pkt=0x15d046 "") at snort.c:580
#11 0x4b844 in pcap_read ()
#12 0x4c938 in pcap_loop ()
#13 0x2ada0 in InterfaceThread (arg=0xd6670) at snort.c:1637
#14 0x29490 in SnortMain (argc=878192, argv=0xeffffd64) at snort.c:514
#15 0x28da0 in main (argc=14, argv=0xeffffd64) at snort.c:95


The problem is an alignment one.  Note that 'pkt' is 32-bit aligned in the
arguments of the call to DecodeEthPkt, but by the time it calls DecodeIP,
'pkt' is no longer 32-bit aligned (the 14-byte Ethernet header has been
stripped from the front).

After some digging, I found that this particular copy of the packet was
malloc'ed in StoreStreamPkt() at spp_stream4.c:2963.
Note: malloc returns space suitably aligned for the architecture, so the
start of the buffer is aligned but the IP header 14 bytes into it is not.


So I changed the allocation to grab 2 extra bytes (actually 'SPARC_TWIDDLE')
and store the packet 2 bytes higher in memory.  I therefore also needed to
change all the calls that later free() this space, and the related space
tracking with 'stream4_memory_usage'.  This was done by changing all the
calls to free() with the argument 'spd->pkt', 'foo->pkt', and 'tmp->pkt' in
the file.  Hopefully that was correct.


Here is the context diff of my changes; they seem to be having the desired
effect here:


===================================================================
RCS file: RCS/spp_stream4.c,v
retrieving revision 1.1
diff -c -r1.1 spp_stream4.c
*** spp_stream4.c       2002/10/17 05:00:39     1.1
--- spp_stream4.c       2002/10/17 05:28:12
***************
*** 404,411 ****
=20=20
      tmp =3D (StreamPacketData *)NodePtr;
=20=20
!     stream4_memory_usage -=3D tmp->pkt_size;
!     free(tmp->pkt);
=20=20
      stream4_memory_usage -=3D sizeof(StreamPacketData);
      free(tmp);
--- 404,411 ----
=20=20
      tmp =3D (StreamPacketData *)NodePtr;
=20=20
!     stream4_memory_usage -=3D tmp->pkt_size + SPARC_TWIDDLE;
!     free(tmp->pkt - SPARC_TWIDDLE);
=20=20
      stream4_memory_usage -=3D sizeof(StreamPacketData);
      free(tmp);
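Review bot: The invariant that `tmp->pkt` points SPARC_TWIDDLE bytes past the start of its own allocation is now restated by hand at ten release sites (this hunk at 404 and the hunks at 600, 3021, 3049, 3061, 3087, 3112, 3125, 3165 and 3190), and any site that is missed now or added later without the `- SPARC_TWIDDLE` becomes an invalid free() plus a drift in stream4_memory_usage. Keeping the offset in one static helper next to the allocation in StoreStreamPkt would let each of these sites collapse to a single call and make the accounting symmetric with the allocation by construction. The definition of SPARC_TWIDDLE is not in the diff; if it is non-zero on non-SPARC builds the extra bytes are harmless, but that should be stated in a comment at its definition. The function enclosing this hunk starts and ends outside the hunk.
```c
/* Release one stored segment.  spd->pkt was handed out SPARC_TWIDDLE bytes
 * past the start of its allocation (see StoreStreamPkt), so the raw
 * allocation begins before it; keep the offset in this one place. */
static void FreeStreamPacketData(StreamPacketData *spd)
{
    stream4_memory_usage -= spd->pkt_size + SPARC_TWIDDLE;
    free(spd->pkt - SPARC_TWIDDLE);
    stream4_memory_usage -= sizeof(StreamPacketData);
    free(spd);
}
```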
***************
*** 600,607 ****
              DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "chucking used=20
segment\n"););
              foo =3D (StreamPacketData *) ubi_sptRemove(s->dataPtr,=20
                                                       (ubi_btNodePtr) savs=
pd);
!             stream4_memory_usage -=3D foo->pkt_size;
!             free(foo->pkt);
              stream4_memory_usage -=3D sizeof(StreamPacketData);
              free(foo);
          }
--- 600,607 ----
              DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "chucking used=20
segment\n"););
              foo =3D (StreamPacketData *) ubi_sptRemove(s->dataPtr,=20
                                                       (ubi_btNodePtr) savs=
pd);
!             stream4_memory_usage -=3D foo->pkt_size + SPARC_TWIDDLE;
!             free(foo->pkt - SPARC_TWIDDLE);
              stream4_memory_usage -=3D sizeof(StreamPacketData);
              free(foo);
          }
***************
*** 2960,2967 ****
          DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "[A] Allocating %u bytes fo=
r=20
packet\n",
                                  p->pkth->caplen););
=20=20
!         spd->pkt =3D (u_int8_t *) SafeAlloc(p->pkth->caplen, p->pkth->
ts.tv_sec,
!                                           ssn);
          spd->pkt_size =3D p->pkth->caplen;
=20=20
          /* copy the packet */
--- 2960,2967 ----
          DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "[A] Allocating %u bytes fo=
r=20
packet\n",
                                  p->pkth->caplen););
=20=20
!         spd->pkt =3D (u_int8_t *) SafeAlloc(p->pkth->caplen + SPARC_TWIDD=
LE,=20
p->pkth->ts.tv_sec,
!                                           ssn) + SPARC_TWIDDLE;
          spd->pkt_size =3D p->pkth->caplen;
=20=20
          /* copy the packet */
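Review bot: The `+ SPARC_TWIDDLE` added to SafeAlloc's return value is what makes the IP header, 14 bytes in, land on a 32-bit boundary, but nothing at the site says so, and a reader who sees `spd->pkt_size = p->pkth->caplen` next to an allocation of `caplen + SPARC_TWIDDLE` will take it for a bug; add `/* Offset the buffer by SPARC_TWIDDLE so the IP header following the 14-byte Ethernet header is 32-bit aligned; every free of spd->pkt must subtract it again. */`. The offset only compensates for a 14-byte link-layer header, and whether other link types reach this path with a different header length is not visible here and should be confirmed. If SafeAlloc can return NULL instead of handling failure itself (its body is not in the diff), the addition turns NULL into a non-null pointer that the copy below dereferences unchecked, so any NULL check belongs before the offset is applied. Because the cast binds tighter than `+`, the arithmetic is done on `u_int8_t *`, which is correct as written. StoreStreamPkt starts and ends outside the hunk.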
***************
*** 3021,3028 ****
                      DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "TCP Checksums =
not=20
equal\n"););
=20=20
=20=20=20=20=20=20
!                     stream4_memory_usage -=3D spd->pkt_size;
!                     free(spd->pkt);
=20=20=20=20=20=20
                      stream4_memory_usage -=3D sizeof(StreamPacketData);
                      free(spd);
--- 3021,3028 ----
                      DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "TCP Checksums =
not=20
equal\n"););
=20=20
=20=20=20=20=20=20
!                     stream4_memory_usage -=3D spd->pkt_size + SPARC_TWIDD=
LE;
!                     free(spd->pkt - SPARC_TWIDDLE);
=20=20=20=20=20=20
                      stream4_memory_usage -=3D sizeof(StreamPacketData);
                      free(spd);
***************
*** 3049,3056 ****
                      How easy is it to fool IDSes by retransmissions
                      with the same checksum but different IPs...
                      */
!                     stream4_memory_usage -=3D spd->pkt_size;
!                     free(spd->pkt);
=20=20=20=20=20=20
                      stream4_memory_usage -=3D sizeof(StreamPacketData);
                      free(spd);
--- 3049,3056 ----
                      How easy is it to fool IDSes by retransmissions
                      with the same checksum but different IPs...
                      */
!                     stream4_memory_usage -=3D spd->pkt_size + SPARC_TWIDD=
LE;
!                     free(spd->pkt - SPARC_TWIDDLE);
=20=20=20=20=20=20
                      stream4_memory_usage -=3D sizeof(StreamPacketData);
                      free(spd);
***************
*** 3061,3068 ****
              else
              {
                  /* screw it, we already ack'd this data */
!                 stream4_memory_usage -=3D spd->pkt_size;
!                 free(spd->pkt);
=20=20
                  stream4_memory_usage -=3D sizeof(StreamPacketData);
                  free(spd);
--- 3061,3068 ----
              else
              {
                  /* screw it, we already ack'd this data */
!                 stream4_memory_usage -=3D spd->pkt_size + SPARC_TWIDDLE;
!                 free(spd->pkt - SPARC_TWIDDLE);
=20=20
                  stream4_memory_usage -=3D sizeof(StreamPacketData);
                  free(spd);
***************
*** 3087,3094 ****
              if(s->last_ack > pkt_seq + p->dsize)
              {
                  /* screw it, we already ack'd this data */
!                 stream4_memory_usage -=3D spd->pkt_size;
!                 free(spd->pkt);
=20=20
                  stream4_memory_usage -=3D sizeof(StreamPacketData);
                  free(spd);
--- 3087,3094 ----
              if(s->last_ack > pkt_seq + p->dsize)
              {
                  /* screw it, we already ack'd this data */
!                 stream4_memory_usage -=3D spd->pkt_size + SPARC_TWIDDLE;
!                 free(spd->pkt - SPARC_TWIDDLE);
=20=20
                  stream4_memory_usage -=3D sizeof(StreamPacketData);
                  free(spd);
***************
*** 3112,3119 ****
                  foo =3D (StreamPacketData *) ubi_sptRemove(s->dataPtr,=20
                                                           (ubi_btNodePtr)=
=20
returned);
=20=20
!                 stream4_memory_usage -=3D foo->pkt_size;
!                 free(foo->pkt);
=20=20
                  stream4_memory_usage -=3D sizeof(StreamPacketData);
                  free(foo);
--- 3112,3119 ----
                  foo =3D (StreamPacketData *) ubi_sptRemove(s->dataPtr,=20
                                                           (ubi_btNodePtr)=
=20
returned);
=20=20
!                 stream4_memory_usage -=3D foo->pkt_size + SPARC_TWIDDLE;
!                 free(foo->pkt - SPARC_TWIDDLE);
=20=20
                  stream4_memory_usage -=3D sizeof(StreamPacketData);
                  free(foo);
***************
*** 3125,3132 ****
              if(s->last_ack > pkt_seq + p->dsize)
              {
                  /* screw it, we already ack'd this data */
!                 stream4_memory_usage -=3D spd->pkt_size;
!                 free(spd->pkt);
=20=20
                  stream4_memory_usage -=3D sizeof(StreamPacketData);
                  free(spd);
--- 3125,3132 ----
              if(s->last_ack > pkt_seq + p->dsize)
              {
                  /* screw it, we already ack'd this data */
!                 stream4_memory_usage -=3D spd->pkt_size + SPARC_TWIDDLE;
!                 free(spd->pkt - SPARC_TWIDDLE);
=20=20
                  stream4_memory_usage -=3D sizeof(StreamPacketData);
                  free(spd);
***************
*** 3165,3172 ****
                      DEBUG_WRAP(DebugMessage(DEBUG_STREAM,
                                              "Generating packets=20
retranmissions faster than we should\n"););
=20=20=20=20=20=20=20=20=20=20
!                     stream4_memory_usage -=3D spd->pkt_size;
!                     free(spd->pkt);
=20=20=20=20=20=20
                      stream4_memory_usage -=3D sizeof(StreamPacketData);
                      free(spd);
--- 3165,3172 ----
                      DEBUG_WRAP(DebugMessage(DEBUG_STREAM,
                                              "Generating packets=20
retranmissions faster than we should\n"););
=20=20=20=20=20=20=20=20=20=20
!                     stream4_memory_usage -=3D spd->pkt_size + SPARC_TWIDD=
LE;
!                     free(spd->pkt - SPARC_TWIDDLE);
=20=20=20=20=20=20
                      stream4_memory_usage -=3D sizeof(StreamPacketData);
                      free(spd);
***************
*** 3190,3197 ****
                      foo =3D (StreamPacketData *) ubi_sptRemove(s->dataPtr=
,=20
                                                               (ubi_btNodeP=
tr)=20
returned);
=20=20=20=20=20=20
!                     stream4_memory_usage -=3D foo->pkt_size;
!                     free(foo->pkt);
=20=20=20=20=20=20
                      stream4_memory_usage -=3D sizeof(StreamPacketData);
                      free(foo);
--- 3190,3197 ----
                      foo =3D (StreamPacketData *) ubi_sptRemove(s->dataPtr=
,=20
                                                               (ubi_btNodeP=
tr)=20
returned);
=20=20=20=20=20=20
!                     stream4_memory_usage -=3D foo->pkt_size + SPARC_TWIDD=
LE;
!                     free(foo->pkt - SPARC_TWIDDLE);
=20=20=20=20=20=20
                      stream4_memory_usage -=3D sizeof(StreamPacketData);
                      free(foo);





