[Snort-devel] Possible segfault on snort exit (snort-2.x)

Nilesh K. Patel Nilesh.k.Patel at Sophos.com
Mon Mar 4 14:21:08 EST 2019


Found a segfault on snort exit in the HttpInspectFreeConfigs function in the src/preprocessors/spp_httpinspect.c file.

Patch to fix this:


-

-    for (i = 0; (i < HTTP_MAX_XFF_FIELDS) && (oldXffFields[i]); i++)

-    {

-        free(oldXffFields[i]);

+    if(oldXffFields){

+        for (i = 0; (i < HTTP_MAX_XFF_FIELDS) && (oldXffFields[i]); i++)

+        {

+            free(oldXffFields[i]);

+            oldXffFields[i] = NULL;

+        }

+        free(oldXffFields);

+        oldXffFields = NULL;

     }

-    free(oldXffFields);

-    oldXffFields = NULL;



BT of segfault:

(gdb) bt full
#0 0x00005574a7ac4c88 in HttpInspectFreeConfigs (config=0x7fcd55431380) at spp_httpinspect.c:1492
i = 0
#1 0x00005574a7ac61ea in HttpInspectReloadSwapFree (data=0x7fcd55431380) at spp_httpinspect.c:2217
No locals.
#2 0x00005574a7a31d43 in FreePreprocessorReloadData (sc=0x7fcd54000b20) at plugbase.c:1557
node = 0x7fcd55431360
preproc = 0x5574ab775860
#3 0x00005574a7a3a239 in SnortConfFree (sc=0x7fcd54000b20) at snort.c:4601
i = 10
#4 0x00005574a7a39226 in SnortCleanup (exit_val=0) at snort.c:4018
idxPreproc = 0x0
idxPlugin = 0x0
already_exiting = 1
#5 0x00005574a7a38e25 in CleanExit (exit_val=0) at snort.c:3797
tmp = <error reading variable tmp (value of type `SnortConfig' requires 69296 bytes, which is more than max-value-size)>
#6 0x00005574a7a34042 in SnortMain (argc=22, argv=0x7ffcfd417608) at snort.c:925
tmp_ptr = 0x0
intf = 0x0
daqInit = 1
#7 0x00005574a7a33da9 in main (argc=22, argv=0x7ffcfd417608) at snort.c:754


Nilesh