[Snort-devel] Possible segfault on snort exit (snort-2.x)

Ashwin Shimoga Nanjunda Rao (ashimoga) ashimoga at cisco.com
Mon Mar 4 22:10:48 EST 2019


Hi Nilesh,
  Thanks for reporting this issue. we will include this in our next OS release.

Thanks
Ashwin

From: Snort-devel <snort-devel-bounces at lists.snort.org> On Behalf Of Nilesh K. Patel via Snort-devel
Sent: Tuesday, March 5, 2019 12:51 AM
To: snort-devel at lists.snort.org
Subject: [Snort-devel] Possible segfault on snort exit (snort-2.x)

Found segfault on snort exit at HttpInspectFreeConfigs function in src/preprocessors/spp_httpinspect.c file.

Patch to fix this:


-

-    for (i = 0; (i < HTTP_MAX_XFF_FIELDS) && (oldXffFields[i]); i++)

-    {

-        free(oldXffFields[i]);

+    if(oldXffFields){

+        for (i = 0; (i < HTTP_MAX_XFF_FIELDS) && (oldXffFields[i]); i++)

+        {

+            free(oldXffFields[i]);

+            oldXffFields[i] = NULL;

+        }

+        free(oldXffFields);

+        oldXffFields = NULL;

     }

-    free(oldXffFields);

-    oldXffFields = NULL;



BT of segfault:

(gdb) bt full
#0 0x00005574a7ac4c88 in HttpInspectFreeConfigs (config=0x7fcd55431380) at spp_httpinspect.c:1492
i = 0
#1 0x00005574a7ac61ea in HttpInspectReloadSwapFree (data=0x7fcd55431380) at spp_httpinspect.c:2217
No locals.
#2 0x00005574a7a31d43 in FreePreprocessorReloadData (sc=0x7fcd54000b20) at plugbase.c:1557
node = 0x7fcd55431360
preproc = 0x5574ab775860
#3 0x00005574a7a3a239 in SnortConfFree (sc=0x7fcd54000b20) at snort.c:4601
i = 10
#4 0x00005574a7a39226 in SnortCleanup (exit_val=0) at snort.c:4018
idxPreproc = 0x0
idxPlugin = 0x0
already_exiting = 1
#5 0x00005574a7a38e25 in CleanExit (exit_val=0) at snort.c:3797
tmp = <error reading variable tmp (value of type `SnortConfig' requires 69296 bytes, which is more than max-value-size)>
#6 0x00005574a7a34042 in SnortMain (argc=22, argv=0x7ffcfd417608) at snort.c:925
tmp_ptr = 0x0
intf = 0x0
daqInit = 1
#7 0x00005574a7a33da9 in main (argc=22, argv=0x7ffcfd417608) at snort.c:754


Nilesh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20190305/d2165731/attachment-0001.html>


More information about the Snort-devel mailing list