[Snort-users] Re: snort crash ... - Fixed

Dragos Ruiu dr at ...50...
Tue Aug 1 06:38:26 EDT 2000

This _was_ a bug in the snort defragmentaiton processor that only happened 
if you enabled it (and if you did, you did so with the warnings that it was
beta).  I fixed it a week ago...

This problem has been fixed with the latest defragmentation processor
I released on the Snort-Users list..... You should be able to find it in the
archives at sourceforge.  Let me know if you need more info than that.
These are all more good reasons to subscribe to the Snort-Users list.


P.s.  though I haven't checked I think that an even newer one than the
one I posted on the list is in the CVS tree (well, I sent it to Marty and
Fyodor).  I believe all the defragger versions after Beta14 (and including it)
do not have this problem anymore.  The only currently open issue/bug with the
defragger is some alignment/compiler wierdness on Solaris/sparc which cause
immediate crashes when enabled, which I will try to remedy tomorrow, but I
don't have access to a Solaris sparc machine to test so I'm developing
blind..... but I'm pretty sure I know what  the fix for that is (copy some junk
into temp vars to make up for the braindead sparc compilers that can't seem 
to be able to figure out how to word align their own data). We'll see with the
beta18 release I'll be sending out tomorrow....

It should run fine on all other platforms supported by snort now, though
I have only tested it personaly on BSD(open/free) and Linux.

Oh, and since this was posted to vuln-dev... even if you are running
the old one with defragging enabled... it's not exploitable - all it does
is crash randomly(based on fragments seen before it..), due to some 
memory allocation size errors. The crash detailed below is typical of
the old broken behaviour on Linux. The non-deterministic nature of 
the crashes made it a bitch to debug. :-( But that's done now :-) :-) :-)

On Tue, 25 Jul 2000, Fabio Pietrosanti wrote:
> hi look here...
> Jul 25 12:59:16 naif libsafe.so[7023]: version 1.3
> Jul 25 12:59:16 naif libsafe.so[7023]: detected an attempt to write across
> stack boundary.
> Jul 25 12:59:16 naif libsafe.so[7023]: terminating /usr/local/sbin/snort
> Jul 25 12:59:16 naif libsafe.so[7023]: overflow caused by memcpy()
dursec.com ltd. / kyx.net - we're from the future    http://www.dursec.com

More information about the Snort-users mailing list