[Snort-users] little endian bug in respond.c ?

Christopher Cramer cec at ...68...
Wed Jul 19 11:01:32 EDT 2000


While we're all handling bugs, I believe I found one in the respond.c code
under little endian machines (still exists in beta5).  I found it when
testing my pre-beta TCP stream reassembly code under linux.

It seems that there is a line in respond.c that takes p->tcph->th_seq and
does some arithmetic with it before passing it on to SendTCPRST.  
Unfortunately, on little endian machines, I think the arithmetic is going
to screw up since th_seq is in network (big endian) format.  I would
suggest converting to native format first, then doing the arithmetic,
then passing to SendTCPRST.

I've enclosed a patch that should fix the problem.  Of course, the problem
could be in my head, does anyone have the response code working under
Linux?

-Chris


-------------- next part --------------
diff -aur snort-1.6.3-beta5/respond.c snort-1.6.3-beta5-new/respond.c
--- snort-1.6.3-beta5/respond.c	Fri Jun 16 01:29:32 2000
+++ snort-1.6.3-beta5-new/respond.c	Wed Jul 19 10:46:55 2000
@@ -37,7 +37,7 @@
 extern OptTreeNode *otn_tmp; /* global ptr to current rule data */
 
 int SendICMP_UNREACH(int, u_long, u_long, Packet *);
-int SendTCPRST(u_long, u_long, u_short, u_short, int, int);
+int SendTCPRST(u_long, u_long, u_short, u_short, u_long, u_long);
 
 
 /****************************************************************************
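Review bot: The new prototype types seq and ack as u_long, whose width depends on the platform, while TCP sequence and acknowledgment numbers are 32-bit fields that wrap modulo 2^32. A fixed-width 32-bit unsigned type for these two parameters would make the wraparound of the arithmetic done by the callers explicit and independent of the size of long. The move away from int is right either way, since signed arithmetic on sequence numbers is the wrong model.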
@@ -68,12 +68,12 @@
                     if (otn_tmp->response_flag & RESP_RST_SND)
                         SendTCPRST(p->iph->ip_dst.s_addr, p->iph->ip_src.s_addr,
                                    p->tcph->th_dport, p->tcph->th_sport,
-                                   p->tcph->th_ack, p->tcph->th_seq + p->dsize + i);
+                                   ntohl(p->tcph->th_ack), ntohl(p->tcph->th_seq) + p->dsize + i);
 
                     if (otn_tmp->response_flag & RESP_RST_RCV)
                         SendTCPRST(p->iph->ip_src.s_addr, p->iph->ip_dst.s_addr,
                                    p->tcph->th_sport, p->tcph->th_dport,
-                                   p->tcph->th_seq, p->tcph->th_ack + p->dsize + i);
+                                   ntohl(p->tcph->th_seq), ntohl(p->tcph->th_ack) + p->dsize + i);
                 }
             }
         }
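Review bot: In the RESP_RST_RCV call the payload length is still added to the ack argument (ntohl(p->tcph->th_ack) + p->dsize + i) while seq is passed unadvanced, even though this segment is built with the original sender's address and port as its source. In the RESP_RST_SND call the same offset is added to the value derived from th_seq, which is the field the payload actually advances. The patch preserves the existing asymmetry, so it is worth confirming whether the second call intends ntohl(p->tcph->th_seq) + p->dsize + i as seq and the plain ntohl(p->tcph->th_ack) as ack. The ntohl-before-add ordering itself is correct in both calls.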
@@ -139,7 +139,7 @@
 }
 
 
-int SendTCPRST(u_long saddr, u_long daddr, u_short sport, u_short dport, int seq, int ack)
+int SendTCPRST(u_long saddr, u_long daddr, u_short sport, u_short dport, u_long seq, u_long ack)
 {
     u_char *buf;
     int sz = IP_H + TCP_H;
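Review bot: The definition of SendTCPRST now takes seq and ack in host byte order while saddr, daddr, sport and dport are still passed in as taken from the packet headers, and nothing at the function documents that split. A short comment above the function stating which parameters are host order and which are network order would keep a later caller from passing raw th_seq or th_ack again, which the compiler cannot catch because the types are the same.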
@@ -158,7 +158,7 @@
                     0 /* fragmentation */, 64 /* TTL */, IPPROTO_TCP,
                     saddr, daddr, NULL, 0, buf);
 
-    libnet_build_tcp(ntohs(sport), ntohs(dport), ntohl(seq), ntohl(ack),
+    libnet_build_tcp(ntohs(sport), ntohs(dport), seq, ack,
                      TH_RST, 1024, 0, NULL, 0, buf + IP_H);
 
 
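Review bot: Dropping ntohl() from the seq and ack arguments of libnet_build_tcp changes what SendTCPRST expects from every caller, and this diff updates only the two call sites in the earlier hunk. Any other caller that still passes header fields unconverted would now send byte-swapped numbers on little-endian hosts, so the tree should be checked for further uses. The ports are still converted here with ntohs() while seq and ack are converted by the caller; converting all four in one place would be easier to follow.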


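The byte-order problem described in the message, as an added example that is not part of the original post or of Snort's code: it compares adding a payload length to the raw header field with converting first and then adding. The function names and the sample bytes are constructed for illustration, and the little-endian load is emulated with explicit shifts so the result is the same on any host.

```c
#include <stdint.h>
#include <stdio.h>

/* What a little-endian host sees when it reads the 4 wire bytes of th_seq
 * as a plain 32-bit integer, i.e. the field's value before ntohl(). */
static uint32_t load_as_little_endian(const uint8_t b[4])
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Network (big-endian) bytes to the number they encode. */
static uint32_t load_as_network_order(const uint8_t b[4])
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

/* Byte swap: the effect of ntohl() on a little-endian host. */
static uint32_t swap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0xff00u) |
           ((v << 8) & 0xff0000u) | (v << 24);
}

/* Pre-patch order of operations: add to the raw field, convert later. */
uint32_t next_seq_add_then_convert(const uint8_t wire[4], uint32_t len)
{
    return swap32(load_as_little_endian(wire) + len);
}

/* Patched order: convert first, then add (wraps modulo 2^32). */
uint32_t next_seq_convert_then_add(const uint8_t wire[4], uint32_t len)
{
    return load_as_network_order(wire) + len;
}

int main(void)
{
    const uint8_t wire[4] = {0x00, 0x00, 0x00, 0xff}; /* constructed: seq 255 */
    printf("add then convert: 0x%08x\n",
           (unsigned)next_seq_add_then_convert(wire, 1));
    printf("convert then add: 0x%08x\n",
           (unsigned)next_seq_convert_then_add(wire, 1));
    return 0;
}
```

With a one-byte payload the first function lands 2^24 away from the intended sequence number, because the addition carries through the bytes in the wrong order.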