[Snort-users] little endian bug in respond.c ?

Martin Roesch roesch at ...1...
Thu Jul 20 00:07:03 EDT 2000


That's interesting.  Does it work better for you with the patch?  The old
(non-ntohl) version used to work for me, but I gave it limited testing.  Your
patches are correct, of course, thanks very much!

    -Marty


Christopher Cramer wrote:
> 
> While we're all handling bugs, I believe I found one in the respond.c code
> under little endian machines (still exists in beta5).  I found it when
> testing my pre-beta TCP stream reassembly code under linux.
> 
> It seems that there is a line in respond.c that takes p->tcph->th_seq and
> does some arithmetic with it before passing it on to SendTCPRST.
> Unfortunately, on little endian machines, I think the arithmetic is going
> to screw up since th_seq is in network (big endian) format.  I would
> suggest converting to native format first, then doing the arithmetic,
> then passing to SendTCPRST.
> 
> I've enclosed a patch that should fix the problem.  Of course, the problem
> could be in my head, does anyone have the response code working under
> Linux?
> 
> -Chris
> 
>   ------------------------------------------------------------------------------
>                     Name: respond.patch
>    respond.patch    Type: Plain Text (TEXT/PLAIN)
>                 Encoding: BASE64

-- 
Martin Roesch                      <roesch at ...2...>
Core R&D                         http://www.hiverworld.com
Hiverworld, Inc.       Continuous Adaptive Risk Management




More information about the Snort-users mailing list