[Snort-users] little endian bug in respond.c ?

Christopher Cramer cec at ...68...
Thu Jul 20 08:45:18 EDT 2000


Um, honestly, I hadn't tried out either version, I haven't yet played w/
the flexresp system (although I've got some great plans for dealing w/ IP
address theives w/in my department).  

I just noted that my TCP stream reassembly code went to hell on a linux
box.  I tracked it down to th_ack and th_seq being in network format
instead of native format.  I then checked to see how th_ack was used in
other parts of snort and found the respond.c code doing arithmetic w/
th_ack before converting to native.

-Chris


On Thu, 20 Jul 2000, Martin Roesch wrote:

> That's interesting.  Does it work better for you with the patch?  The old
> (non-ntohl) version used to work for me, but I gave it limited testing.  Your
> patches are correct, of course, thanks very much!
> 
>     -Marty
> 
> 
> Christopher Cramer wrote:
> > 
> > While we're all handling bugs, I believe I found one in the respond.c code
> > under little endian machines (still exists in beta5).  I found it when
> > testing my pre-beta TCP stream reassembly code under linux.
> > 
> > It seems that there is a line in respond.c that takes p->tcph->th_seq and
> > does some arithmetic with it before passing it on to SendTCPRST.
> > Unfortunately, on little endian machines, I think the arithmetic is going
> > to screw up since th_seq is in network (big endian) format.  I would
> > suggest converting to native format first, then doing the arithmetic,
> > then passing to SendTCPRST.
> > 
> > I've enclosed a patch that should fix the problem.  Of course, the problem
> > could be in my head, does anyone have the response code working under
> > Linux?
> > 
> > -Chris
> > 
> >   ------------------------------------------------------------------------------
> >                     Name: respond.patch
> >    respond.patch    Type: Plain Text (TEXT/PLAIN)
> >                 Encoding: BASE64
> 
> -- 
> Martin Roesch                      <roesch at ...2...>
> Core R&D                         http://www.hiverworld.com
> Hiverworld, Inc.       Continuous Adaptive Risk Management
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
> 





More information about the Snort-users mailing list