[Snort-users] 1.6.3 still crashes

Martin Roesch roesch at ...1...
Mon Jul 24 17:35:55 EDT 2000


Andreas Östling wrote:
> 
> Here it is,
> (gdb) print p->icmph
> $1 = (ICMPHdr *) 0x0
> (gdb)
> 
> /Andreas
> 
> > Hi Andreas,
> > Could you please go back into gdb (and the core file) and "print
> > p->icmph"?  I'd appreciate it!
> >
> > -Marty

Ah crap.  I added a check in the detection engine to make sure the transport
layer pointers weren't NULL before going into the detection engine, then
accidentally knocked them out with an errant #ifdef.  Stupid.

Here's the diff:

--- ../snort-1.6.3.new/rules.c  Sun Jul 23 23:38:25 2000
+++ rules.c     Mon Jul 24 17:15:48 2000
@@ -2545,14 +2559,16 @@
         case IPPROTO_TCP:
 #ifdef DEBUG
             printf("Detecting on TcpList\n");
+#endif
             if(p->tcph == NULL)
             {
+#ifdef DEBUG
                printf("[!] WARNING: Got NULL TCP header indetection engine,
this shouldn't happen!\n");
                printf("(You might want to send Marty an e-mail about
this...)\n");
                printf("p->iph: %p  p->tcph: %p p->frag_flag: %d\n p->caplen:
%d p->ip_hlen: %d p->ip_len: %d\n", p->iph, p->tcph, p->frag_flag,
p->pkth->caplen, p->iph->ip_hlen, ntohs(p->iph->ip_len));
+#endif
                return 0;
             }
-#endif
 
             rtn_idx = List->TcpList;
 
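Review bot: in the NULL-header branch the third debug printf dereferences p->iph (p->iph->ip_hlen, p->iph->ip_len) and p->pkth (p->pkth->caplen) without checking either pointer, so a DEBUG build can fault inside the diagnostic on the same malformed packets this branch is meant to survive. Print those fields only when p->iph and p->pkth are non-NULL, or print just the pointer values. The warning string also reads "indetection" and needs a space.
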
@@ -2561,14 +2577,16 @@
         case IPPROTO_UDP:
 #ifdef DEBUG
             printf("Detecting on UdpList\n");
+#endif
             if(p->udph == NULL)
             {
+#ifdef DEBUG
                printf("[!] WARNING: Got NULL UDP header indetection engine,
this shouldn't happen!\n");
                printf("(You might want to send Marty an e-mail about
this...)\n");
                printf("p->iph: %p  p->udph: %p p->frag_flag: %d\n p->caplen:
%d p->ip_hlen: %d p->ip_len: %d\n", p->iph, p->udph, p->frag_flag,
p->pkth->caplen, p->iph->ip_hlen, ntohs(p->iph->ip_len));
+#endif
                return 0;
             }
-#endif
 
             rtn_idx = List->UdpList;
             break;
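
Review bot: with #ifdef DEBUG now wrapped only around the printf calls, a non-DEBUG build takes the return 0 on p->udph == NULL with no record at all, so an operator cannot tell how many packets left the detection engine before a rule list was selected. Suggest incrementing a counter or emitting one unconditional log line ahead of the return. The same guard is repeated for TCP, UDP and ICMP; a small shared helper would keep the preprocessor placement from drifting apart again.
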
@@ -2576,14 +2594,16 @@
         case IPPROTO_ICMP:
 #ifdef DEBUG
             printf("Detecting on IcmpList\n");
+#endif
             if(p->icmph == NULL)
             {
+#ifdef DEBUG
                printf("[!] WARNING: Got NULL ICMP header indetection engine,
this shouldn't happen!\n");
                printf("(You might want to send Marty an e-mail about
this...)\n");
                printf("p->iph: %p  p->icmph: %p p->frag_flag: %d\n p->caplen:
%d p->ip_hlen: %d p->ip_len: %d\n", p->iph, p->icmph, p->frag_flag,
p->pkth->caplen, p->iph->ip_hlen, ntohs(p->iph->ip_len));
+#endif
                return 0;
             }
-#endif
 
             rtn_idx = List->IcmpList;
             break;
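
Review bot: the printf string literals in this hunk are split across lines by mail wrapping (after "indetection engine," and after "p->caplen:"), and the continuation lines carry no leading '+' or space, so the patch will not apply as posted. Suggest resending it unwrapped or as an attachment.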



   -Marty

-- 
Martin Roesch                      <roesch at ...2...>
Core R&D                         http://www.hiverworld.com
Hiverworld, Inc.       Continuous Adaptive Risk Management



