[Snort-users] Weird fragmentation plugin error

Martin Roesch roesch at ...421...
Tue Apr 24 14:58:28 EDT 2001


I think this is a memory alignment problem, I'm going to fiddle with
this code and get rid of the inlined preprocessor comparison code.  I've
seen some other crashes here before but it never seems to be for any
sort of valid reason.


    -Marty

Wozz wrote:
> 
> On Fri, Apr 20, 2001 at 03:34:21PM -0600, Wozz wrote:
> > On Thu, Apr 19, 2001 at 12:30:03AM -0400, Martin Roesch wrote:
> > >
> > > Ouch. :)  Here's a quick fix (these messages shouldn't be logged as
> > > alerts anyway, they should be log messages).  I hope you aren't
> > > replacing Snort 100% with Dragon, we've got some fun stuff coming up...
> > > :)
> > >
> >
> > I spoke too soon (or perhaps found another bug.  Same system (With your patch) is
> > now crashing in what seems to be a different area of the defrag plugin.  Here's the
> > backtrace
> >
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x19c0a in fragcompare (i=0x62b800, j=0x62b800) at spp_defrag.c:171
> > 171         if(SADDR(i) > SADDR(j))
> > (gdb) bt
> > #0  0x19c0a in fragcompare (i=0x62b800, j=0x62b800) at spp_defrag.c:171
> > #1  0x19d9a in fragsplay (i=0x62b800, t=0x5560b0) at spp_defrag.c:244
> > #2  0x19f6d in fragdelete (i=0x62b800, t=0x5560b0) at spp_defrag.c:378
> > #3  0x1a9ba in PreprocDefrag (p=0xdfbfd5b0) at spp_defrag.c:939
> > #4  0xe824 in Preprocess (p=0xdfbfd5b0) at rules.c:3016
> > #5  0x1ff5 in ProcessPacket (user=0x0, pkthdr=0x58084,
> >     pkt=0x58096 "\002`R(\200") at snort.c:463
> > #6  0x4004f151 in pcap_read ()
> > #7  0x400605a7 in pcap_loop ()
> > #8  0x3ee9 in InterfaceThread (arg=0x0) at snort.c:1278
> > #9  0x1ee2 in main (argc=12, argv=0xdfbfdaf4) at snort.c:397
> > (gdb)
> >
> 
> Just happenned again, same problems
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x19c0a in fragcompare (i=0x3e800, j=0x3e800) at spp_defrag.c:171
> 171         if(SADDR(i) > SADDR(j))
> (gdb) bt
> #0  0x19c0a in fragcompare (i=0x3e800, j=0x3e800) at spp_defrag.c:171
> #1  0x19d9a in fragsplay (i=0x3e800, t=0x7c5e0) at spp_defrag.c:244
> #2  0x19f6d in fragdelete (i=0x3e800, t=0x7c5e0) at spp_defrag.c:378
> #3  0x1a5ac in ReassembleIP (froot=0x7c5e0) at spp_defrag.c:737
> #4  0x1a8e4 in PreprocDefrag (p=0xdfbfd59c) at spp_defrag.c:910
> #5  0xe824 in Preprocess (p=0xdfbfd59c) at rules.c:3016
> #6  0x1ff5 in ProcessPacket (user=0x0, pkthdr=0x53e0c,
>     pkt=0x53e1e "\002`R(\200") at snort.c:463
> #7  0x4004f151 in pcap_read ()
> #8  0x400605a7 in pcap_loop ()
> #9  0x3ee9 in InterfaceThread (arg=0x0) at snort.c:1278
> #10 0x1ee2 in main (argc=12, argv=0xdfbfdae0) at snort.c:397
> (gdb)
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org




More information about the Snort-users mailing list