[Snort-users] snort 1.8.4b1 dumping core

Fyodor fygrave at ...121...
Sat Feb 2 23:37:02 EST 2002


On Sat, Feb 02, 2002 at 11:04:55PM -0800, Kris Kennaway wrote:
> I've been corresponding with Fyodor a bit about this: I sent him the
> following gdb backtrace.
> 
> (gdb) bt
> #0  0x280bab5f in ?? ()
> #1  0x280ba7bb in ?? ()
> #2  0x804c121 in InterfaceThread (arg=0x80bb000) at snort.c:1675
> #3  0x804a841 in main (argc=50652, argv=0xfe8f7d04) at snort.c:478

[snip] [snip]

> 1675        if(pcap_loop(pds[myint], pv.pkt_cnt, (pcap_handler) ProcessPacket, NULL) < 0)

I'd recompile libpcap with -ggdb and give it a try; it sounds like we are
coredumping somewhere in libpcap. I am not on a FreeBSD box right now, and
Linux doesn't fail the same way :-/
(could be that pcap fails due to some params which we supply in
pcap_*read() somewhere..)

> 1676        {
> 1677            if(pv.daemon_flag)
> 1678                syslog(LOG_CONS | LOG_DAEMON, "pcap_loop: %s", pcap_geterr(pd));
> 1679            else
> 
> (gdb) print myint
> $3 = 671896152

This is a stack-allocated variable, it has probably been overwritten by
something ;-) there's no way it could be that big otherwise ;-p

InterfaceThread() {
 static intnum = 0;
 int myint;

 myint = intnum;
 intnum++;

...




