[Snort-users] snort 1.8.4b1 dumping core

Kris Kennaway kris at ...1402...
Sun Feb 3 22:20:02 EST 2002


On Mon, Feb 04, 2002 at 12:27:21AM -0500, Martin Roesch wrote:
> Hi Kris,
>      Does it core right away or does it take a while?

It takes a while..i.e. it seems to be certain traffic which causes it.

> Can you try enabling DEBUG mode (see the BUGS file) and let it run through
> that?  Run snort like this:
> 
> Snort [optons] > debug.file

I can try that.

> You can also try running Snort from inside gdb and see if you can get better
> information on the backtrace from that, something really weird is happening
> here.

I rebuilt libc and libpcap with -ggdb and linked snort static; here's
the complete backtrace.

(gdb) bt
#0  pcap_read (p=0x0, cnt=134884155, callback=0x875bac0, user=0xc <Address 0xc out of bounds>)
    at /usr/src/lib/libpcap/../../contrib/libpcap/pcap-bpf.c:121
#1  0x807f430 in pcap_loop (p=0x8130000, cnt=-1, callback=0x875bac0, user=0x0)
    at /usr/src/lib/libpcap/../../contrib/libpcap/pcap.c:79
#2  0x804a181 in InterfaceThread (arg=0x0) at snort.c:1675
#3  0x80488a1 in main (argc=10, argv=0xbfbff7b8) at snort.c:478

(gdb) list /usr/src/lib/libpcap/../../contrib/libpcap/pcap-bpf.c:121
116              */
117     #define bhp ((struct bpf_hdr *)bp)
118             ep = bp + cc;
119             while (bp < ep) {
120                     register int caplen, hdrlen;
121                     caplen = bhp->bh_caplen;
122                     hdrlen = bhp->bh_hdrlen;
123                     /*
124                      * XXX A bpf_hdr matches a pcap_pkthdr.
125                      */

(gdb) print bp
$1 = (u_char *) 0x169c084 <Address 0x169c084 out of bounds>

(gdb) list /usr/src/lib/libpcap/../../contrib/libpcap/pcap.c:79
74                              /*
75                               * XXX keep reading until we get something
76                               * (or an error occurs)
77                               */
78                              do {
79                                      n = pcap_read(p, cnt, callback, user);
80                              } while (n == 0);
81                      }
82                      if (n <= 0)
83                              return (n);

Kris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 230 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020203/e254f9cd/attachment.sig>


More information about the Snort-users mailing list