[Snort-users] snort 1.8.4b1 dumping core

Fyodor fygrave at ...121...
Mon Feb 4 08:38:09 EST 2002


> (gdb) bt
> #0  pcap_read (p=0x0, cnt=134884155, callback=0x875bac0, user=0xc <Address 0xc out of bounds>)
>     at /usr/src/lib/libpcap/../../contrib/libpcap/pcap-bpf.c:121
> #1  0x807f430 in pcap_loop (p=0x8130000, cnt=-1, callback=0x875bac0, user=0x0)
>     at /usr/src/lib/libpcap/../../contrib/libpcap/pcap.c:79

That's very interesting. The pcap_t struct ptr which we pass to pcap_loop is
a meaningful pointer, but pcap_read already has it set to NULL. Very
likely something messy has happened (also the user ptr got overwritten,
which normally shouldn't happen).
Strange that it didn't coredump somewhere at the beginning of
pcap_read():

pcap_read(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
{
    int cc;
    int n = 0;
    register u_char *bp, *ep;

 again:
    cc = p->cc;
    if (p->cc == 0) {
        cc = read(p->fd, (char *)p->buffer, p->bufsize);
        if (cc < 0) {
            ...

i.e. it assumes p to be a valid ptr.

> 121                     caplen = bhp->bh_caplen;

probably fails here:
....
        bp = p->buffer;
    } else
        bp = p->bp;
    ....
#define bhp ((struct bpf_hdr *)bp)
        ...
        caplen = bhp->bh_caplen;

either p->buffer or p->bp is not a valid ptr here.
> 
> (gdb) print bp
> $1 = (u_char *) 0x169c084 <Address 0x169c084 out of bounds>
> 


...
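As an added illustration of the failure mode discussed above (this is not libpcap's code and not part of the thread): the pcap_read() excerpt dereferences p, p->buffer/p->bp and then bhp->bh_caplen without any validity check, so a NULL pcap_t or a corrupted buffer pointer crashes exactly where the backtrace shows. The stand-alone C program below walks a BPF-style capture buffer with the checks pcap_read() omits. The struct layouts, the word-alignment rule and the sample records are simplified stand-ins constructed for the example, not the real libpcap or kernel definitions.

```c
/* Added example: bounds-checked walk over a BPF-style capture buffer.
 * Modelled on the pcap_read() logic quoted in the thread, but every
 * pointer and length the original assumes valid is verified first.
 * Struct layouts are simplified stand-ins (assumption), not libpcap's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's struct bpf_hdr (assumed layout). */
struct bpf_hdr {
    uint32_t bh_caplen;   /* bytes actually captured into the buffer */
    uint32_t bh_datalen;  /* original packet length on the wire */
    uint16_t bh_hdrlen;   /* header length including padding */
};

/* Stand-in for the pcap_t fields that pcap_read() touches. */
struct capture {
    unsigned char *buffer;  /* start of the read buffer (p->buffer) */
    unsigned char *bp;      /* current position in the buffer (p->bp) */
    int cc;                 /* unconsumed bytes from bp (p->cc) */
    size_t bufsize;         /* total buffer size (p->bufsize) */
};

typedef void (*handler_fn)(void *user, const struct bpf_hdr *h,
                           const unsigned char *pkt);

enum walk_status {
    WALK_NULL_STATE = -1,   /* p itself is NULL (frame #0 in the backtrace) */
    WALK_NULL_BUFFER = -2,  /* p->buffer or p->bp is NULL */
    WALK_BAD_HEADER = -3    /* lengths do not fit the bytes available */
};

/* Round up to a 4-byte boundary, like BPF_WORDALIGN (assumed word size). */
static size_t word_align(size_t n) { return (n + 3) & ~(size_t)3; }

/* Deliver every record in p->bp..p->bp+p->cc to cb.
 * Returns the number of packets delivered, or a negative walk_status. */
int checked_walk(struct capture *p, handler_fn cb, void *user)
{
    if (p == NULL) return WALK_NULL_STATE;
    if (p->buffer == NULL || p->bp == NULL) return WALK_NULL_BUFFER;
    if (p->cc < 0 || p->bp < p->buffer ||
        (size_t)(p->bp - p->buffer) + (size_t)p->cc > p->bufsize)
        return WALK_BAD_HEADER;

    unsigned char *bp = p->bp;
    unsigned char *ep = bp + p->cc;
    int n = 0;
    while (bp < ep) {
        struct bpf_hdr h;
        if ((size_t)(ep - bp) < sizeof h) return WALK_BAD_HEADER;
        memcpy(&h, bp, sizeof h);            /* no misaligned dereference */
        size_t rec = (size_t)h.bh_hdrlen + h.bh_caplen;
        /* The unchecked original trusts bh_caplen; a corrupted value here
         * would make the callback read past the end of the buffer. */
        if (h.bh_hdrlen < sizeof h || rec > (size_t)(ep - bp))
            return WALK_BAD_HEADER;
        if (cb) cb(user, &h, bp + h.bh_hdrlen);
        n++;
        bp += word_align(rec);
    }
    p->bp = bp;
    p->cc = 0;
    return n;
}

/* Append one constructed record (header + payload) at *off. */
static int append_record(unsigned char *buf, size_t cap, size_t *off,
                         const unsigned char *pkt, uint32_t caplen)
{
    struct bpf_hdr h = { caplen, caplen, (uint16_t)word_align(sizeof h) };
    size_t rec = word_align((size_t)h.bh_hdrlen + caplen);
    if (*off + rec > cap) return -1;
    memset(buf + *off, 0, rec);
    memcpy(buf + *off, &h, sizeof h);
    memcpy(buf + *off + h.bh_hdrlen, pkt, caplen);
    *off += rec;
    return 0;
}

static unsigned char g_buf[256];   /* constructed capture buffer */

/* Two well-formed records: expect 2 packets delivered. */
int demo_valid_walk(void)
{
    static const unsigned char pkt1[] = { 0xde, 0xad, 0xbe, 0xef, 0x01 };
    static const unsigned char pkt2[] = { 0xca, 0xfe };
    size_t off = 0;
    if (append_record(g_buf, sizeof g_buf, &off, pkt1, sizeof pkt1)) return -99;
    if (append_record(g_buf, sizeof g_buf, &off, pkt2, sizeof pkt2)) return -99;
    struct capture p = { g_buf, g_buf, (int)off, sizeof g_buf };
    return checked_walk(&p, NULL, NULL);
}

/* The situation in the backtrace: pcap_t pointer is NULL. */
int demo_null_state(void) { return checked_walk(NULL, NULL, NULL); }

/* A record whose bh_caplen claims far more bytes than the buffer holds. */
int demo_corrupt_caplen(void)
{
    static const unsigned char pkt[] = { 1, 2, 3 };
    size_t off = 0;
    if (append_record(g_buf, sizeof g_buf, &off, pkt, sizeof pkt)) return -99;
    struct bpf_hdr h;
    memcpy(&h, g_buf, sizeof h);
    h.bh_caplen = 0x7fffffffu;               /* constructed corruption */
    memcpy(g_buf, &h, sizeof h);
    struct capture p = { g_buf, g_buf, (int)off, sizeof g_buf };
    return checked_walk(&p, NULL, NULL);
}

int main(void)
{
    printf("valid walk: %d packets\n", demo_valid_walk());
    printf("NULL state: %d\n", demo_null_state());
    printf("corrupt caplen: %d\n", demo_corrupt_caplen());
    return 0;
}
```

The point of the checks is the one Fyodor makes: pcap_loop received a valid pcap_t, so the NULL seen in pcap_read() is a symptom of memory corruption somewhere else, and a reader that validates p, p->bp and bh_caplen against p->cc turns that silent corruption into a reported error instead of a core dump.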