[Snort-users] Segfault on Alpha 1.9.0

Alain Fauconnet alain at ...7197...
Thu Oct 17 07:16:21 EDT 2002


I have the same problem here.

Snort 1.9.0 running on a Compaq Alphaserver EV6 box with FreeBSD-Alpha 4.2,
compiled using gcc version 2.95.2 19991024.

Snort 1.8.x used to run rock solid.

I'm investigating the thing right now. It SIGSEGVs here:

Program received signal SIGSEGV, Segmentation fault.
0x120054888 in PreprocUrlDecode (p=0x1) at spp_http_decode.c:443
443         while(index < end && !lookup_whitespace[(u_int)(*index)])

Stack backtrace:
#0  0x120054888 in PreprocUrlDecode (p=0x1) at spp_http_decode.c:443
#1  0x120028864 in Preprocess (p=0x11ffad20) at detect.c:83
#2  0x12001e63c in ProcessPacket (user=0x0,  pkthdr=0x0,  pkt=0x0)  at
snort.c:580
#3  0x1600f4964 in pcap_read () from /usr/lib/libpcap.so.2
#4  0x1600f4438 in pcap_loop () from /usr/lib/libpcap.so.2
#5  0x120020664 in InterfaceThread (arg=0x0) at snort.c:1637
#6  0x12001e41c in SnortMain (argc=0, argv=0x0) at snort.c:514
#7  0x12001daf8 in main (argc=536882744, argv=0x0) at snort.c:95

Value of variables:

(gdb) p index
$1 = 0x120171cc1 "£3"

It looks like the argument passed to PreprocUrlDecode is wrong. It  should
be a valid (Packet *), which 0x1 can't be.

(gdb) p p
$3 = (Packet *) 0x1

Curiously, the program crashes at  line  #443,  which  is  beyond  the
reference to *p at lines 

438          index  = (char *) p->data; /* index into the data portion
of the packet */
439         end =   (char *) p->data + p->dsize;
440         psize = (u_int16_t) (p->dsize);

But  that  could  be  one  of the oddities of the Alpha processor that
signals come late.

Thinking  about  this twice, if I go up one level of stack frame (thus in
Preprocess (p=0x11ffad20) and I look at the contents of *p, I have:

(gdb) p *p
$5 = {pkth = 0x120171c68, pkt = 0x120171c8a "\b", fddihdr = 0x0, 
  fddisaps = 0x0, fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0, trh = 0x0, 
  trhllc = 0x0, trhmr = 0x0, sllh = 0x0, pfh = 0x0, eh = 0x120171c8a, 
  vh = 0x0, ehllc = 0x0, ehllcother = 0x0, wifih = 0x0, ah = 0x0, eplh = 0x0, 
  eaph = 0x0, eaptype = 0x0, eapolk = 0x0, iph = 0x120171c98, orig_iph = 0x0, 
  ip_options_len = 0, ip_options_data = 0x0, tcph = 0x120171cac, 
  orig_tcph = 0x0, tcp_options_len = 0, tcp_options_data = 0x0, udph = 0x0, 
  orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0, 
  data = 0x120171cc0 "q£3", dsize = 536, alt_dsize = 0, frag_flag = 0 '\000', 
  frag_offset = 0, mf = 0 '\000', df = 1 '\001', rf = 0 '\000', sp = 1064, 
  dp = 80, orig_sp = 0, orig_dp = 0, caplen = 0, uri_count = 0 '\000', 
  ssnptr = 0x120977b00, state = 0x0, ip_options = {{code = 0 '\000', len = 0, 
      data = 0x0} <repeats 40 times>}, ip_option_count = 0, 
  ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0 '\000', len = 0, 
      data = 0x0} <repeats 40 times>}, tcp_option_count = 0, 
  tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000', packet_flags = 1172}
(gdb) p p->data
$6 = (u_int8_t *) 0x120171cc0 "q£3"

That is quite consistent with the value of 'index' above. So it could be
that the value of 'p' is correct after all (but then why does gdb display
it as wrong?).

I'm kind of stuck here. Hope that can give hints to the developers.

I also have gadzillions of unaligned access warnings, all inside
functions CheckSrcIP and CheckDstIP. I suspect a misaligned structure.

pid 31358 (snort): unaligned access: va=0x120196032 pc=0x12002a210 ra=0x1200293e8 op=ldl
pid 31358 (snort): unaligned access: va=0x120196036 pc=0x12002a428 ra=0x12002a280 op=ldl

Greets,
_Alain_




More information about the Snort-users mailing list