[Snort-users] 2.9.2-rc segfaults

Russ Combs rcombs at ...1935...
Wed Dec 7 11:01:22 EST 2011


Jim - thanks for reporting this.

Would like to get some additional info to help get you a fix ASAP.

Is this easily reproducible for you?  If so, can you rebuild with
--enable-debug and send the backtrace(s) from that?

What type of box are you running on?

Thanks
Russ

On Wed, Dec 7, 2011 at 10:45 AM, Jim Hranicky <jfh at ...5250...> wrote:

> Hey SF folks, I'm getting segfaults with 2.9.2-rc. I was using
> the pfring daq, and I thought that might be the problem, though
> now I'm getting segfaults with just standard snort & the pcap
> daq. Fortunately, they're segfaulting in different places :-/ .
>
> Non-pf snort/pcap daq trace:
>
>    Core was generated by `/opt/local/bin/snort -D -i eth5
> --daq-dir=/opt/local/lib/daq --daq pcap --daq-v'.
>    Program terminated with signal 11, Segmentation fault.
>    #0  0x00000000004f6c02 in sf_unfold_header (inbuf=0x7ff69b0d6bfe
> <Address 0x7ff69b0d6bfe out of bounds>,
>        inbuf_size=1365,
>        outbuf=0x7fffa2a9ba00
> "c\362pr\017\210\003\375Zn\320\340\256\030ڌ\217\030\335\323\036\300)\261ax;\260\261\344\377uVV;\377\230qA\373)*\v\230\240\203\312,G(\347q\336NJ\255H\004",
> outbuf_size=65535, output_bytes=0x7fffa2a9b9fc,
>        trim_spaces=1, folded=0x0) at util_unfold.c:55
>    55              if(((*cursor == ' ') || (*cursor == '\t')))
>    (gdb) where
>    #0  0x00000000004f6c02 in sf_unfold_header (inbuf=0x7ff69b0d6bfe
> <Address 0x7ff69b0d6bfe out of bounds>,
>        inbuf_size=1365,
>        outbuf=0x7fffa2a9ba00
> "c\362pr\017\210\003\375Zn\320\340\256\030ڌ\217\030\335\323\036\300)\261ax;\260\261\344\377uVV;\377\230qA\373)*\v\230\240\203\312,G(\347q\336NJ\255H\004",
> outbuf_size=65535, output_bytes=0x7fffa2a9b9fc,
>        trim_spaces=1, folded=0x0) at util_unfold.c:55
>    #1  0x00000000004cc16b in extract_http_transfer_encoding
> (Session=0x12bdac0, hsd=0x331dec0,
>        p=0x7ff69b0d6bfe <Address 0x7ff69b0d6bfe out of bounds>,
>        start=0x7ff69b0d66ab <Address 0x7ff69b0d66ab out of bounds>,
>        end=0x7ff69b0d6c00 <Address 0x7ff69b0d6c00 out of bounds>,
> header_ptr=0x7fffa2aabb40, iInspectMode=2)
>        at hi_server.c:570
>    #2  0x00000000004cc514 in extractHttpRespHeaderFieldValues
> (ServerConf=0x2003eb0,
>        p=0x7ff69b0d6bfd <Address 0x7ff69b0d6bfd out of bounds>,
>        offset=0x7ff69b0d6bec <Address 0x7ff69b0d6bec out of bounds>,
>        start=0x7ff69b0d66ab <Address 0x7ff69b0d66ab out of bounds>,
>        end=0x7ff69b0d6c00 <Address 0x7ff69b0d6c00 out of bounds>,
> header_ptr=0x7fffa2aabb40,
>        header_field_ptr=0x7fffa2aabac0, parse_cont_encoding=0,
> hsd=0x331dec0, Session=0x12bdac0) at hi_server.c:656
>    #3  0x00000000004cc6ce in hi_server_extract_header (Session=0x12bdac0,
> ServerConf=0x2003eb0,
>        header_ptr=0x7fffa2aabb40, start=0x7ff69b0d66ab <Address
> 0x7ff69b0d66ab out of bounds>,
>        end=0x7ff69b0d6c00 <Address 0x7ff69b0d6c00 out of bounds>,
> parse_cont_encoding=0, hsd=0x331dec0)
>        at hi_server.c:720
>    #4  0x00000000004ce051 in HttpResponseInspection (Session=0x12bdac0,
> p=0x7fffa2aac050,
>        data=0x7ff69b0d669c <Address 0x7ff69b0d669c out of bounds>,
> dsize=1380, sd=0x331dec0) at hi_server.c:1476
>    #5  0x00000000004ce729 in ServerInspection (Session=0x12bdac0,
> p=0x7fffa2aac050, hsd=0x331dec0) at hi_server.c:1690
>    #6  0x00000000004ce79b in hi_server_inspection (S=0x12bdac0,
> p=0x7fffa2aac050, hsd=0x331dec0) at hi_server.c:1721
>    #7  0x00000000004c4cf0 in hi_mi_mode_inspection (Session=0x12bdac0,
> iInspectMode=2, p=0x7fffa2aac050, hsd=0x331dec0)
>        at hi_mi.c:98
>    #8  0x00000000004a6898 in SnortHttpInspect (GlobalConf=0x1fe0940,
> p=0x7fffa2aac050) at snort_httpinspect.c:3507
>    #9  0x000000000049f05e in HttpInspect (p=0x7fffa2aac050, context=0x0)
> at spp_httpinspect.c:212
>    #10 0x0000000000444983 in Preprocess (p=0x7fffa2aac050) at detect.c:172
>    #11 0x0000000000437066 in ProcessPacket (user=0x0,
> pkthdr=0x7fffa2aacca0,
>        pkt=0x7ff69b0d6666 <Address 0x7ff69b0d6666 out of bounds>, ft=0x0)
> at snort.c:1576
>    #12 0x0000000000436cc8 in PacketCallback (user=0x0,
> pkthdr=0x7fffa2aacca0,
>        pkt=0x7ff69b0d6666 <Address 0x7ff69b0d6666 out of bounds>) at
> snort.c:1486
>    #13 0x0000000000513f55 in pcap_process_loop ()
>    #14 0x00007ff6a045d7d5 in pcap_read_linux_mmap () from
> /opt/local/lib/libpcap.so.1
>    #15 0x000000000051417f in pcap_daq_acquire ()
>    #16 0x000000000045bfac in DAQ_Acquire (max=-1, callback=0x436af3
> <PacketCallback>, user=0x0) at sfdaq.c:514
>    #17 0x000000000043980b in PacketLoop () at snort.c:2899
>    #18 0x0000000000435d2c in SnortMain (argc=17, argv=0x7fffa2aacf58) at
> snort.c:764
>    #19 0x0000000000435c06 in main (argc=17, argv=0x7fffa2aacf58) at
> snort.c:687
>
> Here's a traceback on the pfring daq:
>
>  #0  0x00000000004da6ca in TcpSessionCleanup (lwssn=0x2ae0ab0) at
> snort_stream5_tcp.c:4644
>  #1  0x00000000004ec136 in DeleteLWSession (sessionCache=0x16c77f0,
> ssn=0x2ae0ab0,
>      delete_reason=0x55b4d2 "memcap/stale") at snort_stream5_session.c:651
>  #2  0x00000000004ec670 in PruneLWSessionCache (sessionCache=0x16c77f0,
> thetime=0, save_me=0x0, memCheck=0)
>      at snort_stream5_session.c:868
>  #3  0x00000000004ec892 in NewLWSession (sessionCache=0x16c77f0,
> p=0x7fffffffd400, key=0x7fffffffd290,
>      policy=0x7ffff2e65010) at snort_stream5_session.c:931
>  #4  0x00000000004dadc2 in Stream5ProcessTcp (p=0x7fffffffd400, lwssn=0x0,
> s5TcpPolicy=0x7ffff2e65010,
>      skey=0x7fffffffd290) at snort_stream5_tcp.c:5070
>  #5  0x00000000004b4906 in Stream5Process (p=0x7fffffffd400, context=0x0)
> at spp_stream5.c:1411
>  #6  0x0000000000444993 in Preprocess (p=0x7fffffffd400) at detect.c:172
>  #7  0x0000000000437076 in ProcessPacket (user=0x0, pkthdr=0x7fffffffe070,
> pkt=0x7ffff183675b "", ft=0x0)
>      at snort.c:1576
>  #8  0x0000000000436cd8 in PacketCallback (user=0x0,
> pkthdr=0x7fffffffe070, pkt=0x7ffff183675b "") at snort.c:1486
>  #9  0x00007ffff211c656 in pfring_daq_acquire (handle=0x286d360, cnt=-1,
> callback=0x436b03 <PacketCallback>,
>      user=0x0) at daq_pfring.c:407
>  #10 0x000000000045bfbc in DAQ_Acquire (max=-1, callback=0x436b03
> <PacketCallback>, user=0x0) at sfdaq.c:514
>  #11 0x000000000043981b in PacketLoop () at snort.c:2899
>  #12 0x0000000000435d3c in SnortMain (argc=16, argv=0x7fffffffe398) at
> snort.c:764
>  #13 0x0000000000435c16 in main (argc=16, argv=0x7fffffffe398) at
>  snort.c:687
>
> Here's a traceback on the pcap (linked against pfring) DAQ:
>
>  Core was generated by `/opt/pf/bin/snort -D -i eth5
> --daq-dir=/opt/pf/lib/daq
>  --daq pcap --daq-var clu'.
>
>  #0  0x00000000004daf3a in TcpSessionCleanup (lwssn=0x341a9f0) at
> snort_stream5_tcp.c:4644
>  4644                                p.tcph->th_sport, p.tcph->th_dport,
>  (gdb) where
>  #0  0x00000000004daf3a in TcpSessionCleanup (lwssn=0x341a9f0) at
> snort_stream5_tcp.c:4644
>  #1  0x00000000004ec9a6 in DeleteLWSession (sessionCache=0x200ae80,
> ssn=0x341a9f0,
>      delete_reason=0x5763f2 "memcap/stale") at snort_stream5_session.c:651
>  #2  0x00000000004ecee0 in PruneLWSessionCache (sessionCache=0x200ae80,
> thetime=0, save_me=0x0, memCheck=0)
>      at snort_stream5_session.c:868
>  #3  0x00000000004ed102 in NewLWSession (sessionCache=0x200ae80,
> p=0x7fffc43cea30, key=0x7fffc43ce8c0,
>      policy=0x7f14b62b1010) at snort_stream5_session.c:931
>  #4  0x00000000004db632 in Stream5ProcessTcp (p=0x7fffc43cea30, lwssn=0x0,
> s5TcpPolicy=0x7f14b62b1010,
>      skey=0x7fffc43ce8c0) at snort_stream5_tcp.c:5070
>  #5  0x00000000004b5176 in Stream5Process (p=0x7fffc43cea30, context=0x0)
> at spp_stream5.c:1411
>  #6  0x0000000000445203 in Preprocess (p=0x7fffc43cea30) at detect.c:172
>  #7  0x00000000004378e6 in ProcessPacket (user=0x0, pkthdr=0x7fffc43cf680,
>      pkt=0x7f14b4aff3b8 <Address 0x7f14b4aff3b8 out of bounds>, ft=0x0) at
> snort.c:1576
>  #8  0x0000000000437548 in PacketCallback (user=0x0, pkthdr=0x7fffc43cf680,
>      pkt=0x7f14b4aff3b8 <Address 0x7f14b4aff3b8 out of bounds>) at
> snort.c:1486
>  #9  0x00000000005147b5 in pcap_process_loop (user=<value optimized out>,
> pkth=<value optimized out>,
>      data=<value optimized out>) at daq_pcap.c:357
>  #10 0x00000000005177ba in pcap_read_linux ()
>  #11 0x00000000005149bd in pcap_daq_acquire (handle=0x2c770b0, cnt=-1,
> callback=<value optimized out>,
>      user=<value optimized out>) at daq_pcap.c:375
>  #12 0x000000000045c82c in DAQ_Acquire (max=-1, callback=0x437373
> <PacketCallback>, user=0x0) at sfdaq.c:514
>  #13 0x000000000043a08b in PacketLoop () at snort.c:2899
>  #14 0x00000000004365ac in SnortMain (argc=17, argv=0x7fffc43cf9d8) at
> snort.c:764
>  #15 0x0000000000436486 in main (argc=17, argv=0x7fffc43cf9d8) at
> snort.c:687
>
>  (gdb) p p.tcph
>  $1 = (const TCPHdr *) 0x0
>
> I have cores and executables if anyone's interested.
>
> --
> Jim Hranicky
> IT Security Engineer
> Office of Information Security and Compliance
> University of Florida
>
>
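The first backtrace above dies in sf_unfold_header with the input pointer already out of bounds, and the first thing the crashing line does is read `*cursor`. The fix on the Snort side is Russ's to make; the example below is an added illustration, not Snort's code, of how a header-unfold routine and its caller can be written so that every read is bounded by the caller's `inbuf_size`/`end` rather than by whatever the bytes happen to contain. The function names, the folded `Transfer-Encoding` sample and the truncation offsets are all constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SP or HTAB: the bytes that mark a folded continuation line. */
static int is_lws(uint8_t c) { return c == ' ' || c == '\t'; }

/* Unfold a header value starting at inbuf, never reading at or past
 * inbuf + inbuf_size. A line break followed by SP/HTAB is a fold and is
 * collapsed to one space; a line break followed by anything else, or by
 * the end of the input, ends the value. With trim_spaces set, runs of
 * SP/HTAB collapse to one space and leading/trailing ones are dropped.
 * Returns bytes stored in outbuf (NUL-terminated), or -1 if outbuf is
 * too small. Every dereference of cur is guarded by cur < end. */
int unfold_header(const uint8_t *inbuf, size_t inbuf_size,
                  char *outbuf, size_t outbuf_size, int trim_spaces)
{
    const uint8_t *cur = inbuf;
    const uint8_t *end = inbuf + inbuf_size;
    size_t out = 0;
    int pending_space = 0;

    if (outbuf_size == 0) return -1;
    while (cur < end && is_lws(*cur)) cur++;          /* leading LWS */

    while (cur < end) {
        if (*cur == '\r' || *cur == '\n') {
            while (cur < end && (*cur == '\r' || *cur == '\n')) cur++;
            if (cur == end || !is_lws(*cur)) break;   /* value ended */
            while (cur < end && is_lws(*cur)) cur++;  /* swallow fold */
            pending_space = 1;
            continue;
        }
        if (trim_spaces && is_lws(*cur)) { pending_space = 1; cur++; continue; }
        if (pending_space && out > 0) {
            if (out + 1 >= outbuf_size) return -1;
            outbuf[out++] = ' ';
        }
        pending_space = 0;
        if (out + 1 >= outbuf_size) return -1;        /* keep room for NUL */
        outbuf[out++] = (char)*cur++;
    }
    outbuf[out] = '\0';
    return (int)out;
}

/* Case-insensitive "name:" match at line, rejected outright if the name
 * plus the colon would not fit before end. */
static int name_matches(const uint8_t *line, const uint8_t *end,
                        const char *name, size_t nlen)
{
    if ((size_t)(end - line) <= nlen) return 0;
    for (size_t i = 0; i < nlen; i++)
        if (tolower(line[i]) != tolower((unsigned char)name[i])) return 0;
    return line[nlen] == ':';
}

/* Find the value of header `name` within [start, end); returns a pointer
 * just past the colon, or NULL. Line advancing is bounded by end. */
const uint8_t *find_header_value(const uint8_t *start, const uint8_t *end,
                                 const char *name)
{
    size_t nlen = strlen(name);
    const uint8_t *line = start;
    while (line < end) {
        if (name_matches(line, end, name, nlen)) return line + nlen + 1;
        while (line < end && *line != '\n') line++;
        if (line < end) line++;
    }
    return NULL;
}

/* Constructed sample response (not from the page): Transfer-Encoding is
 * folded across two lines. */
static const char SAMPLE[] =
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Transfer-Encoding:  chunked,\r\n"
    " \tgzip\r\n"
    "\r\n";

/* Extract and unfold Transfer-Encoding from the first `len` bytes of buf.
 * Returns the unfolded length, or -1 if absent or out is too small. */
int transfer_encoding(const uint8_t *buf, size_t len, char *out, size_t outsz)
{
    const uint8_t *end = buf + len;
    const uint8_t *v = find_header_value(buf, end, "Transfer-Encoding");
    if (!v) return -1;
    return unfold_header(v, (size_t)(end - v), out, outsz, 1);
}

int main(void)
{
    char out[64];
    int n = transfer_encoding((const uint8_t *)SAMPLE, strlen(SAMPLE), out, sizeof out);
    printf("%d: \"%s\"\n", n, n < 0 ? "" : out);     /* 13: "chunked, gzip" */
    return 0;
}
```

Passing a shortened `len` (cutting the buffer in the middle of the header name, or right after the fold whitespace) makes the routines return early or return the partial value; neither path reads a byte the caller did not hand over, which is the property the crashing frame lacked.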