[Snort-users] Snort 2.9.7.5. bug in Unix Socket plugin on x64 platform

Kiryukhin Andrey andrei_1980 at ...1975...
Thu Aug 6 08:58:08 EDT 2015


Hello.
Seems some bug in snort unix socket plugin on x64 platform.

I have snort 2.9.7.5 and daq-2.0.6  on xubuntu 14.04 x64

In file "spo_alert_unixsock.c"   there is function AlertUnixSock(Packet
*p, const char *msg, void *arg, Event *event) in which:

    static Alertpkt alertpkt;
    .............
    memmove( (void *)&alertpkt.pkth, (const void *)p->pkth,
    sizeof(alertpkt.pkth));
    .............


where

    sizeof(alertpkt.pkth) = 16 byte


if we look at p->pkth :  

    typedef struct _daq_pkthdr
    {
        struct timeval ts;      /* Timestamp */           on x64
    platform - 16 byte
        .......


if we look at alertpkt.pkth

    typedef struct _Alertpkt
    {
        ..........
        struct pcap_pkthdr32 pkth;     whole structure 16 byte!!
        ........    


where

    struct pcap_pkthdr32
    {
        struct sf_timeval32 ts;   /* packet timestamp */    8 byte !!!!
        uint32_t caplen;          /* packet capture length */
        uint32_t len;             /* packet "real" length */
    };



And so, we try to copy 16 byte  from p->pkth to alertpkt.pkth , but
first 16 byte in p->pkth is timeval, and all fields in  
alertpkt.pkth filled with one field timeval from p->pkth. 

In other words,  size of  timeval from p->pkth  !=  size of 
sf_timeval32 from alertpkt.pkth 

Some fix for this bug:

        /* instead
   
            memmove( (void *)&alertpkt.pkth, (const void *)p->pkth,
sizeof(alertpkt.pkth));
       
            do :
        */

        alertpkt.pkth.ts.tv_sec = (uint32_t)p->pkth->ts.tv_sec;
        alertpkt.pkth.ts.tv_usec = (uint32_t)p->pkth->ts.tv_usec;
        alertpkt.pkth.caplen = p->pkth->caplen;
        alertpkt.pkth.len = p->pkth->pktlen;

       




  


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150806/0adb010f/attachment.html>


More information about the Snort-users mailing list