[Snort-users] Snort bug in Unix Socket plugin on x64 platform

Kiryukhin Andrey andrei_1980 at ...1975...
Thu Aug 6 08:58:08 EDT 2015

There seems to be a bug in the Snort unix socket plugin on the x64 platform.

I have Snort and daq-2.0.6 on Xubuntu 14.04 x64.

In the file "spo_alert_unixsock.c" there is a function AlertUnixSock(Packet
*p, const char *msg, void *arg, Event *event) in which:

    static Alertpkt alertpkt;
    memmove( (void *)&alertpkt.pkth, (const void *)p->pkth, sizeof(alertpkt.pkth) );

where sizeof(alertpkt.pkth) is 16 bytes.

If we look at p->pkth:

    typedef struct _daq_pkthdr
    {
        struct timeval ts;      /* Timestamp */    /* on the x64 platform: 16 bytes */
        ...

If we look at alertpkt.pkth:

    typedef struct _Alertpkt
    {
        struct pcap_pkthdr32 pkth;     /* whole structure is 16 bytes!! */
        ...

    struct pcap_pkthdr32
    {
        struct sf_timeval32 ts;   /* packet timestamp */    /* 8 bytes !!!! */
        uint32_t caplen;          /* packet capture length */
        uint32_t len;             /* packet "real" length */
    };

And so, we try to copy 16 bytes from p->pkth to alertpkt.pkth, but the
first 16 bytes of p->pkth are the timeval, so all fields of
alertpkt.pkth get filled with the single timeval field from p->pkth.

In other words, the size of timeval in p->pkth != the size of
sf_timeval32 in alertpkt.pkth.

A fix for this bug:

        /* instead of
               memmove( (void *)&alertpkt.pkth, (const void *)p->pkth, sizeof(alertpkt.pkth) );
           do: */
        alertpkt.pkth.ts.tv_sec = (uint32_t)p->pkth->ts.tv_sec;
        alertpkt.pkth.ts.tv_usec = (uint32_t)p->pkth->ts.tv_usec;
        alertpkt.pkth.caplen = p->pkth->caplen;
        alertpkt.pkth.len = p->pkth->pktlen;
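Added example, not code from the post or from Snort's or DAQ's source: a stand-alone C program that reproduces the raw memmove copy beside the field-wise copy, using reduced stand-ins for the two header types. `sf_timeval32` and `pcap_pkthdr32` mirror the layout shown above; `_daq_pkthdr` is cut down to just the timestamp, caplen and pktlen fields (an assumption about the real DAQ header, which has more members); `copy_with_memmove`, `copy_fieldwise`, `timeval_layout_mismatch` and `sample_hdr` are names chosen here, and the header values are constructed, not captured traffic. On an LP64 build, where `struct timeval` is 16 bytes, the raw copy lands the two 64-bit timestamp words in all four 32-bit fields, exactly as the report describes; the field-wise copy is correct on every platform.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

/* 32-bit wire layout of the unixsock alert header (mirrors the post). */
struct sf_timeval32 {
    uint32_t tv_sec;
    uint32_t tv_usec;
};

struct pcap_pkthdr32 {
    struct sf_timeval32 ts;   /* packet timestamp, 8 bytes */
    uint32_t caplen;          /* packet capture length */
    uint32_t len;             /* packet "real" length */
};

/* Reduced stand-in for DAQ's _daq_pkthdr (assumption: only the fields used here). */
typedef struct _daq_pkthdr {
    struct timeval ts;        /* 16 bytes on LP64 platforms such as x86_64 Linux */
    uint32_t caplen;
    uint32_t pktlen;
} DAQ_PktHdr_t;

/* The pattern from the report: copy sizeof(dst) raw bytes from the DAQ header. */
static struct pcap_pkthdr32 copy_with_memmove(const DAQ_PktHdr_t *src)
{
    struct pcap_pkthdr32 dst;
    memmove(&dst, src, sizeof(dst));
    return dst;
}

/* Field-wise copy as proposed in the report: each field converted explicitly. */
static struct pcap_pkthdr32 copy_fieldwise(const DAQ_PktHdr_t *src)
{
    struct pcap_pkthdr32 dst;
    dst.ts.tv_sec  = (uint32_t)src->ts.tv_sec;
    dst.ts.tv_usec = (uint32_t)src->ts.tv_usec;
    dst.caplen     = src->caplen;
    dst.len        = src->pktlen;
    return dst;
}

/* True when the two timestamp types differ in size, i.e. the raw copy is wrong. */
static int timeval_layout_mismatch(void)
{
    return sizeof(struct timeval) != sizeof(struct sf_timeval32);
}

/* Constructed sample header; the values are made up for the demonstration. */
static DAQ_PktHdr_t sample_hdr(void)
{
    DAQ_PktHdr_t h;
    memset(&h, 0, sizeof(h));
    h.ts.tv_sec  = 1438865888;   /* some time on 2015-08-06 */
    h.ts.tv_usec = 123456;
    h.caplen     = 60;
    h.pktlen     = 1514;
    return h;
}

int main(void)
{
    DAQ_PktHdr_t h = sample_hdr();
    struct pcap_pkthdr32 raw   = copy_with_memmove(&h);
    struct pcap_pkthdr32 fixed = copy_fieldwise(&h);

    printf("sizeof(struct timeval)=%zu  sizeof(struct sf_timeval32)=%zu  mismatch=%d\n",
           sizeof(struct timeval), sizeof(struct sf_timeval32), timeval_layout_mismatch());
    printf("memmove:   sec=%u usec=%u caplen=%u len=%u\n",
           raw.ts.tv_sec, raw.ts.tv_usec, raw.caplen, raw.len);
    printf("fieldwise: sec=%u usec=%u caplen=%u len=%u\n",
           fixed.ts.tv_sec, fixed.ts.tv_usec, fixed.caplen, fixed.len);
    return 0;
}
```

On a little-endian LP64 build the memmove line prints usec=0, caplen=123456 and len=0, because the 16 copied bytes are the two 8-byte timeval words; the fieldwise line prints the expected values. A receiver parsing these alerts should therefore validate caplen and len against the attached packet length rather than trusting the header blindly.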



