[Snort-users] Snort 2.9.7.5. bug in Unix Socket plugin on x64 platform

Hui cao huica at ...589...
Mon Aug 10 15:14:10 EDT 2015


Hi Kiryukhin,

Thanks for reporting this issue. We will fix this in a future release.

Best,
Hui.

On 08/06/2015 08:58 AM, Kiryukhin Andrey wrote:
> Hello.
> There seems to be a bug in the Snort unix socket plugin on the x64 platform.
>
> I have snort 2.9.7.5 and daq-2.0.6 on xubuntu 14.04 x64.
>
> In the file "spo_alert_unixsock.c" there is a function
> AlertUnixSock(Packet *p, const char *msg, void *arg, Event *event) in
> which:
>
>     static Alertpkt alertpkt;
>     .............
>     memmove( (void *)&alertpkt.pkth, (const void *)p->pkth,
>     sizeof(alertpkt.pkth));
>     .............
>
>
> where
>
>     sizeof(alertpkt.pkth) = 16 bytes
>
>
> if we look at p->pkth:
>
>     typedef struct _daq_pkthdr
>     {
>         struct timeval ts;      /* Timestamp */   on the x64 platform - 16 bytes
>         .......
>
>
> if we look at alertpkt.pkth:
>
>     typedef struct _Alertpkt
>     {
>         ..........
>         struct pcap_pkthdr32 pkth;     the whole structure is 16 bytes!!
>         ........
>
>
> where
>
>     struct pcap_pkthdr32
>     {
>         struct sf_timeval32 ts;   /* packet timestamp */    8 bytes !!!!
>         uint32_t caplen;          /* packet capture length */
>         uint32_t len;             /* packet "real" length */
>     };
>
>
>
> And so, we try to copy 16 bytes from p->pkth to alertpkt.pkth, but
> the first 16 bytes in p->pkth are the timeval, so all fields in
> alertpkt.pkth get filled with the single timeval field from p->pkth.
>
> In other words, the size of timeval in p->pkth != the size of
> sf_timeval32 in alertpkt.pkth.
>
> A fix for this bug:
>
>         /* instead of
>
>             memmove( (void *)&alertpkt.pkth, (const void *)p->pkth,
>                      sizeof(alertpkt.pkth));
>
>            do:
>         */
>
>         alertpkt.pkth.ts.tv_sec = (uint32_t)p->pkth->ts.tv_sec;
>         alertpkt.pkth.ts.tv_usec = (uint32_t)p->pkth->ts.tv_usec;
>         alertpkt.pkth.caplen = p->pkth->caplen;
>         alertpkt.pkth.len = p->pkth->pktlen;

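To make the size mismatch in the report concrete, here is a small self-contained C program (added as an illustration; it is not Snort or DAQ code). It declares a constructed stand-in for the leading fields of the DAQ packet header (a native struct timeval followed by caplen and pktlen) next to the fixed-width pcap_pkthdr32 from the report, runs both the original memmove and the proposed field-wise copy on a constructed sample header, and exposes the resulting fields through functions so the two copies can be compared. The struct names with a _demo suffix and the sample values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

/* Constructed stand-in for the leading fields of DAQ_PktHdr_t as the
 * report describes them: a native struct timeval (16 bytes on LP64
 * x86_64) followed by the capture and wire lengths. */
typedef struct _daq_pkthdr_demo {
    struct timeval ts;
    uint32_t caplen;
    uint32_t pktlen;
} daq_pkthdr_demo;

/* The fixed-width header written to the unix socket (8-byte timestamp). */
struct sf_timeval32 {
    uint32_t tv_sec;
    uint32_t tv_usec;
};

struct pcap_pkthdr32 {
    struct sf_timeval32 ts;   /* packet timestamp */
    uint32_t caplen;          /* packet capture length */
    uint32_t len;             /* packet "real" length */
};

/* Original copy: sizeof(dst) bytes from the start of the source header.
 * When the source timeval is 16 bytes, those bytes are the timestamp alone,
 * so caplen and len receive pieces of the timestamp instead of the lengths. */
static void copy_original(struct pcap_pkthdr32 *dst, const daq_pkthdr_demo *src)
{
    memmove((void *)dst, (const void *)src, sizeof(*dst));
}

/* Field-wise copy as proposed in the report: each field converted explicitly,
 * so the layout of struct timeval on the host no longer matters. */
static void copy_fieldwise(struct pcap_pkthdr32 *dst, const daq_pkthdr_demo *src)
{
    dst->ts.tv_sec  = (uint32_t)src->ts.tv_sec;
    dst->ts.tv_usec = (uint32_t)src->ts.tv_usec;
    dst->caplen     = src->caplen;
    dst->len        = src->pktlen;
}

/* Constructed sample header: a 60-byte capture of a 1514-byte frame. */
static const daq_pkthdr_demo sample = {
    .ts = { .tv_sec = 1439200000, .tv_usec = 123456 },
    .caplen = 60,
    .pktlen = 1514,
};

/* Fields as seen by a consumer after the field-wise copy. */
uint32_t fieldwise_sec(void)    { struct pcap_pkthdr32 d; copy_fieldwise(&d, &sample); return d.ts.tv_sec; }
uint32_t fieldwise_usec(void)   { struct pcap_pkthdr32 d; copy_fieldwise(&d, &sample); return d.ts.tv_usec; }
uint32_t fieldwise_caplen(void) { struct pcap_pkthdr32 d; copy_fieldwise(&d, &sample); return d.caplen; }
uint32_t fieldwise_len(void)    { struct pcap_pkthdr32 d; copy_fieldwise(&d, &sample); return d.len; }

/* 1 if the memmove copy yields the same four fields as the field-wise copy,
 * 0 if it does not (the x64 case from the report, where timeval is 16 bytes). */
int copies_agree(void)
{
    struct pcap_pkthdr32 a, b;
    copy_original(&a, &sample);
    copy_fieldwise(&b, &sample);
    return a.ts.tv_sec == b.ts.tv_sec && a.ts.tv_usec == b.ts.tv_usec
        && a.caplen == b.caplen && a.len == b.len;
}

int main(void)
{
    struct pcap_pkthdr32 a;
    copy_original(&a, &sample);
    printf("sizeof(struct timeval)=%zu sizeof(struct sf_timeval32)=%zu\n",
           sizeof(struct timeval), sizeof(struct sf_timeval32));
    printf("memmove copy : sec=%u usec=%u caplen=%u len=%u\n",
           a.ts.tv_sec, a.ts.tv_usec, a.caplen, a.len);
    printf("field-wise   : sec=%u usec=%u caplen=%u len=%u\n",
           fieldwise_sec(), fieldwise_usec(), fieldwise_caplen(), fieldwise_len());
    printf("copies agree : %d\n", copies_agree());
    return 0;
}
```

On an LP64 little-endian host the memmove copy reports usec=0 and len=0 with caplen holding the microsecond value, which is exactly the "all fields filled with one timeval" symptom described in the report; the field-wise copy is unaffected by the host's struct timeval layout.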