Snort mailing list archives
snort 1.8
From: Phil Wood <cpw () lanl gov>
Date: Wed, 11 Jul 2001 19:27:00 -0600
Have any of you folks seen core dumps where p->sp is 443? I've
had about 15 since 7/10:evening. They are the only segmentation
faults I'm getting. I'm getting them on two different machines.
One is running redhat 6.2, the other redhat 7.0. However, I
built the snorts using my own libpcap (the snort is not from redhat).
They all have the same stack with the exception of the specific data.
When I turn off stream4 reassembly, they don't happen anymore.
(gdb) print *p
$7 = {pkth = 0xbffff518, pkt = 0x40b5a672 "", fddihdr = 0x0, fddisaps = 0x0,
fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0, trh = 0x0, trhllc = 0x0,
trhmr = 0x0, sllh = 0x0, eh = 0x40b5a672, vh = 0x0, ehllc = 0x0,
ehllcother = 0x0, ah = 0x0, iph = 0x40b5a680, orig_iph = 0x0,
ip_options_len = 0, ip_options_data = 0x0, tcph = 0x40b5a694,
orig_tcph = 0x0, tcp_options_len = 0, tcp_options_data = 0x0, udph = 0x0,
orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0,
data = 0x40b5a6a8 "\027\003", dsize = 65438, frag_flag = 0 '\000',
frag_offset = 0, mf = 0 '\000', df = 1 '\001', rf = 0 '\000', sp = 443,
dp = 1658, orig_sp = 0, orig_dp = 0, caplen = 0, URI = {uri = 0x0,
length = 0}, ssnptr = 0x86f10c0, ip_options = {{code = 0 '\000', len = 0,
data = 0x0} <repeats 40 times>}, ip_option_count = 0,
ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0 '\000', len = 0,
data = 0x0} <repeats 40 times>}, tcp_option_count = 0,
tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000', packet_flags = 4,
wire_packet = 0 '\000'}
(gdb) where
#0 0x80549eb in mSearch (buf=0x40b5a6a8 "\027\003", blen=65438,
ptrn=0x81a6df8 "0123456789a", plen=11, skip=0x81a6e08, shift=0x81a7210)
at mstring.c:491
491 while(buf[--b_idx] == ptrn[--p_idx])
(gdb) print p_idx
$5 = 10
(gdb) print b_idx
$6 = 3986
#1 0x805b97b in CheckANDPatternMatch (p=0xbffff02c, otn_idx=0x81a6380,
fp_list=0x81a7240) at sp_pattern_match.c:723
#2 0x8058ff0 in EvalOpts (List=0x81a6380, p=0xbffff02c) at rules.c:4026
#3 0x80579d3 in EvalHeader (rtn_idx=0x818b8f0, p=0xbffff02c) at rules.c:3745
#4 0x8058f83 in EvalPacket (List=0x8126cb8, mode=2, p=0xbffff02c)
at rules.c:3673
#5 0x80578a1 in Detect (p=0xbffff02c) at rules.c:3565
#6 0x8058e92 in Preprocess (p=0xbffff02c) at rules.c:3433
#7 0x804c770 in ProcessPacket (user=0x0, pkthdr=0xbffff518, pkt=0x40b5a672 "")
at snort.c:514
#8 0x808099c in packet_ring_recv ()
#9 0x8080cd4 in pcap_read ()
#10 0x8081a73 in pcap_loop ()
#11 0x804de87 in InterfaceThread (arg=0x0) at snort.c:1447
#12 0x804c654 in main (argc=17, argv=0xbffff70c) at snort.c:447
