Snort mailing list archives
Re: snort 1.8.4b1 dumping core
From: Fyodor <fygrave () tigerteam net>
Date: Mon, 4 Feb 2002 23:06:28 +0700
(gdb) bt
#0  pcap_read (p=0x0, cnt=134884155, callback=0x875bac0, user=0xc <Address 0xc out of bounds>) at /usr/src/lib/libpcap/../../contrib/libpcap/pcap-bpf.c:121
#1  0x807f430 in pcap_loop (p=0x8130000, cnt=-1, callback=0x875bac0, user=0x0) at /usr/src/lib/libpcap/../../contrib/libpcap/pcap.c:79
That's very interesting. Pcap_t struct ptr which we pass to pcap_loop is a meaningful pointer but pcap_read already has it set to NULL. Very likely something messy has happened. (also user ptr got overwritten, that normally shouldn't happen). Strange that it didn't coredump somewhere at the beginning of pcap_read():

    pcap_read(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
    {
            int cc;
            int n = 0;
            register u_char *bp, *ep;

    again:
            cc = p->cc;
            if (p->cc == 0) {
                    cc = read(p->fd, (char *)p->buffer, p->bufsize);
                    if (cc < 0) {
    ...

i.e. it assumes p to be a valid ptr.
121 caplen = bhp->bh_caplen;
probably fails here:

    ....
                    bp = p->buffer;
            } else
                    bp = p->bp;
    ....
    #define bhp ((struct bpf_hdr *)bp)
    ...
                    caplen = bhp->bh_caplen;

either p->buffer or p->bp is not valid ptr here.
(gdb) print bp
$1 = (u_char *) 0x169c084 <Address 0x169c084 out of bounds>
...
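The line the post points at reads bhp->bh_caplen without checking that bp still lies inside the buffer that was read. As an added example (not code from libpcap, Snort or the original post), here is a bounds-checked walk over a capture buffer. The simplified header struct, the callback type and the names walk_capture, demo and sum_bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for struct bpf_hdr (assumed layout, not the BSD one). */
struct cap_hdr { uint32_t caplen, datalen; uint16_t hdrlen; };
#define WORDALIGN(x) (((size_t)(x) + 3) & ~(size_t)3)
typedef void (*pkt_cb)(void *user, const uint8_t *data, uint32_t caplen);

/* Returns packets delivered, or -1 if a pointer or header does not fit the buffer. */
int walk_capture(const uint8_t *buf, size_t cc, pkt_cb cb, void *user)
{
    if (buf == NULL || cb == NULL)
        return -1;                        /* do not assume the pointers are valid */
    const uint8_t *bp = buf, *ep = buf + cc;
    int n;
    for (n = 0; bp < ep; n++) {
        struct cap_hdr h;
        size_t left = (size_t)(ep - bp);
        if (left < sizeof h)
            return -1;                    /* truncated header */
        memcpy(&h, bp, sizeof h);         /* copy out: bp may be unaligned */
        if (h.hdrlen < sizeof h || h.hdrlen > left || h.caplen > left - h.hdrlen)
            return -1;                    /* lengths point outside the buffer */
        cb(user, bp + h.hdrlen, h.caplen);
        size_t step = WORDALIGN((size_t)h.hdrlen + h.caplen);
        bp += step < left ? step : left;  /* final record may lack padding */
    }
    return n;
}

static uint32_t demo_total;               /* bytes delivered by the last demo() */
static void sum_bytes(void *user, const uint8_t *d, uint32_t len) { (void)d; *(uint32_t *)user += len; }

/* Constructed input: two records; second_caplen lets the caller corrupt one. */
int demo(uint32_t second_caplen)
{
    uint8_t buf[64] = {0};
    struct cap_hdr a = {5, 5, sizeof a}, b = {second_caplen, 7, sizeof b};
    size_t off = WORDALIGN(sizeof a + 5);
    memcpy(buf, &a, sizeof a);
    memcpy(buf + off, &b, sizeof b);
    demo_total = 0;
    return walk_capture(buf, off + sizeof b + 7, sum_bytes, &demo_total);
}

int main(void)
{
    return demo(7) == 2 && demo(0xFFFFFFF0u) == -1 ? 0 : 1;  /* exit 0 on expected results */
}
```

It catches a NULL pointer or record lengths that do not fit the buffer; it cannot detect a pointer that has been overwritten with some other non-NULL address.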