Snort mailing list archives
Re: Bus error on sparc
From: Michael Bell <michael.bell () cms hu-berlin de>
Date: Wed, 14 May 2003 16:44:43 +0200
Hi, I finally made some small fixes in decode.(c|h) and some more fixes in spp_stream4.c. I removed SPARC_TWIDDLE from spp_stream4.c and changed the alignment code a little bit.
Can a more experienced snort developer verify the diffs please? I only made some small hacks to fix the bus errors but of course I cannot say that I know what I'm doing :)
Without the patch it is possible to crash snort on sparc with some well-formed packets (even if stream4 is not activated).
Thanks Michael -- ------------------------------------------------------------------- Michael Bell Email: michael.bell () cms hu-berlin de ZE Computer- und Medienservice Tel.: +49 (0)30-2093 2482 (Computing Centre) Fax: +49 (0)30-2093 2704 Humboldt-University of Berlin Unter den Linden 6 10099 Berlin Email (private): michael.bell () web de Germany http://www.openca.org
--- snort-2.0.0/src/decode.c 2003-04-09 21:18:23.000000000 +0200
+++ decode.c 2003-05-14 13:27:09.000000000 +0200
@@ -42,7 +42,6 @@
HttpUri UriBufs[URI_COUNT];
u_int8_t DecodeBuffer[DECODE_BLEN];
-
/*
* Function: DecodeEthPkt(Packet *, char *, struct pcap_pkthdr*, u_int8_t*)
*
@@ -2326,8 +2325,10 @@
if(pv.checksums_mode & DO_UDP_CHECKSUMS)
{
/* look at the UDP checksum to make sure we've got a good packet */
- ph.sip = (u_int32_t)(p->iph->ip_src.s_addr);
- ph.dip = (u_int32_t)(p->iph->ip_dst.s_addr);
+ // ph.sip = (u_int32_t)(p->iph->ip_src.s_addr);
+ // ph.dip = (u_int32_t)(p->iph->ip_dst.s_addr);
+ ph.sip = get_u_int32_t (&p->iph->ip_src.s_addr);
+ ph.dip = get_u_int32_t (&p->iph->ip_dst.s_addr);
ph.zero = 0;
ph.protocol = p->iph->ip_proto;
/* ph.udplen is up there */
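Review bot: The two `//` lines that keep the old casts in the UDP pseudo-header setup should be deleted rather than left as commented-out code; `//` is also not C89, and the surrounding context uses `/* */`. A short comment in their place would record the reason, e.g. `/* iph points into the capture buffer and may be unaligned: copy, do not dereference */`. Only the UDP checksum path is visible here; if other pseudo-headers in decode.c are filled with the same cast, they would presumably fault the same way on strict-alignment hardware, and given the description's statement that well-formed packets can crash the sensor, each remaining direct load is worth auditing. The enclosing function starts and ends outside the hunk.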
@@ -3233,3 +3234,24 @@
pv.decoder_flags.tcpopt_decode = 1;
pv.decoder_flags.ipopt_decode = 1;
}
+
+u_int8_t get_u_int8_t (void *buffer)
+{
+ u_int8_t i;
+ memcpy (&i, buffer, sizeof (u_int8_t));
+ return i;
+}
+
+u_int16_t get_u_int16_t (void *buffer)
+{
+ u_int16_t i;
+ memcpy (&i, buffer, sizeof (u_int16_t));
+ return i;
+}
+
+u_int32_t get_u_int32_t (void *buffer)
+{
+ u_int32_t i;
+ memcpy (&i, buffer, sizeof (u_int32_t));
+ return i;
+}
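Review bot: The three new accessors at the end of decode.c take `void *buffer` although they only read from it; the parameter should be `const void *buffer`, here and in the decode.h prototypes, e.g. `u_int32_t get_u_int32_t (const void *buffer)`. They also lack a header comment: each should say that it copies from a possibly unaligned address, returns the value in whatever byte order the buffer holds (no ntohs/ntohl is applied), and relies on the caller having already checked that sizeof(type) bytes are available behind `buffer`. `get_u_int8_t` adds nothing, since a single byte has no alignment requirement. The hunk does not show an `#include <string.h>`; confirm decode.c already has the memcpy declaration in scope.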
--- snort-2.0.0/src/decode.h 2003-04-09 17:45:13.000000000 +0200
+++ decode.h 2003-05-14 13:27:09.000000000 +0200
@@ -1229,6 +1229,10 @@
void DecodeIPOptions(u_int8_t *, u_int32_t, Packet *);
void DecodePPPoEPkt(Packet *, struct pcap_pkthdr *, u_int8_t *);
+u_int8_t get_u_int8_t (void *buffer);
+u_int16_t get_u_int16_t (void *buffer);
+u_int32_t get_u_int32_t (void *buffer);
+
/* XXX not sure where this guy needs to live at the moment */
typedef struct _PortList
{
--- snort-2.0.0/src/preprocessors/spp_stream4.c 2003-04-11 22:45:17.000000000 +0200
+++ spp_stream4.c 2003-05-14 14:23:58.000000000 +0200
@@ -149,16 +149,6 @@
extern int *file_line;
#endif /* SNORT_20 */
-
-/* We must twiddle to align the offset the ethernet header and align
- the IP header on solaris -- maybe this will work on HPUX too.
-*/
-#if defined (SOLARIS) || defined (SUNOS) || defined (HPUX)
-#define SPARC_TWIDDLE 2
-#else
-#define SPARC_TWIDDLE 0
-#endif
-
/* values for the smartbits detector/self perservation */
#define SELF_PRES_THRESHOLD 50
#define SELF_PRES_PERIOD 90
@@ -1444,7 +1434,13 @@
DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "p->tcph is null, returning\n"););
return 1;
}
-
+
+ if(p->iph->ip_proto != IPPROTO_TCP)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "ip protocol is not tcp, returning\n"););
+ return 1;
+ }
+
if(p->packet_flags & PKT_REBUILT_STREAM)
{
DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "REBUILT_STREAM returning\n"););
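Review bot: The added protocol test reads `p->iph->ip_proto` without a visible NULL check on `p->iph`; the guard just above it in this hunk only covers `p->tcph`. If the part of the function outside the hunk does not already reject a NULL `iph`, fold it into the condition: `if(p->iph == NULL || p->iph->ip_proto != IPPROTO_TCP)`. A one-line comment on how a packet with a non-NULL `tcph` can still carry a non-TCP protocol number would help, because that is not obvious from the code. The function begins and ends outside the hunk.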
@@ -3847,18 +3843,24 @@
void InitStream4Pkt()
{
- stream_pkt->pkth = calloc(sizeof(SnortPktHeader)+
- ETHERNET_HEADER_LEN +
- SPARC_TWIDDLE + IP_MAXPACKET,
- sizeof(char));
-
+ stream_pkt->pkth = SafeAlloc(sizeof(SnortPktHeader)+
+ sizeof(EtherHdr) +
+ sizeof(IPHdr) +
+ sizeof(TCPHdr) +
+ IP_MAXPACKET +
+ 6, /* maximum lost through two memory alignments */
+ 0 , NULL);
+
+ /* take care about 4-byte memory alignment of several architectures */
+ /* pkth is correctly aligned for every variable */
+ /* eh and iph must be aligned by the software */
stream_pkt->pkt = ((u_int8_t *)stream_pkt->pkth) + sizeof(SnortPktHeader);
- stream_pkt->eh = (EtherHdr *)((u_int8_t *)stream_pkt->pkt + SPARC_TWIDDLE);
- stream_pkt->iph =
- (IPHdr *)((u_int8_t *)stream_pkt->eh + ETHERNET_HEADER_LEN);
- stream_pkt->tcph = (TCPHdr *)((u_int8_t *)stream_pkt->iph + IP_HEADER_LEN);
+ stream_pkt->pkt += (4 - (sizeof(SnortPktHeader) %4)) %4;
+ stream_pkt->eh = (EtherHdr *)((u_int8_t *)stream_pkt->pkt);
+ stream_pkt->iph = (IPHdr *)((u_int8_t *)stream_pkt->eh + sizeof(EtherHdr) + (4-(sizeof(EtherHdr) %4))%4);
+ stream_pkt->tcph = (TCPHdr *)((u_int8_t *)stream_pkt->iph + sizeof(IPHdr));
- stream_pkt->data = (u_int8_t *)stream_pkt->tcph + TCP_HEADER_LEN;
+ stream_pkt->data = (u_int8_t *)stream_pkt->tcph + sizeof(TCPHdr);
stream_pkt->eh->ether_type = htons(0x0800);
SET_IP_VER(stream_pkt->iph, 0x4);
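Review bot: Padding after the Ethernet header breaks the contiguous frame layout: assuming a 14-byte `EtherHdr`, the new `iph` assignment places the IP header at `eh + 16`, leaving two pad bytes between the link and network headers, whereas the removed SPARC_TWIDDLE code shifted `eh` itself so that `iph` sat directly behind it. Anything that treats the rebuilt packet as raw frame bytes starting at `eh` (logging or re-decoding; not visible here) would then read a malformed frame. Shifting the start instead keeps both alignment and contiguity: `stream_pkt->eh = (EtherHdr *)(stream_pkt->pkt + (4 - sizeof(EtherHdr) % 4) % 4);` followed by `stream_pkt->iph = (IPHdr *)((u_int8_t *)stream_pkt->eh + sizeof(EtherHdr));`. The literals `4` and `6` deserve a named constant, and it is worth confirming that `SafeAlloc` returns zeroed memory as the replaced `calloc` did. InitStream4Pkt continues past the end of this hunk.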
@@ -3870,6 +3872,12 @@
SET_TCP_OFFSET(stream_pkt->tcph,0x5);
stream_pkt->tcph->th_flags = TH_PUSH|TH_ACK;
+
+ /* try to crash ip header via sigbus error */
+ /* this is code to test the alignment */
+ /* if the alignment is wrong then the code crashs here */
+ stream_pkt->iph->ip_src.s_addr = 0;
+ stream_pkt->iph->ip_dst.s_addr = 0;
}
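Review bot: The two zero stores added at the end of InitStream4Pkt are a crash-on-purpose alignment probe and should not ship in this form: on a misaligned pointer the process dies with SIGBUS and no diagnostic, and on platforms that tolerate unaligned stores nothing is tested at all. An explicit check states the intent and fails with a message, e.g. `if(((unsigned long)stream_pkt->iph & 3) != 0) FatalError("stream4: rebuilt IP header is not 4-byte aligned\n");`. The function starts in the previous hunk.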
