Snort mailing list archives
Re: Bus error on sparc
From: Michael Bell <michael.bell () cms hu-berlin de>
Date: Fri, 16 May 2003 09:39:55 +0200
Andrew R. Baker wrote:
A better fix may be to do what pcap does for these cases. When constructing the pseudo packet, offset the start of the packet by N bytes (where N = number of bytes to make the link layer portion *end* on a word boundary). I do this in Barnyard for *all* packets regardless of what platform we are running on
Is there no other way? This would require several fixes in decode.c.If you read decode.c carefully then you will see that there are several calls of this type:
DecodeXYZ (p->pkt + ABC_HEADER_LEN, ...)Every such call without a verification of the address is a potential alignmentbug. So perhaps we have some luck and other headers than ethernet which are divisible by 4 but if not then there is a problem too. It looks like hardwareoriented headers are really optimized. Another option is that the direct use of integerfields in the headers was never planned by the snort developers.
I checked barnyard but I cannot find the code where you fix the alignment. Can you give an advice? I only find a macro EXTRACT_32BITS which do nearly the same like my function get_u_int32_t. This would fix the address problems.
Another idea is the kind of the bug in DecodeUDP. It happens during an assignment but
u_int32_t i = p->value; is the same like memcpy (&i, &p->value, sizeof (u_int32_t)); ... except of the alignment problems.So what should I do with decode.c? I attached a much more simple patch but why the code fails only for these to integers?
Michael P.S. the diff for spp_stream4.c is still the same. -- ------------------------------------------------------------------- Michael Bell Email: michael.bell () cms hu-berlin de ZE Computer- und Medienservice Tel.: +49 (0)30-2093 2482 (Computing Centre) Fax: +49 (0)30-2093 2704 Humboldt-University of Berlin Unter den Linden 6 10099 Berlin Email (private): michael.bell () web de Germany http://www.openca.org
--- decode.c 2003-04-09 21:18:23.000000000 +0200 +++ /root/snort-patch/snort-2.0.0/src/decode.c 2003-05-16 09:13:30.000000000 +0200 @@ -42,7 +42,6 @@ HttpUri UriBufs[URI_COUNT]; u_int8_t DecodeBuffer[DECODE_BLEN]; - /* * Function: DecodeEthPkt(Packet *, char *, struct pcap_pkthdr*, u_int8_t*) * @@ -2326,8 +2325,8 @@ if(pv.checksums_mode & DO_UDP_CHECKSUMS) { /* look at the UDP checksum to make sure we've got a good packet */ - ph.sip = (u_int32_t)(p->iph->ip_src.s_addr); - ph.dip = (u_int32_t)(p->iph->ip_dst.s_addr); + memcpy (&ph.sip, &p->iph->ip_src.s_addr, sizeof (u_int32_t)); + memcpy (&ph.dip, &p->iph->ip_dst.s_addr, sizeof (u_int32_t)); ph.zero = 0; ph.protocol = p->iph->ip_proto; /* ph.udplen is up there */
Current thread:
- Bus error on sparc Michael Bell (May 12)
- Re: Bus error on sparc Michael Bell (May 13)
- Re: Bus error on sparc Michael Bell (May 14)
- Re: Bus error on sparc Michael Bell (May 14)
- Re: Bus error on sparc Michael Bell (May 14)
- Re: Bus error on sparc Andrew R. Baker (May 15)
- Re: Bus error on sparc Michael Bell (May 16)
- Re: Re: [Snort-users] Bus error on sparc Andrew R. Baker (May 16)
- Re: Bus error on sparc Michael Bell (May 14)
- Re: Bus error on sparc Michael Bell (May 13)