Re: Re: [Snort-users] Bus error on sparc

["Andrew R. Baker" <andrewb () snort org>]

Michael Bell wrote:
> Andrew R. Baker wrote:
>
>> A better fix may be to do what pcap does for these cases.  When
>> constructing the pseudo packet, offset the start of the packet by N
>> bytes (where N = number of bytes to make the link layer portion *end*
>> on a word boundary).  I do this in Barnyard for *all* packets
>> regardless of what platform we are running on
>
>
> Is there no other way? This would require several fixes in decode.c.
>
> If you read decode.c carefully then you will see that there are several
> calls of this type:
>
> DecodeXYZ (p->pkt + ABC_HEADER_LEN, ...)

It is not quite as bad as it seems.  First, we only need to do this when
allocating memory to store a packet in (ie only in packets created by
stream4 and frag2).  Second, since all of the protocols above the link
layer are nicely aligned, it only needs to be done once.  Creating a new
packet would go something like this.

pkt_buffer = calloc(pkt_len + offset, sizeof(uchar));
pkt = pkt_buffer + offset;

offset is calculated by determing how many bytes shy of being word
aligned the link layer header is.  The packet is stored starting at pkt.
The only trick is to remember to free appropriately (ie free(pkt_buffer)
or free(pkt - offset)).

-A





-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users