Snort mailing list archives

Re: 2.9.2-rc segfaults


From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 7 Dec 2011 11:01:22 -0500

Jim - thanks for reporting this.

Would like to get some additional info to help get you a fix ASAP.

Is this easily reproducible for you?  If so, can you rebuild with
--enable-debug and send the backtrace(s) from that?

What type of box are you running on?

Thanks
Russ

On Wed, Dec 7, 2011 at 10:45 AM, Jim Hranicky <jfh () ufl edu> wrote:

Hey SF folks, I'm getting segfaults with 2.9.2-rc . I was using
the pfring daq, and I thought that might be the problem, though
now I'm getting segfaults with just standard snort & the pcap
daq. Fortunately, they're segfaulting in different places :-/ .

Non-pf snort/pcap daq trace:

   Core was generated by `/opt/local/bin/snort -D -i eth5
--daq-dir=/opt/local/lib/daq --daq pcap --daq-v'.
   Program terminated with signal 11, Segmentation fault.
   #0  0x00000000004f6c02 in sf_unfold_header (inbuf=0x7ff69b0d6bfe
<Address 0x7ff69b0d6bfe out of bounds>,
       inbuf_size=1365,
       outbuf=0x7fffa2a9ba00
"c\362pr\017\210\003\375Zn\320\340\256\030ڌ\217\030\335\323\036\300)\261ax;\260\261\344\377uVV;\377\230qA\373)*\v\230\240\203\312,G(\347q\336NJ\255H\004",
outbuf_size=65535, output_bytes=0x7fffa2a9b9fc,
       trim_spaces=1, folded=0x0) at util_unfold.c:55
   55              if(((*cursor == ' ') || (*cursor == '\t')))
   (gdb) where
   #0  0x00000000004f6c02 in sf_unfold_header (inbuf=0x7ff69b0d6bfe
<Address 0x7ff69b0d6bfe out of bounds>,
       inbuf_size=1365,
       outbuf=0x7fffa2a9ba00
"c\362pr\017\210\003\375Zn\320\340\256\030ڌ\217\030\335\323\036\300)\261ax;\260\261\344\377uVV;\377\230qA\373)*\v\230\240\203\312,G(\347q\336NJ\255H\004",
outbuf_size=65535, output_bytes=0x7fffa2a9b9fc,
       trim_spaces=1, folded=0x0) at util_unfold.c:55
   #1  0x00000000004cc16b in extract_http_transfer_encoding
(Session=0x12bdac0, hsd=0x331dec0,
       p=0x7ff69b0d6bfe <Address 0x7ff69b0d6bfe out of bounds>,
       start=0x7ff69b0d66ab <Address 0x7ff69b0d66ab out of bounds>,
       end=0x7ff69b0d6c00 <Address 0x7ff69b0d6c00 out of bounds>,
header_ptr=0x7fffa2aabb40, iInspectMode=2)
       at hi_server.c:570
   #2  0x00000000004cc514 in extractHttpRespHeaderFieldValues
(ServerConf=0x2003eb0,
       p=0x7ff69b0d6bfd <Address 0x7ff69b0d6bfd out of bounds>,
       offset=0x7ff69b0d6bec <Address 0x7ff69b0d6bec out of bounds>,
       start=0x7ff69b0d66ab <Address 0x7ff69b0d66ab out of bounds>,
       end=0x7ff69b0d6c00 <Address 0x7ff69b0d6c00 out of bounds>,
header_ptr=0x7fffa2aabb40,
       header_field_ptr=0x7fffa2aabac0, parse_cont_encoding=0,
hsd=0x331dec0, Session=0x12bdac0) at hi_server.c:656
   #3  0x00000000004cc6ce in hi_server_extract_header (Session=0x12bdac0,
ServerConf=0x2003eb0,
       header_ptr=0x7fffa2aabb40, start=0x7ff69b0d66ab <Address
0x7ff69b0d66ab out of bounds>,
       end=0x7ff69b0d6c00 <Address 0x7ff69b0d6c00 out of bounds>,
parse_cont_encoding=0, hsd=0x331dec0)
       at hi_server.c:720
   #4  0x00000000004ce051 in HttpResponseInspection (Session=0x12bdac0,
p=0x7fffa2aac050,
       data=0x7ff69b0d669c <Address 0x7ff69b0d669c out of bounds>,
dsize=1380, sd=0x331dec0) at hi_server.c:1476
   #5  0x00000000004ce729 in ServerInspection (Session=0x12bdac0,
p=0x7fffa2aac050, hsd=0x331dec0) at hi_server.c:1690
   #6  0x00000000004ce79b in hi_server_inspection (S=0x12bdac0,
p=0x7fffa2aac050, hsd=0x331dec0) at hi_server.c:1721
   #7  0x00000000004c4cf0 in hi_mi_mode_inspection (Session=0x12bdac0,
iInspectMode=2, p=0x7fffa2aac050, hsd=0x331dec0)
       at hi_mi.c:98
   #8  0x00000000004a6898 in SnortHttpInspect (GlobalConf=0x1fe0940,
p=0x7fffa2aac050) at snort_httpinspect.c:3507
   #9  0x000000000049f05e in HttpInspect (p=0x7fffa2aac050, context=0x0)
at spp_httpinspect.c:212
   #10 0x0000000000444983 in Preprocess (p=0x7fffa2aac050) at detect.c:172
   #11 0x0000000000437066 in ProcessPacket (user=0x0,
pkthdr=0x7fffa2aacca0,
       pkt=0x7ff69b0d6666 <Address 0x7ff69b0d6666 out of bounds>, ft=0x0)
at snort.c:1576
   #12 0x0000000000436cc8 in PacketCallback (user=0x0,
pkthdr=0x7fffa2aacca0,
       pkt=0x7ff69b0d6666 <Address 0x7ff69b0d6666 out of bounds>) at
snort.c:1486
   #13 0x0000000000513f55 in pcap_process_loop ()
   #14 0x00007ff6a045d7d5 in pcap_read_linux_mmap () from
/opt/local/lib/libpcap.so.1
   #15 0x000000000051417f in pcap_daq_acquire ()
   #16 0x000000000045bfac in DAQ_Acquire (max=-1, callback=0x436af3
<PacketCallback>, user=0x0) at sfdaq.c:514
   #17 0x000000000043980b in PacketLoop () at snort.c:2899
   #18 0x0000000000435d2c in SnortMain (argc=17, argv=0x7fffa2aacf58) at
snort.c:764
   #19 0x0000000000435c06 in main (argc=17, argv=0x7fffa2aacf58) at
snort.c:687

Here's a traceback on the pfring daq:

 #0  0x00000000004da6ca in TcpSessionCleanup (lwssn=0x2ae0ab0) at
snort_stream5_tcp.c:4644
 #1  0x00000000004ec136 in DeleteLWSession (sessionCache=0x16c77f0,
ssn=0x2ae0ab0,
     delete_reason=0x55b4d2 "memcap/stale") at snort_stream5_session.c:651
 #2  0x00000000004ec670 in PruneLWSessionCache (sessionCache=0x16c77f0,
thetime=0, save_me=0x0, memCheck=0)
     at snort_stream5_session.c:868
 #3  0x00000000004ec892 in NewLWSession (sessionCache=0x16c77f0,
p=0x7fffffffd400, key=0x7fffffffd290,
     policy=0x7ffff2e65010) at snort_stream5_session.c:931
 #4  0x00000000004dadc2 in Stream5ProcessTcp (p=0x7fffffffd400, lwssn=0x0,
s5TcpPolicy=0x7ffff2e65010,
     skey=0x7fffffffd290) at snort_stream5_tcp.c:5070
 #5  0x00000000004b4906 in Stream5Process (p=0x7fffffffd400, context=0x0)
at spp_stream5.c:1411
 #6  0x0000000000444993 in Preprocess (p=0x7fffffffd400) at detect.c:172
 #7  0x0000000000437076 in ProcessPacket (user=0x0, pkthdr=0x7fffffffe070,
pkt=0x7ffff183675b "", ft=0x0)
     at snort.c:1576
 #8  0x0000000000436cd8 in PacketCallback (user=0x0,
pkthdr=0x7fffffffe070, pkt=0x7ffff183675b "") at snort.c:1486
 #9  0x00007ffff211c656 in pfring_daq_acquire (handle=0x286d360, cnt=-1,
callback=0x436b03 <PacketCallback>,
     user=0x0) at daq_pfring.c:407
 #10 0x000000000045bfbc in DAQ_Acquire (max=-1, callback=0x436b03
<PacketCallback>, user=0x0) at sfdaq.c:514
 #11 0x000000000043981b in PacketLoop () at snort.c:2899
 #12 0x0000000000435d3c in SnortMain (argc=16, argv=0x7fffffffe398) at
snort.c:764
 #13 0x0000000000435c16 in main (argc=16, argv=0x7fffffffe398) at
 snort.c:687

Here's a traceback on the pcap (linked against pfring) DAQ:

 Core was generated by `/opt/pf/bin/snort -D -i eth5
--daq-dir=/opt/pf/lib/daq
 --daq pcap --daq-var clu'.

 #0  0x00000000004daf3a in TcpSessionCleanup (lwssn=0x341a9f0) at
snort_stream5_tcp.c:4644
 4644                                p.tcph->th_sport, p.tcph->th_dport,
 (gdb) where
 #0  0x00000000004daf3a in TcpSessionCleanup (lwssn=0x341a9f0) at
snort_stream5_tcp.c:4644
 #1  0x00000000004ec9a6 in DeleteLWSession (sessionCache=0x200ae80,
ssn=0x341a9f0,
     delete_reason=0x5763f2 "memcap/stale") at snort_stream5_session.c:651
 #2  0x00000000004ecee0 in PruneLWSessionCache (sessionCache=0x200ae80,
thetime=0, save_me=0x0, memCheck=0)
     at snort_stream5_session.c:868
 #3  0x00000000004ed102 in NewLWSession (sessionCache=0x200ae80,
p=0x7fffc43cea30, key=0x7fffc43ce8c0,
     policy=0x7f14b62b1010) at snort_stream5_session.c:931
 #4  0x00000000004db632 in Stream5ProcessTcp (p=0x7fffc43cea30, lwssn=0x0,
s5TcpPolicy=0x7f14b62b1010,
     skey=0x7fffc43ce8c0) at snort_stream5_tcp.c:5070
 #5  0x00000000004b5176 in Stream5Process (p=0x7fffc43cea30, context=0x0)
at spp_stream5.c:1411
 #6  0x0000000000445203 in Preprocess (p=0x7fffc43cea30) at detect.c:172
 #7  0x00000000004378e6 in ProcessPacket (user=0x0, pkthdr=0x7fffc43cf680,
     pkt=0x7f14b4aff3b8 <Address 0x7f14b4aff3b8 out of bounds>, ft=0x0) at
snort.c:1576
 #8  0x0000000000437548 in PacketCallback (user=0x0, pkthdr=0x7fffc43cf680,
     pkt=0x7f14b4aff3b8 <Address 0x7f14b4aff3b8 out of bounds>) at
snort.c:1486
 #9  0x00000000005147b5 in pcap_process_loop (user=<value optimized out>,
pkth=<value optimized out>,
     data=<value optimized out>) at daq_pcap.c:357
 #10 0x00000000005177ba in pcap_read_linux ()
 #11 0x00000000005149bd in pcap_daq_acquire (handle=0x2c770b0, cnt=-1,
callback=<value optimized out>,
     user=<value optimized out>) at daq_pcap.c:375
 #12 0x000000000045c82c in DAQ_Acquire (max=-1, callback=0x437373
<PacketCallback>, user=0x0) at sfdaq.c:514
 #13 0x000000000043a08b in PacketLoop () at snort.c:2899
 #14 0x00000000004365ac in SnortMain (argc=17, argv=0x7fffc43cf9d8) at
snort.c:764
 #15 0x0000000000436486 in main (argc=17, argv=0x7fffc43cf9d8) at
snort.c:687

 (gdb) p p.tcph
 $1 = (const TCPHdr *) 0x0

I have cores and executables if anyone's interested.

--
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida


------------------------------------------------------------------------------
Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference, checklist and point
of
discussion for anyone considering optimizing the pricing and packaging
model
of a cloud services business. Read Now!
http://www.accelacomm.com/jaw/sfnl/114/51491232/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
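Added example (not part of the original thread and not Snort project code): a small triage helper that re-joins mail-wrapped gdb frames like the ones above and buckets backtraces by their top frames, ignoring addresses that change between builds. The sample traces are constructed by abridging frames from this thread; the function names `parse_frames`, `signature` and `bucket` are hypothetical.

```python
import re

# Constructed samples: top frames abridged from the three backtraces in this
# thread, keeping the mail client's line wrapping.
PCAP = """\
#0  0x00000000004f6c02 in sf_unfold_header (inbuf=0x7ff69b0d6bfe
<Address 0x7ff69b0d6bfe out of bounds>,
       inbuf_size=1365, trim_spaces=1, folded=0x0) at util_unfold.c:55
#1  0x00000000004cc16b in extract_http_transfer_encoding
(Session=0x12bdac0, hsd=0x331dec0, iInspectMode=2)
       at hi_server.c:570
"""
PFRING = """\
 #0  0x00000000004da6ca in TcpSessionCleanup (lwssn=0x2ae0ab0) at
snort_stream5_tcp.c:4644
 #1  0x00000000004ec136 in DeleteLWSession (sessionCache=0x16c77f0,
ssn=0x2ae0ab0,
     delete_reason=0x55b4d2 "memcap/stale") at snort_stream5_session.c:651
"""
PCAP_PFRING = """\
 #0  0x00000000004daf3a in TcpSessionCleanup (lwssn=0x341a9f0) at
snort_stream5_tcp.c:4644
 #1  0x00000000004ec9a6 in DeleteLWSession (sessionCache=0x200ae80,
ssn=0x341a9f0,
     delete_reason=0x5763f2 "memcap/stale") at snort_stream5_session.c:651
"""

FRAME_START = re.compile(r"^[ \t]*#\d+\s", re.M)
FRAME = re.compile(r"#\d+\s+(?:0x[0-9a-f]+ in )?(\w+) \(.*\)"
                   r"(?: at (\S+):(\d+)| from \S+)?$")

def parse_frames(trace):
    """Re-join wrapped lines; return (function, file, line) for each frame."""
    starts = [m.start() for m in FRAME_START.finditer(trace)]
    frames = []
    for begin, end in zip(starts, starts[1:] + [len(trace)]):
        m = FRAME.match(" ".join(trace[begin:end].split()))
        if m:
            func, path, line = m.groups()
            frames.append((func, path, int(line) if line else None))
    return frames

def signature(trace, depth=2):
    """Crash bucket key: the top frames by function and source location."""
    return tuple(parse_frames(trace)[:depth])

def bucket(traces):
    """Group named traces that share a signature."""
    groups = {}
    for name, trace in traces.items():
        groups.setdefault(signature(trace), []).append(name)
    return groups
```

Run over the three traces, the two pfring-linked builds fall into one bucket (`TcpSessionCleanup` reached from `DeleteLWSession`) and the plain pcap crash in `sf_unfold_header` into another.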