Snort mailing list archives
Re: 2.9.2-rc segfaults
From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 7 Dec 2011 11:01:22 -0500
Jim - thanks for reporting this. Would like to get some additional info to help get you a fix ASAP.

Is this easily reproducible for you? If so, can you rebuild with --enable-debug and send the backtrace(s) from that? What type of box are you running on?

Thanks
Russ

On Wed, Dec 7, 2011 at 10:45 AM, Jim Hranicky <jfh () ufl edu> wrote:
Hey SF folks,

I'm getting segfaults with 2.9.2-rc . I was using the pfring daq, and I thought that might be the problem, though now I'm getting segfaults with just standard snort & the pcap daq. Fortunately, they're segfaulting in different places :-/ .

Non-pf snort/pcap daq trace:

Core was generated by `/opt/local/bin/snort -D -i eth5 --daq-dir=/opt/local/lib/daq --daq pcap --daq-v'.
Program terminated with signal 11, Segmentation fault.
#0 0x00000000004f6c02 in sf_unfold_header (inbuf=0x7ff69b0d6bfe <Address 0x7ff69b0d6bfe out of bounds>, inbuf_size=1365, outbuf=0x7fffa2a9ba00 "c\362pr\017\210\003\375Zn\320\340\256\030ڌ\217\030\335\323\036\300)\261ax;\260\261\344\377uVV;\377\230qA\373)*\v\230\240\203\312,G(\347q\336NJ\255H\004", outbuf_size=65535, output_bytes=0x7fffa2a9b9fc, trim_spaces=1, folded=0x0) at util_unfold.c:55
55 if(((*cursor == ' ') || (*cursor == '\t')))
(gdb) where
#0 0x00000000004f6c02 in sf_unfold_header (inbuf=0x7ff69b0d6bfe <Address 0x7ff69b0d6bfe out of bounds>, inbuf_size=1365, outbuf=0x7fffa2a9ba00 "c\362pr\017\210\003\375Zn\320\340\256\030ڌ\217\030\335\323\036\300)\261ax;\260\261\344\377uVV;\377\230qA\373)*\v\230\240\203\312,G(\347q\336NJ\255H\004", outbuf_size=65535, output_bytes=0x7fffa2a9b9fc, trim_spaces=1, folded=0x0) at util_unfold.c:55
#1 0x00000000004cc16b in extract_http_transfer_encoding (Session=0x12bdac0, hsd=0x331dec0, p=0x7ff69b0d6bfe <Address 0x7ff69b0d6bfe out of bounds>, start=0x7ff69b0d66ab <Address 0x7ff69b0d66ab out of bounds>, end=0x7ff69b0d6c00 <Address 0x7ff69b0d6c00 out of bounds>, header_ptr=0x7fffa2aabb40, iInspectMode=2) at hi_server.c:570
#2 0x00000000004cc514 in extractHttpRespHeaderFieldValues (ServerConf=0x2003eb0, p=0x7ff69b0d6bfd <Address 0x7ff69b0d6bfd out of bounds>, offset=0x7ff69b0d6bec <Address 0x7ff69b0d6bec out of bounds>, start=0x7ff69b0d66ab <Address 0x7ff69b0d66ab out of bounds>, end=0x7ff69b0d6c00 <Address 0x7ff69b0d6c00 out of bounds>, header_ptr=0x7fffa2aabb40, header_field_ptr=0x7fffa2aabac0, parse_cont_encoding=0, hsd=0x331dec0, Session=0x12bdac0) at hi_server.c:656
#3 0x00000000004cc6ce in hi_server_extract_header (Session=0x12bdac0, ServerConf=0x2003eb0, header_ptr=0x7fffa2aabb40, start=0x7ff69b0d66ab <Address 0x7ff69b0d66ab out of bounds>, end=0x7ff69b0d6c00 <Address 0x7ff69b0d6c00 out of bounds>, parse_cont_encoding=0, hsd=0x331dec0) at hi_server.c:720
#4 0x00000000004ce051 in HttpResponseInspection (Session=0x12bdac0, p=0x7fffa2aac050, data=0x7ff69b0d669c <Address 0x7ff69b0d669c out of bounds>, dsize=1380, sd=0x331dec0) at hi_server.c:1476
#5 0x00000000004ce729 in ServerInspection (Session=0x12bdac0, p=0x7fffa2aac050, hsd=0x331dec0) at hi_server.c:1690
#6 0x00000000004ce79b in hi_server_inspection (S=0x12bdac0, p=0x7fffa2aac050, hsd=0x331dec0) at hi_server.c:1721
#7 0x00000000004c4cf0 in hi_mi_mode_inspection (Session=0x12bdac0, iInspectMode=2, p=0x7fffa2aac050, hsd=0x331dec0) at hi_mi.c:98
#8 0x00000000004a6898 in SnortHttpInspect (GlobalConf=0x1fe0940, p=0x7fffa2aac050) at snort_httpinspect.c:3507
#9 0x000000000049f05e in HttpInspect (p=0x7fffa2aac050, context=0x0) at spp_httpinspect.c:212
#10 0x0000000000444983 in Preprocess (p=0x7fffa2aac050) at detect.c:172
#11 0x0000000000437066 in ProcessPacket (user=0x0, pkthdr=0x7fffa2aacca0, pkt=0x7ff69b0d6666 <Address 0x7ff69b0d6666 out of bounds>, ft=0x0) at snort.c:1576
#12 0x0000000000436cc8 in PacketCallback (user=0x0, pkthdr=0x7fffa2aacca0, pkt=0x7ff69b0d6666 <Address 0x7ff69b0d6666 out of bounds>) at snort.c:1486
#13 0x0000000000513f55 in pcap_process_loop ()
#14 0x00007ff6a045d7d5 in pcap_read_linux_mmap () from /opt/local/lib/libpcap.so.1
#15 0x000000000051417f in pcap_daq_acquire ()
#16 0x000000000045bfac in DAQ_Acquire (max=-1, callback=0x436af3 <PacketCallback>, user=0x0) at sfdaq.c:514
#17 0x000000000043980b in PacketLoop () at snort.c:2899
#18 0x0000000000435d2c in SnortMain (argc=17, argv=0x7fffa2aacf58) at snort.c:764
#19 0x0000000000435c06 in main (argc=17, argv=0x7fffa2aacf58) at snort.c:687

Here's a traceback on the pfring daq:

#0 0x00000000004da6ca in TcpSessionCleanup (lwssn=0x2ae0ab0) at snort_stream5_tcp.c:4644
#1 0x00000000004ec136 in DeleteLWSession (sessionCache=0x16c77f0, ssn=0x2ae0ab0, delete_reason=0x55b4d2 "memcap/stale") at snort_stream5_session.c:651
#2 0x00000000004ec670 in PruneLWSessionCache (sessionCache=0x16c77f0, thetime=0, save_me=0x0, memCheck=0) at snort_stream5_session.c:868
#3 0x00000000004ec892 in NewLWSession (sessionCache=0x16c77f0, p=0x7fffffffd400, key=0x7fffffffd290, policy=0x7ffff2e65010) at snort_stream5_session.c:931
#4 0x00000000004dadc2 in Stream5ProcessTcp (p=0x7fffffffd400, lwssn=0x0, s5TcpPolicy=0x7ffff2e65010, skey=0x7fffffffd290) at snort_stream5_tcp.c:5070
#5 0x00000000004b4906 in Stream5Process (p=0x7fffffffd400, context=0x0) at spp_stream5.c:1411
#6 0x0000000000444993 in Preprocess (p=0x7fffffffd400) at detect.c:172
#7 0x0000000000437076 in ProcessPacket (user=0x0, pkthdr=0x7fffffffe070, pkt=0x7ffff183675b "", ft=0x0) at snort.c:1576
#8 0x0000000000436cd8 in PacketCallback (user=0x0, pkthdr=0x7fffffffe070, pkt=0x7ffff183675b "") at snort.c:1486
#9 0x00007ffff211c656 in pfring_daq_acquire (handle=0x286d360, cnt=-1, callback=0x436b03 <PacketCallback>, user=0x0) at daq_pfring.c:407
#10 0x000000000045bfbc in DAQ_Acquire (max=-1, callback=0x436b03 <PacketCallback>, user=0x0) at sfdaq.c:514
#11 0x000000000043981b in PacketLoop () at snort.c:2899
#12 0x0000000000435d3c in SnortMain (argc=16, argv=0x7fffffffe398) at snort.c:764
#13 0x0000000000435c16 in main (argc=16, argv=0x7fffffffe398) at snort.c:687

Here's a traceback on the pcap (linked against pfring) DAQ:

Core was generated by `/opt/pf/bin/snort -D -i eth5 --daq-dir=/opt/pf/lib/daq --daq pcap --daq-var clu'.
#0 0x00000000004daf3a in TcpSessionCleanup (lwssn=0x341a9f0) at snort_stream5_tcp.c:4644
4644 p.tcph->th_sport, p.tcph->th_dport,
(gdb) where
#0 0x00000000004daf3a in TcpSessionCleanup (lwssn=0x341a9f0) at snort_stream5_tcp.c:4644
#1 0x00000000004ec9a6 in DeleteLWSession (sessionCache=0x200ae80, ssn=0x341a9f0, delete_reason=0x5763f2 "memcap/stale") at snort_stream5_session.c:651
#2 0x00000000004ecee0 in PruneLWSessionCache (sessionCache=0x200ae80, thetime=0, save_me=0x0, memCheck=0) at snort_stream5_session.c:868
#3 0x00000000004ed102 in NewLWSession (sessionCache=0x200ae80, p=0x7fffc43cea30, key=0x7fffc43ce8c0, policy=0x7f14b62b1010) at snort_stream5_session.c:931
#4 0x00000000004db632 in Stream5ProcessTcp (p=0x7fffc43cea30, lwssn=0x0, s5TcpPolicy=0x7f14b62b1010, skey=0x7fffc43ce8c0) at snort_stream5_tcp.c:5070
#5 0x00000000004b5176 in Stream5Process (p=0x7fffc43cea30, context=0x0) at spp_stream5.c:1411
#6 0x0000000000445203 in Preprocess (p=0x7fffc43cea30) at detect.c:172
#7 0x00000000004378e6 in ProcessPacket (user=0x0, pkthdr=0x7fffc43cf680, pkt=0x7f14b4aff3b8 <Address 0x7f14b4aff3b8 out of bounds>, ft=0x0) at snort.c:1576
#8 0x0000000000437548 in PacketCallback (user=0x0, pkthdr=0x7fffc43cf680, pkt=0x7f14b4aff3b8 <Address 0x7f14b4aff3b8 out of bounds>) at snort.c:1486
#9 0x00000000005147b5 in pcap_process_loop (user=<value optimized out>, pkth=<value optimized out>, data=<value optimized out>) at daq_pcap.c:357
#10 0x00000000005177ba in pcap_read_linux ()
#11 0x00000000005149bd in pcap_daq_acquire (handle=0x2c770b0, cnt=-1, callback=<value optimized out>, user=<value optimized out>) at daq_pcap.c:375
#12 0x000000000045c82c in DAQ_Acquire (max=-1, callback=0x437373 <PacketCallback>, user=0x0) at sfdaq.c:514
#13 0x000000000043a08b in PacketLoop () at snort.c:2899
#14 0x00000000004365ac in SnortMain (argc=17, argv=0x7fffc43cf9d8) at snort.c:764
#15 0x0000000000436486 in main (argc=17, argv=0x7fffc43cf9d8) at snort.c:687
(gdb) p p.tcph
$1 = (const TCPHdr *) 0x0

I have cores and executables if anyone's interested.

--
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida

------------------------------------------------------------------------------

Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference, checklist and point of discussion for anyone considering optimizing the pricing and packaging model of a cloud services business. Read Now!
http://www.accelacomm.com/jaw/sfnl/114/51491232/

_______________________________________________

Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- 2.9.2-rc segfaults Jim Hranicky (Dec 07)
- Re: 2.9.2-rc segfaults Russ Combs (Dec 07)
- Re: 2.9.2-rc segfaults Jim Hranicky (Dec 07)
- Re: 2.9.2-rc segfaults Russ Combs (Dec 07)