Re: Snort++: MIND THE STACK when mixing C and LUA!

[Russ <rucombs () cisco com>]

Thanks Sancho, we'll get those cleaned up.  We are already working on 
the MODULE_PROFILE_END() issues.

Russ

On 7/16/15 5:51 AM, Sancho Panza wrote:
> I discovered a bug in Snort++ that seems to be kind of systematic.
>
> What did I do? I tried to use the "lualert" LUA logger contained in the
> extras package.
>
> I configured Snort with on single rule to strike on every single IP
> packet.
> Next I started Snort with "-r 1million.dump" to process the traffic in a
> pcap file containing 1 million packets.
>
> After logging quite a couple of packets, Snort aborted with a
> Segmentation fault.
>
> Turns out this was due to a stack overflow caused by quite a careless
> use of lua_pcall():
>
> In loggers/alert_luajit.cc, there is a call to lua_pcall(L, 0, 1, 0)
> which, as indicated by the third parameter, returns one result on the
> lua stack. Alas, this result is never removed from the stack by a
> subsequent call to lua_pop(L, 1).
> I also noticed that this function features two calls to
> MODULE_PROFILE_END() which in case of an error would BOTH be executed
> (which is probably wrong).
>
>
> Later I searched for lua_pcall() in the whole Snort++ sources and found
> mroe problems:
>
> helpers/chunk.cc:
>
> Line 101 has a call to lua_pcall(L, 0, 1, 0), also with one result
> returned on the stack. In fact, there is a subsequent call to lua_pop()
> at the end, but in between, there are quite a few return statements that
> can be reached before lua_pop() gets executed, leaving the stack in an
> unclean state.
>
> ips_options/ips_luajit.cc:
>
> Again, Line 201 has a call to lua_pcall(L, 0, 1, 0) with a subsequent
> call to lua_pop(), which won't be reached if lua_pcall() fails!
>
> main/shell.cc:
>
> Function run_config has a call to lua_pcall(L, 1, 1, 0) without a
> corresponding lua_pop() to remove the result from the stack.
>
> Regards,
>
> Sancho
>
> ------------------------------------------------------------------------------
> Don't Limit Your Business. Reach for the Cloud.
> GigeNET's Cloud Solutions provide you with the tools and support that
> you need to offload your IT needs and focus on growing your business.
> Configured For All Businesses. Start Your Cloud Today.
> https://www.gigenetcloud.com/
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!


------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!