Snort mailing list archives
Re: Improvement to Unified2File.c in Snort-2.9.8.0 beta
From: "Costas Kleopa (ckleopa)" <ckleopa () cisco com>
Date: Thu, 10 Sep 2015 20:56:11 +0000
Thank you for reporting this issue also. We will add a fix for this too.
On Sep 10, 2015, at 4:43 PM, Bill Parker <wp02855 () gmail com> wrote: Hello All, In reviewing code in directory 'tools/u2streamer', file 'Unified2File.c', I ran across the comment below: /* XXX we should check that we are in the HEADER_READY state */ The patch file below adds the check requested, and additionally checks a call to lseek() further down in the code which is not checked for a return value of < 0, indicating error: ======================================================================= --- Unified2File.c.orig 2015-09-10 09:36:35.103000000 -0700 +++ Unified2File.c 2015-09-10 09:58:34.475000000 -0700 @@ -108,15 +108,19 @@ if(!u2_file->u2_record) { /* XXX we should check that we are in the HEADER_READY state */ - if(!(u2_file->u2_record = (Unified2Record *)calloc(1, - sizeof(Unified2Record)))) - { - fprintf(stderr, "Out of memory (wanted %zu bytes)", - sizeof(Unified2Record)); - return SF_ENOMEM; - } - u2_file->read_offset = 0; - u2_file->read_status = U2FILE_STATUS_HEADER_READY; + if(u2_file->read_status == U2FILE_STATUS_HEADER_READY) + { + u2_file->u2_record = (Unified2Record *) calloc(1, sizeof(Unified2Record)); + + if(!u2_file->u2_record) + { + fprintf(stderr, "Out of memory (wanted %zu bytes)", + sizeof(Unified2Record)); + return SF_ENOMEM; + } + u2_file->read_offset = 0; + u2_file->read_status = U2FILE_STATUS_HEADER_READY; + } } if(u2_file->read_status == U2FILE_STATUS_HEADER_READY 
@@ -176,6 +180,13 @@ { /* Seek back to where we started, in case we want to try again */ off_t rval = lseek(u2_file->fd, (0 - bytes_read), SEEK_CUR); + if (rval == -1) { + fprintf(stderr, "Error on Seek backwards...\n"); + u2_file->read_errno = errno; + u2_file->read_status = U2FILE_STATUS_NOT_READY; + return SF_ESEEK; + } + fprintf(stderr, "Seek backwards %zu bytes, seek returns %ld", bytes_read, rval); error_count++; ======================================================================= The patch file below adds a new code for when seek()/lseek()/fseek() returns a error value: --- sf_error.h.orig 2015-09-10 10:12:36.391000000 -0700 +++ sf_error.h 2015-09-10 10:13:16.686000000 -0700 @@ -64,6 +64,7 @@ #define SF_EUSER_LIMIT_REACHED 56 /* Couldn't create user - license limit reached*/ #define SF_EDELETE 57 /* Error in deleting file or entry in memory */ #define SF_EMEM 58 /* Error in manipulating memory */ +#define SF_ESEEK 70 /* Seek error (file i/o) */ #define SF_NITRO_DUPLICATE 114 /* duplicate key */ /** ======================================================================= The patch file below adds a new descriptive string for the matching value in sf_error.h: --- sf_error.c.orig 2015-09-10 10:19:08.505000000 -0700 +++ sf_error.c 2015-09-10 10:20:13.149000000 -0700 
@@ -64,6 +64,7 @@ "Couldn't create user - license limit reached", // 56 - SF_EUSER_LIMIT_REACHED "Error in deleting file or entry in memory", // 57 - SF_EDELETE "Error manipulating memory" // 58 - SF_EMEM + "Seek error" // 70 - SF_ESEEK }; #define SF_MAX_ERRNUM (sizeof(SF_errstrings)/sizeof(SF_errstrings[0])) ======================================================================= I am attaching the patch files to this bug report... Questions, Comments, Suggestions, Complaints? :) Bill Parker (wp02855 at gmail dot com) <m00000000!> <sf_error.c.patch><sf_error.h.patch><Unified2File.c.patch>------------------------------------------------------------------------------ Monitor Your Dynamic Infrastructure at Any Scale With Datadog! Get real-time metrics from all of your servers, apps and tools in one place. SourceForge users - Click here to start your Free Trial of Datadog now! http://pubads.g.doubleclick.net/gampad/clk?id=241902991&iu=/4140_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
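Review bot: The new `if(u2_file->read_status == U2FILE_STATUS_HEADER_READY)` check in the first Unified2File.c hunk has no else path, so when `u2_file->u2_record` is NULL and the state is anything else the function now silently carries on with an unallocated record instead of reporting the state problem the XXX comment asked for; the following `if(u2_file->read_status == U2FILE_STATUS_HEADER_READY` test does not catch that case either. Return an error code from sf_error.h there (and, as the second hunk does on seek failure, set `read_status` to `U2FILE_STATUS_NOT_READY`) so no caller reaches a read with `u2_record == NULL`. Also, `u2_file->read_status = U2FILE_STATUS_HEADER_READY;` inside a block guarded by that same condition is now a no-op and can be dropped.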
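Review bot: In the new `if (rval == -1)` block of the lseek hunk, `errno` is read only after `fprintf(stderr, "Error on Seek backwards...\n");`, and a stdio call may itself change `errno`, so `u2_file->read_errno` can record the wrong value; capture it right after the `lseek()` call (`int saved_errno = errno;`) and store that, and consider printing `strerror()` of it so the operator sees why the seek failed. Pre-existing but visible in the same context: `(0 - bytes_read)` is computed in the unsigned type of `bytes_read` (it is printed with `%zu` two lines down) and only becomes negative by wraparound when converted to `off_t`; `-(off_t)bytes_read` states the intent and does not depend on both types having the same width, and the `%ld` used for `rval` wants a cast to `long`.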
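Review bot: `#define SF_ESEEK 70` in the sf_error.h hunk does not line up with the string table: the existing codes 56, 57, 58 are commented as positions in `SF_errstrings`, `SF_MAX_ERRNUM` is computed from the array length, and the sf_error.c change appends the new string immediately after the `// 58 - SF_EMEM` entry, so "Seek error" would occupy index 59 while the code is 70, and any lookup of `SF_errstrings[SF_ESEEK]` would be out of range or return another code's text. Use the next free slot, `#define SF_ESEEK 59`, and keep the comment in sf_error.c in step with it.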
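Review bot: The added `"Seek error" // 70 - SF_ESEEK` line in the sf_error.c hunk is not separated by a comma from the preceding `"Error manipulating memory" // 58 - SF_EMEM` entry, which as the previous last element has no trailing comma, so the two adjacent literals concatenate into one string `"Error manipulating memorySeek error"` and the array gains no element at all; this compiles without a warning and is easy to miss. Change the context line to `"Error manipulating memory", // 58 - SF_EMEM` before adding the new entry, and make the comment give the index the string actually occupies (59) rather than 70, matching whatever value `SF_ESEEK` is finally given.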
Current thread:
- Improvement to Unified2File.c in Snort-2.9.8.0 beta Bill Parker (Sep 10)
- Re: Improvement to Unified2File.c in Snort-2.9.8.0 beta Ed Borgoyn (eborgoyn) (Sep 10)
- Re: Improvement to Unified2File.c in Snort-2.9.8.0 beta Costas Kleopa (ckleopa) (Sep 10)