Snort mailing list archives

Version 1.8-beta8 (Build 33)


From: Phil Wood <cpw () lanl gov>
Date: Tue, 3 Jul 2001 16:31:14 -0600


Folks,

Have you that stand on the edge seen a case where snort will segmentation
fault upon receipt of a SIGTERM?  In particular, gdb shows:

#0  0x8079683 in BuildPacket (s=0x8580c74, stream_size=4344, p=0xbfffef88)
    at spp_stream4.c:1998
#1  0x8079451 in FlushStream (s=0x8580c74, p=0xbfffef88) at spp_stream4.c:1924
#2  0x807815a in ReassembleStream4 (p=0xbfffef88) at spp_stream4.c:840
#3  0x805719a in Preprocess (p=0xbfffef88) at rules.c:3423
#4  0x804b9c3 in ProcessPacket (user=0x0, pkthdr=0xbffff458, pkt=0x403a9672 "")
    at snort.c:512
#5  0x8079f6f in packet_ring_recv ()
#6  0x807a2ae in pcap_read ()
#7  0x807af3b in pcap_loop ()
#8  0x804e9f8 in InterfaceThread (arg=0x0) at snort.c:1441
#9  0x804b88f in main (argc=17, argv=0xbffff69c) at snort.c:445
#10 0x401e5b65 in __libc_start_main (main=0x804b238 <main>, argc=17, 
    ubp_av=0xbffff69c, init=0x804a2d0 <_init>, fini=0x8085c3c <_fini>, 
    rtld_fini=0x4000df24 <_dl_fini>, stack_end=0xbffff694)
    at ../sysdeps/generic/libc-start.c:111

Here is where we are:

1993            return;
1994        }
1995
1996        while(idx != NULL)
1997        {
1998*           stream_offset = idx->seq_num - s->base_seq;
1999
2000            if(stream_offset + idx->payload_size <= stream_size)
2001            {
2002                memcpy(stream_pkt->data+stream_offset, idx->payload, 


And, the value of idx is 0x01.
(gdb) print idx
$1 = (StreamPacketData *) 0x1

BuildPacket sets idx to s->data, which is:

(gdb) print s->data
$1 = (StreamPacketData *) 0x8580cb0

I didn't see any statement from the beginning to line 1998 that would have
reset idx.

However, the code iterates through a linked list by setting idx to
idx->next.  So, maybe idx->next got clobbered.  According to the code,
all idx structures are allocated with SaveAlloc which uses calloc.

I wonder if it is safe to call cleanup code in stream4, especially if the
SIGTERM yanked the program out of some linked list manipulation in stream4
itself?

Any ideas?

Thanks,

Phil
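
The concern raised in the message above (cleanup code walking a linked list that a signal interrupted mid-update) is commonly avoided by letting the handler only set a flag and running cleanup from the main loop once no update is in flight. The following is an added example, not Snort's code and not part of the original post; `Seg`, `push_seg`, `run` and the `raise_at` trigger are hypothetical names constructed for the demonstration.

```c
#include <signal.h>
#include <stdlib.h>
/* Hypothetical stand-in for a reassembly segment list; not Snort's structures. */
typedef struct Seg { unsigned seq; struct Seg *next; } Seg;
static Seg *head;
static volatile sig_atomic_t stop_requested; /* set by handler, polled by loop */
static volatile sig_atomic_t in_update;      /* 1 while links are half-written */
static volatile sig_atomic_t hit_mid_update; /* handler fired during an update */

/* Handler only records the request; it never walks or frees the list. */
static void on_term(int sig)
{
    (void)sig;
    if (in_update) hit_mid_update = 1;
    stop_requested = 1;
}

/* raise_at == seq simulates SIGTERM between the two pointer writes (constructed). */
static int push_seg(unsigned seq, unsigned raise_at)
{
    Seg *n = calloc(1, sizeof *n), *old = head;
    if (n == NULL) return -1;
    n->seq = seq;
    in_update = 1;
    head = n;                    /* list truncated here: old nodes unreachable */
    if (seq == raise_at) raise(SIGTERM);
    n->next = old;               /* links consistent again */
    in_update = 0;
    return 0;
}

/* Runs only from the main loop, at a point where no update is in flight. */
static int cleanup(void)
{
    int freed = 0;
    while (head != NULL) { Seg *next = head->next; free(head); head = next; freed++; }
    return freed;
}

/* Process up to n "packets", stop at the first safe point after SIGTERM, then clean up. */
static int run(unsigned n, unsigned raise_at)
{
    head = NULL; stop_requested = 0; hit_mid_update = 0;
    if (signal(SIGTERM, on_term) == SIG_ERR) return -1;
    for (unsigned i = 1; i <= n && !stop_requested; i++)
        if (push_seg(i, raise_at) != 0) break;
    return cleanup();
}
int main(void) { return run(5, 3) == 3 ? 0 : 1; }
```

Had the handler called `cleanup()` directly at the simulated delivery point, it would have seen only the half-linked new node and missed the older ones; with other update orders it could follow an uninitialised `next`.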




