Snort mailing list archives

Re: snort 1.8.4b1 dumping core


From: Kris Kennaway <kris () obsecurity org>
Date: Sun, 3 Feb 2002 22:19:31 -0800

On Mon, Feb 04, 2002 at 12:27:21AM -0500, Martin Roesch wrote:
> Hi Kris,
>      Does it core right away or does it take a while?

It takes a while, i.e. it seems to be certain traffic which causes it.

> Can you try enabling DEBUG mode (see the BUGS file) and let it run through
> that?  Run snort like this:
>
> Snort [options] > debug.file

I can try that.

> You can also try running Snort from inside gdb and see if you can get better
> information on the backtrace from that; something really weird is happening
> here.

I rebuilt libc and libpcap with -ggdb and linked snort static; here's
the complete backtrace.

(gdb) bt
#0  pcap_read (p=0x0, cnt=134884155, callback=0x875bac0, user=0xc <Address 0xc out of bounds>)
    at /usr/src/lib/libpcap/../../contrib/libpcap/pcap-bpf.c:121
#1  0x807f430 in pcap_loop (p=0x8130000, cnt=-1, callback=0x875bac0, user=0x0)
    at /usr/src/lib/libpcap/../../contrib/libpcap/pcap.c:79
#2  0x804a181 in InterfaceThread (arg=0x0) at snort.c:1675
#3  0x80488a1 in main (argc=10, argv=0xbfbff7b8) at snort.c:478

(gdb) list /usr/src/lib/libpcap/../../contrib/libpcap/pcap-bpf.c:121
116              */
117     #define bhp ((struct bpf_hdr *)bp)
118             ep = bp + cc;
119             while (bp < ep) {
120                     register int caplen, hdrlen;
121                     caplen = bhp->bh_caplen;
122                     hdrlen = bhp->bh_hdrlen;
123                     /*
124                      * XXX A bpf_hdr matches a pcap_pkthdr.
125                      */

(gdb) print bp
$1 = (u_char *) 0x169c084 <Address 0x169c084 out of bounds>

(gdb) list /usr/src/lib/libpcap/../../contrib/libpcap/pcap.c:79
74                              /*
75                               * XXX keep reading until we get something
76                               * (or an error occurs)
77                               */
78                              do {
79                                      n = pcap_read(p, cnt, callback, user);
80                              } while (n == 0);
81                      }
82                      if (n <= 0)
83                              return (n);

Kris
