Re: Buffer too small for packet.dll? (was: Error initializing NIC)

["Chris Reid" <Chris.Reid () CodeCraftConsultants com>]

Hi all,

Last night I did some poking around to see if I could find the source of the
problem.  Yesterday John Goggan had sent me some good information to help
track it down the cause.

Basically, the CVS source code for Snort comes with an older version of the
WinPcap library (libpcap.lib).  This is the same version which was provided
in the port of Snort 1.7 by Michael Davis about a year ago.  The function
pcap_lookupdev() calls PacketGetAdapterNames(), passing a buffer and length
as parameters (currently 8196 in version 2.3).  I don't have the older
version of the WinPcap source code, so I can't make a comparison between the
two.  But an educated guess is that the older version is calling
PacketGetAdapterNames() with a buffer of 1024 bytes.

I performed some preliminary tests last night by replacing the Snort 1.8
copies of libpcap.lib and Packet.lib with ones from the 2.3 distribution of
WinPcap, and then recompiling.  All preliminary tests seemed successful.
However, I don't have the environment to test the buffer overflowing
condition.

Can anybody provide feedback on whether compiling with the new libpcap.lib
and Packet.lib prevent the overflow?  I'm attaching them to this message.
Thanks.

Chris Reid



----- Original Message -----
From: "Reinhard Doberstein" <r.doberstein () typoart de>
To: <snort-users () lists sourceforge net>
Sent: Thursday, April 25, 2002 4:00 AM
Subject: RE: [Snort-users] Buffer too small for packet.dll? (was: Error
initializing NIC)


> Hi John,
>
> sounds very interesting.
> Btw. there is a Bugreport about this, ist Number 543346
[http://sourceforge.net/tracker/index.php?func=detail&aid=543346&group_id=33
> 57&atid=103357].
>
> By
> Reinhard
>
> --
> Reinhard Doberstein
> mailto:r.doberstein () gmx de http://www.doberstein.com
>
>
>
> > -----Original Message-----
> > From: John Goggan [mailto:jgoggan () dcg com]
> > Sent: Thursday, April 25, 2002 7:07 AM
> > To: snort-users () lists sourceforge net
> > Subject: RE: [Snort-users] Buffer too small for packet.dll?
> > (was: Error
> > initializing NIC)
> >
> >
> > Reinhard Doberstein wrote:
> >
> > > With "snort -W" i got:
> > >
> > > -*> Snort! <*-
> > > Version 1.8-WIN32 (Build 103)
> > > By Martin Roesch (<EMAIL: PROTECTED>, http://www.snort.org)
> > > 1.7-WIN32 Port By Michael Davis (<EMAIL: PROTECTED>,
> > >  http://www.datanerds.net/~mike)
> > > 1.8-WIN32 Port By Chris Reid (<EMAIL: PROTECTED>)
> > >           (based on code from 1.7 port)
> > >
> > > Interface       Device          Description
> > > -------------------------------------------
> > > 1
> > >
> > > .................................................................
> > >
> > > so i got nothing by Device or Description. And that happend on all
> > > machines. I think this is the problem.
> >
> > I am having this same problem on 2 out of 3 of my Win2000
> > machines.  After
> > looking over the sourcecode for a while, I've discovered that
> > it is some type
> > of problem with the length of BufferSize passed to
> > PacketGetAdapterNames, I
> > believe.
> >
> > Note that I'm brand-new to the Win32 version of snort as of a
> > few hours ago,
> > so please excuse any ignorance...
> >
> > Basically, if you drop in a debug (with _DEBUG_TO_FILE)
> > version of packet.dll,
> > you will get output similar to this when doing a "snort -W" to display
> > interfaces (when I get the empty interface list as shown above):
> >
> > ************Packet32: DllMain************
> > PacketGetAdapterNames: BufferSize=1024
> > Need 1246 bytes for the names
> > PacketGetAdapterNames: GlobalAlloc Failed
> >
> > As you can see, the BufferSize is 1024, but I need 1246 bytes for the
> > interface list.  Therefore, things fail...
> >
> > The question is -- why don't I have a big enough buffer?  :)
> > I don't see
> > where this is set at all with the Packet.dll version of
> > things.  If I look at
> > the Wpcap.dll code, I see that a buffer of size 8192 is set
> > and passed into
> > PacketGetAdapterNames (from within pcap_lookupdev).  This is
> > why everything
> > works fine when WinDump is used to show the interfaces --
> > since WinDump
> > appears to use the Wpcap.dll, correct?
> >
> > So -- when packet.dll is used -- what exactly calls
> > PacketGetAdapterNames?  I
> > don't really understand how packet.dll is used yet -- so
> > please excuse my
> > ignorance there.  But, it basically looks like, for
> > packet.dll, the buffer
> > size for whatever calls PacketGetAdapterNames is simply much
> > too small (1024)
> > for some Win2000 boxes.
> >
> > Can anyone fill me in if I'm missing something?  Or, if
> > that's it, can someone
> > tell me where to adjust that buffer size for apps using packet.dll?
> >
> > Thanks!
> >
> >  - John Goggan...
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

Attachment: winpcap_23_libraries.zip
Description: