Snort mailing list archives
2.9.2-rc segfaults
From: Jim Hranicky <jfh () ufl edu>
Date: Wed, 7 Dec 2011 10:45:17 -0500
Hey SF folks, I'm getting segfaults with 2.9.2-rc. I was using
the pfring daq, and I thought that might be the problem, though
now I'm getting segfaults with just standard snort & the pcap
daq. Fortunately, they're segfaulting in different places :-/.
Non-pf snort/pcap daq trace:
Core was generated by `/opt/local/bin/snort -D -i eth5 --daq-dir=/opt/local/lib/daq --daq pcap --daq-v'.
Program terminated with signal 11, Segmentation fault.
#0 0x00000000004f6c02 in sf_unfold_header (inbuf=0x7ff69b0d6bfe <Address 0x7ff69b0d6bfe out of bounds>,
inbuf_size=1365,
outbuf=0x7fffa2a9ba00
"c\362pr\017\210\003\375Zn\320\340\256\030ڌ\217\030\335\323\036\300)\261ax;\260\261\344\377uVV;\377\230qA\373)*\v\230\240\203\312,G(\347q\336NJ\255H\004",
outbuf_size=65535, output_bytes=0x7fffa2a9b9fc,
trim_spaces=1, folded=0x0) at util_unfold.c:55
55 if(((*cursor == ' ') || (*cursor == '\t')))
(gdb) where
#0 0x00000000004f6c02 in sf_unfold_header (inbuf=0x7ff69b0d6bfe <Address 0x7ff69b0d6bfe out of bounds>,
inbuf_size=1365,
outbuf=0x7fffa2a9ba00
"c\362pr\017\210\003\375Zn\320\340\256\030ڌ\217\030\335\323\036\300)\261ax;\260\261\344\377uVV;\377\230qA\373)*\v\230\240\203\312,G(\347q\336NJ\255H\004",
outbuf_size=65535, output_bytes=0x7fffa2a9b9fc,
trim_spaces=1, folded=0x0) at util_unfold.c:55
#1 0x00000000004cc16b in extract_http_transfer_encoding (Session=0x12bdac0, hsd=0x331dec0,
p=0x7ff69b0d6bfe <Address 0x7ff69b0d6bfe out of bounds>,
start=0x7ff69b0d66ab <Address 0x7ff69b0d66ab out of bounds>,
end=0x7ff69b0d6c00 <Address 0x7ff69b0d6c00 out of bounds>, header_ptr=0x7fffa2aabb40, iInspectMode=2)
at hi_server.c:570
#2 0x00000000004cc514 in extractHttpRespHeaderFieldValues (ServerConf=0x2003eb0,
p=0x7ff69b0d6bfd <Address 0x7ff69b0d6bfd out of bounds>,
offset=0x7ff69b0d6bec <Address 0x7ff69b0d6bec out of bounds>,
start=0x7ff69b0d66ab <Address 0x7ff69b0d66ab out of bounds>,
end=0x7ff69b0d6c00 <Address 0x7ff69b0d6c00 out of bounds>, header_ptr=0x7fffa2aabb40,
header_field_ptr=0x7fffa2aabac0, parse_cont_encoding=0, hsd=0x331dec0, Session=0x12bdac0) at hi_server.c:656
#3 0x00000000004cc6ce in hi_server_extract_header (Session=0x12bdac0, ServerConf=0x2003eb0,
header_ptr=0x7fffa2aabb40, start=0x7ff69b0d66ab <Address 0x7ff69b0d66ab out of bounds>,
end=0x7ff69b0d6c00 <Address 0x7ff69b0d6c00 out of bounds>, parse_cont_encoding=0, hsd=0x331dec0)
at hi_server.c:720
#4 0x00000000004ce051 in HttpResponseInspection (Session=0x12bdac0, p=0x7fffa2aac050,
data=0x7ff69b0d669c <Address 0x7ff69b0d669c out of bounds>, dsize=1380, sd=0x331dec0) at hi_server.c:1476
#5 0x00000000004ce729 in ServerInspection (Session=0x12bdac0, p=0x7fffa2aac050, hsd=0x331dec0) at hi_server.c:1690
#6 0x00000000004ce79b in hi_server_inspection (S=0x12bdac0, p=0x7fffa2aac050, hsd=0x331dec0) at hi_server.c:1721
#7 0x00000000004c4cf0 in hi_mi_mode_inspection (Session=0x12bdac0, iInspectMode=2, p=0x7fffa2aac050, hsd=0x331dec0)
at hi_mi.c:98
#8 0x00000000004a6898 in SnortHttpInspect (GlobalConf=0x1fe0940, p=0x7fffa2aac050) at snort_httpinspect.c:3507
#9 0x000000000049f05e in HttpInspect (p=0x7fffa2aac050, context=0x0) at spp_httpinspect.c:212
#10 0x0000000000444983 in Preprocess (p=0x7fffa2aac050) at detect.c:172
#11 0x0000000000437066 in ProcessPacket (user=0x0, pkthdr=0x7fffa2aacca0,
pkt=0x7ff69b0d6666 <Address 0x7ff69b0d6666 out of bounds>, ft=0x0) at snort.c:1576
#12 0x0000000000436cc8 in PacketCallback (user=0x0, pkthdr=0x7fffa2aacca0,
pkt=0x7ff69b0d6666 <Address 0x7ff69b0d6666 out of bounds>) at snort.c:1486
#13 0x0000000000513f55 in pcap_process_loop ()
#14 0x00007ff6a045d7d5 in pcap_read_linux_mmap () from /opt/local/lib/libpcap.so.1
#15 0x000000000051417f in pcap_daq_acquire ()
#16 0x000000000045bfac in DAQ_Acquire (max=-1, callback=0x436af3 <PacketCallback>, user=0x0) at sfdaq.c:514
#17 0x000000000043980b in PacketLoop () at snort.c:2899
#18 0x0000000000435d2c in SnortMain (argc=17, argv=0x7fffa2aacf58) at snort.c:764
#19 0x0000000000435c06 in main (argc=17, argv=0x7fffa2aacf58) at snort.c:687
Here's a traceback on the pfring daq:
#0 0x00000000004da6ca in TcpSessionCleanup (lwssn=0x2ae0ab0) at snort_stream5_tcp.c:4644
#1 0x00000000004ec136 in DeleteLWSession (sessionCache=0x16c77f0, ssn=0x2ae0ab0,
delete_reason=0x55b4d2 "memcap/stale") at snort_stream5_session.c:651
#2 0x00000000004ec670 in PruneLWSessionCache (sessionCache=0x16c77f0, thetime=0, save_me=0x0, memCheck=0)
at snort_stream5_session.c:868
#3 0x00000000004ec892 in NewLWSession (sessionCache=0x16c77f0, p=0x7fffffffd400, key=0x7fffffffd290,
policy=0x7ffff2e65010) at snort_stream5_session.c:931
#4 0x00000000004dadc2 in Stream5ProcessTcp (p=0x7fffffffd400, lwssn=0x0, s5TcpPolicy=0x7ffff2e65010,
skey=0x7fffffffd290) at snort_stream5_tcp.c:5070
#5 0x00000000004b4906 in Stream5Process (p=0x7fffffffd400, context=0x0) at spp_stream5.c:1411
#6 0x0000000000444993 in Preprocess (p=0x7fffffffd400) at detect.c:172
#7 0x0000000000437076 in ProcessPacket (user=0x0, pkthdr=0x7fffffffe070, pkt=0x7ffff183675b "", ft=0x0)
at snort.c:1576
#8 0x0000000000436cd8 in PacketCallback (user=0x0, pkthdr=0x7fffffffe070, pkt=0x7ffff183675b "") at snort.c:1486
#9 0x00007ffff211c656 in pfring_daq_acquire (handle=0x286d360, cnt=-1, callback=0x436b03 <PacketCallback>,
user=0x0) at daq_pfring.c:407
#10 0x000000000045bfbc in DAQ_Acquire (max=-1, callback=0x436b03 <PacketCallback>, user=0x0) at sfdaq.c:514
#11 0x000000000043981b in PacketLoop () at snort.c:2899
#12 0x0000000000435d3c in SnortMain (argc=16, argv=0x7fffffffe398) at snort.c:764
#13 0x0000000000435c16 in main (argc=16, argv=0x7fffffffe398) at snort.c:687
Here's a traceback on the pcap (linked against pfring) DAQ:
Core was generated by `/opt/pf/bin/snort -D -i eth5 --daq-dir=/opt/pf/lib/daq --daq pcap --daq-var clu'.
#0 0x00000000004daf3a in TcpSessionCleanup (lwssn=0x341a9f0) at snort_stream5_tcp.c:4644
4644 p.tcph->th_sport, p.tcph->th_dport,
(gdb) where
#0 0x00000000004daf3a in TcpSessionCleanup (lwssn=0x341a9f0) at snort_stream5_tcp.c:4644
#1 0x00000000004ec9a6 in DeleteLWSession (sessionCache=0x200ae80, ssn=0x341a9f0,
delete_reason=0x5763f2 "memcap/stale") at snort_stream5_session.c:651
#2 0x00000000004ecee0 in PruneLWSessionCache (sessionCache=0x200ae80, thetime=0, save_me=0x0, memCheck=0)
at snort_stream5_session.c:868
#3 0x00000000004ed102 in NewLWSession (sessionCache=0x200ae80, p=0x7fffc43cea30, key=0x7fffc43ce8c0,
policy=0x7f14b62b1010) at snort_stream5_session.c:931
#4 0x00000000004db632 in Stream5ProcessTcp (p=0x7fffc43cea30, lwssn=0x0, s5TcpPolicy=0x7f14b62b1010,
skey=0x7fffc43ce8c0) at snort_stream5_tcp.c:5070
#5 0x00000000004b5176 in Stream5Process (p=0x7fffc43cea30, context=0x0) at spp_stream5.c:1411
#6 0x0000000000445203 in Preprocess (p=0x7fffc43cea30) at detect.c:172
#7 0x00000000004378e6 in ProcessPacket (user=0x0, pkthdr=0x7fffc43cf680,
pkt=0x7f14b4aff3b8 <Address 0x7f14b4aff3b8 out of bounds>, ft=0x0) at snort.c:1576
#8 0x0000000000437548 in PacketCallback (user=0x0, pkthdr=0x7fffc43cf680,
pkt=0x7f14b4aff3b8 <Address 0x7f14b4aff3b8 out of bounds>) at snort.c:1486
#9 0x00000000005147b5 in pcap_process_loop (user=<value optimized out>, pkth=<value optimized out>,
data=<value optimized out>) at daq_pcap.c:357
#10 0x00000000005177ba in pcap_read_linux ()
#11 0x00000000005149bd in pcap_daq_acquire (handle=0x2c770b0, cnt=-1, callback=<value optimized out>,
user=<value optimized out>) at daq_pcap.c:375
#12 0x000000000045c82c in DAQ_Acquire (max=-1, callback=0x437373 <PacketCallback>, user=0x0) at sfdaq.c:514
#13 0x000000000043a08b in PacketLoop () at snort.c:2899
#14 0x00000000004365ac in SnortMain (argc=17, argv=0x7fffc43cf9d8) at snort.c:764
#15 0x0000000000436486 in main (argc=17, argv=0x7fffc43cf9d8) at snort.c:687
(gdb) p p.tcph
$1 = (const TCPHdr *) 0x0
I have cores and executables if anyone's interested.
--
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida
