Re: Snort 2.9.7.0 enters into infinity loop getApplicationData

[Hui cao <huica () cisco com>]

Thanks for Jul debugging this issue.

First of all, this issue won't happen on the snort code we released.

It is introduced by customized preprocessors that access application 
data while releasing. I have provided a patch and fixed this issue for 
the user.

Best,
Hui.
On 11/24/2014 09:25 AM, Hui Cao (huica) wrote:
> Hi Jul,
>
> Thanks for reporting this. I will take  a look at this. Can you provide
> the snort configuration you are using?
>
> Best,
> Hui.
>
> On 11/24/14, 5:33 AM, "souber () interia pl" <souber () interia pl> wrote:
>
> > below stack could be helpful
> >
> > (gdb) bt
> > #0  getApplicationData (scbptr=0x7fffc4d81600, protocol=30) at
> > spp_session.c:2741
> > #1  0x00000000004e467d in get_file_session (ssnptr=<optimized out>) at
> > file_service.c:237
> > #2  get_main_file_context (ssnptr=<optimized out>) at file_service.c:253
> > #3  get_file_processed_size (ssnptr=<optimized out>) at file_service.c:868
> > #4  get_file_position (pkt=<optimized out>) at file_service.c:1028
> > #5  get_file_position (pkt=<optimized out>) at file_service.c:1015
> > #6  0x000000000048688e in SnortHttpInspect (GlobalConf=0x16cb410,
> > p=0x196f6d0) at snort_httpinspect.c:4376
> > #7  0x00000000004805c9 in HttpInspect (p=<optimized out>,
> > context=<optimized out>) at spp_httpinspect.c:211
> > #8  0x000000000043d69e in DispatchPreprocessors (policy=<optimized out>,
> > policy_id=<optimized out>, p=0x196f6d0) at detect.c:136
> > #9  Preprocess (p=0x196f6d0) at detect.c:234
> > #10 0x00000000004b344f in _flush_to_seq (st=0x7fffeaf4ab50,
> > bytes=<optimized out>, p=0xe91c60, dir=64, dp=<error reading variable:
> > Unhandled dwarf expression opcode 0xfa>,
> >     sp=<error reading variable: Unhandled dwarf expression opcode 0xfa>,
> > dip=<error reading variable: Unhandled dwarf expression opcode 0xfa>,
> >     sip=<error reading variable: Unhandled dwarf expression opcode 0xfa>,
> > tcpssn=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
> > at snort_stream_tcp.c:4336
> > #11 0x00000000004b9951 in StreamFlushTalker (p=p@entry=0xe91c60,
> > scb=<optimized out>) at snort_stream_tcp.c:4883
> > #12 0x0000000000490838 in StreamResponseFlushStream (p=0xe91c60) at
> > spp_stream6.c:913
> > #13 StreamResponseFlushStream (p=0xe91c60) at spp_stream6.c:906
> > #14 0x0000000000492374 in freeSessionApplicationData
> > (session=0x7fffc4d81600) at spp_session.c:1756
> > #15 0x00000000004be476 in ProcessTcp (scb=scb@entry=0x7fffc4d81600,
> > p=p@entry=0xe91c60, tdb=tdb@entry=0x7fffffffdc80,
> > s5TcpPolicy=s5TcpPolicy@entry=0x7fffe62b7010) at snort_stream_tcp.c:8629
> > #16 0x00000000004c0183 in StreamProcessTcp (p=p@entry=0xe91c60,
> > scb=scb@entry=0x7fffc4d81600, s5TcpPolicy=0x7fffe62b7010,
> > skey=skey@entry=0x7fffffffdd10) at snort_stream_tcp.c:5639
> > #17 0x000000000049016a in StreamProcess (p=0xe91c60, context=<optimized
> > out>) at spp_stream6.c:751
> > #18 0x000000000043d69e in DispatchPreprocessors (policy=<optimized out>,
> > policy_id=<optimized out>, p=0xe91c60) at detect.c:136
> > #19 Preprocess (p=p@entry=0xe91c60) at detect.c:234
> > #20 0x00000000004317f8 in ProcessPacket (p=p@entry=0xe91c60,
> > pkthdr=pkthdr@entry=0x7fffffffde20, pkt=pkt@entry=0x7fffd0695676 "\252",
> > ft=ft@entry=0x0) at snort.c:1873
> > #21 0x0000000000433c20 in PacketCallback (user=<optimized out>,
> > pkthdr=0x7fffffffde20, pkt=0x7fffd0695676 "\252") at snort.c:1717
> > #22 0x00000000004efef5 in pcap_process_loop ()
> > #23 0x00007ffff7fbdfbe in ?? () from
> > /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
> > #24 0x00000000004f038d in pcap_daq_acquire ()
> > #25 0x000000000045261c in DAQ_Acquire (max=max@entry=0,
> > callback=callback@entry=0x433a80 <PacketCallback>, user=user@entry=0x0)
> > at sfdaq.c:543
> > #26 0x0000000000434d04 in PacketLoop () at snort.c:3268
> > #27 SnortMain (argc=11, argv=<optimized out>) at snort.c:920
> > #28 0x00007ffff6709ead in __libc_start_main () from
> > /lib/x86_64-linux-gnu/libc.so.6
> > #29 0x0000000000405aad in _start ()
> >
> >
> > > Hello,
> > > I have a problem with newest version of snort :( For some reason main
> > > process enters into infinity loop in getApplicationData (spp_session.c).
> > > I cannot determine how it's possible :(
> > >
> > > Facts:
> > > 1. appData is the same with appData->next
> > > 2. appData->protocol is 5 (PP_HTTINSPECT)
> > > 3. protocol variable in getApplicaionData is 30 (PP_FILE)
> > > 4. it's not only one loop, after set NULL in next snort stack in
> > > another endless loop
> > >
> > > Any help? Any idea?
> > > Cheers,
> > > Jul.
> > >
> > >
> > > -------------------------------------------------------------------------
> > > -----
> > > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> > > from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> > > with Interactivity, Sharing, Native Excel Exports, App Integration &
> > > more
> > > Get technology previously reserved for billion-dollar corporations, FREE
> > >
> > > http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clk
> > > trk
> > > _______________________________________________
> > > Snort-devel mailing list
> > > Snort-devel () lists sourceforge net
> > > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > > Archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> > >
> > > Please visit http://blog.snort.org for the latest news about Snort!
> >
> >
> > --------------------------------------------------------------------------
> > ----
> > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> > from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> > with Interactivity, Sharing, Native Excel Exports, App Integration & more
> > Get technology previously reserved for billion-dollar corporations, FREE
> > http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clkt
> > rk
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > Archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
> http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!


------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!