Snort mailing list archives

Re: Snort 2.9.7.5 bug in Unix Socket plugin on x64 platform


From: Hui cao <huica () cisco com>
Date: Mon, 10 Aug 2015 15:14:10 -0400

Hi Kiryukhin,

Thanks for reporting this issue. We will fix this in the future release.

Best,
Hui.

On 08/06/2015 08:58 AM, Kiryukhin Andrey wrote:
Hello.
There seems to be a bug in the Snort unix socket plugin on the x64 platform.

I have Snort 2.9.7.5 and daq-2.0.6 on Xubuntu 14.04 x64.

In the file "spo_alert_unixsock.c" there is a function AlertUnixSock(Packet *p, const char *msg, void *arg, Event *event) in which:

    static Alertpkt alertpkt;
    .............
    memmove( (void *)&alertpkt.pkth, (const void *)p->pkth,
             sizeof(alertpkt.pkth));
    .............


where

    sizeof(alertpkt.pkth) = 16 bytes


if we look at p->pkth:

    typedef struct _daq_pkthdr
    {
        struct timeval ts;      /* Timestamp */    /* on x64 platform: 16 bytes */
        .......


if we look at alertpkt.pkth:

    typedef struct _Alertpkt
    {
        ..........
        struct pcap_pkthdr32 pkth;     /* whole structure 16 bytes!! */
        ........


where

    struct pcap_pkthdr32
    {
        struct sf_timeval32 ts;   /* packet timestamp */    /* 8 bytes!!!! */
        uint32_t caplen;          /* packet capture length */
        uint32_t len;             /* packet "real" length */
    };



And so, we try to copy 16 bytes from p->pkth to alertpkt.pkth, but the first 16 bytes of p->pkth are the timeval, so all fields in
alertpkt.pkth are filled with the single timeval field from p->pkth.

In other words, the size of timeval in p->pkth != the size of sf_timeval32 in alertpkt.pkth.

A fix for this bug:

    /* instead of

        memmove( (void *)&alertpkt.pkth, (const void *)p->pkth, sizeof(alertpkt.pkth));

       do: */

    /* copy each field explicitly; the 64-bit timeval fields are truncated to the 32-bit fields */
    alertpkt.pkth.ts.tv_sec = (uint32_t)p->pkth->ts.tv_sec;
    alertpkt.pkth.ts.tv_usec = (uint32_t)p->pkth->ts.tv_usec;
    alertpkt.pkth.caplen = p->pkth->caplen;
    alertpkt.pkth.len = p->pkth->pktlen;

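The layout mismatch described in the report, reproduced as an added example (not Snort's or DAQ's own code): the struct definitions below are constructed mirrors of the ones quoted above, `copy_hdr_memmove` does what the original `memmove` does, `copy_hdr_fieldwise` is the proposed field-wise fix, and `header_matches` checks whether the alert header still agrees with the source header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

/* Constructed mirrors of the structs quoted in the report (not the real headers). */
struct sf_timeval32 { uint32_t tv_sec; uint32_t tv_usec; };
struct pcap_pkthdr32 { struct sf_timeval32 ts; uint32_t caplen; uint32_t len; };
typedef struct _daq_pkthdr {
    struct timeval ts;   /* 16 bytes on LP64 x64, 8 bytes on 32-bit platforms */
    uint32_t caplen;
    uint32_t pktlen;
} DAQ_PktHdr_t;

/* The original copy: sizeof(dst) bytes taken from the start of src. On x64 those
 * 16 bytes are only the timeval, so caplen/len receive timeval bytes instead. */
static void copy_hdr_memmove(struct pcap_pkthdr32 *dst, const DAQ_PktHdr_t *src) {
    memmove((void *)dst, (const void *)src, sizeof(*dst));
}

/* The field-wise fix from the report: every field is converted explicitly. */
static void copy_hdr_fieldwise(struct pcap_pkthdr32 *dst, const DAQ_PktHdr_t *src) {
    dst->ts.tv_sec  = (uint32_t)src->ts.tv_sec;
    dst->ts.tv_usec = (uint32_t)src->ts.tv_usec;
    dst->caplen     = src->caplen;
    dst->len        = src->pktlen;
}

/* Constructed sample header: a 60-byte packet with a fixed, made-up timestamp. */
static DAQ_PktHdr_t sample_hdr(void) {
    DAQ_PktHdr_t h;
    memset(&h, 0, sizeof h);
    h.ts.tv_sec = 1438865880; h.ts.tv_usec = 123456;
    h.caplen = 60; h.pktlen = 60;
    return h;
}

/* Returns 1 if the alert header produced by `copy` matches the source header field by field. */
static int header_matches(void (*copy)(struct pcap_pkthdr32 *, const DAQ_PktHdr_t *)) {
    DAQ_PktHdr_t src = sample_hdr();
    struct pcap_pkthdr32 dst;
    memset(&dst, 0, sizeof dst);
    copy(&dst, &src);
    return dst.ts.tv_sec == (uint32_t)src.ts.tv_sec && dst.ts.tv_usec == (uint32_t)src.ts.tv_usec
        && dst.caplen == src.caplen && dst.len == src.pktlen;
}

int memmove_copy_is_correct(void)   { return header_matches(copy_hdr_memmove); }
int fieldwise_copy_is_correct(void) { return header_matches(copy_hdr_fieldwise); }

int main(void) {
    printf("sizeof(struct timeval)=%zu, memmove copy ok=%d, field-wise copy ok=%d\n",
           sizeof(struct timeval), memmove_copy_is_correct(), fieldwise_copy_is_correct());
    return 0;
}
```

On an x64 build the memmove copy reports 0 (caplen and len end up holding timeval bytes) while the field-wise copy reports 1; on a platform where `struct timeval` is 8 bytes both copies agree.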
------------------------------------------------------------------------------


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
