Snort mailing list archives

Re: possible segfault on snort-2.9.x.x


From: "Nilesh K. Patel via Snort-devel" <snort-devel () lists snort org>
Date: Thu, 6 Sep 2018 11:49:00 +0000

Hi Sunirmal,

I don’t have a backtrace right now, but I can explain the scenario.
Consider that Snort has a timed-out TCP session of HTTP. Now, if Snort gets a non-HTTP session, it will reach up to the StatelessSessionInspection function, and as it is not an HTTP session, InitServerConf doesn’t set server_conf or client_conf but returns success. So the session pointer has server_conf and client_conf values of NULL.

Now, in “checkCacheFlowTimeout”, if we get an older timed-out HTTP session, Snort tries to flush queued packets, but at this time the session contains null values in server_conf and client_conf (remember, the session pointer points to a static variable).

You need to fix the InitServerConf function's return value also. Hope this helps.

Regards,
Nilesh

From: Sunirmal Mukherjee (sunimukh) [mailto:sunimukh () cisco com]
Sent: Wednesday, September 5, 2018 12:44 PM
To: Nilesh K. Patel <Nilesh.k.Patel () Sophos com>
Cc: snort_india_dev(mailer list) <snort_india_dev () cisco com>; snort-devel mailinglist <snort-devel () lists snort org>
Subject: Re: possible segfault on snort-2.9.x.x

Hi Nilesh,

Can you be more specific on the flow from “checkCacheFlowTimeout” on how exactly server_conf could be NULL?

Thanks & Regards,
Sunirmal


From: Lokesh Bevinamarad (lbevinam)
Sent: Thursday, August 16, 2018 7:53 PM
To: Nilesh K. Patel <Nilesh.k.Patel () Sophos com>
Cc: snort_india_dev(mailer list) <snort_india_dev () cisco com>; snort-devel mailinglist <snort-devel () lists snort org>
Subject: RE: possible segfault on snort-2.9.x.x

Thanks, Nilesh, for pointing this out. We will take a look.

Thanks
-Lokesh

From: Snort-devel <snort-devel-bounces () lists snort org> On Behalf Of Nilesh K. Patel via Snort-devel
Sent: Thursday, August 16, 2018 7:00 PM
To: snort-devel () lists snort org
Subject: [SUSPECTED SPAM] [Snort-devel] possible segfault on snort-2.9.x.x

Discovered a possible segfault in the HTTP pre-processor. Please consider the patch below to resolve it.

--- a/src/preprocessors/HttpInspect/include/hi_eo_log.h
+++ b/src/preprocessors/HttpInspect/include/hi_eo_log.h
@@ -30,7 +30,7 @@
static inline int hi_eo_generate_event(HI_SESSION *Session, int iAlert)
{
     if(iAlert && !(Session->norm_flags & HI_BODY) &&
-       !Session->server_conf->no_alerts)
+       Session->server_conf && !Session->server_conf->no_alerts)
     {
         return HI_BOOL_TRUE;
     }
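
Review bot: With the added Session->server_conf check in the if condition, a NULL server_conf makes the whole condition false, so an alert raised on a session in that state is skipped with no trace that the configuration was missing. Consider counting or logging that case here, since it signals a session that was never fully initialised. The guard also covers only this one dereference in hi_eo_generate_event; other readers of Session->server_conf, and any of Session->client_conf, would need the same check unless the pointers are guaranteed non-NULL where the session is set up.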



In the flow from the “checkCacheFlowTimeout” function, there is a chance that server_conf is null, as the Session pointer is pointing to a static variable and the currently processed packet is non-HTTP.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
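
The failure mode discussed in this thread, as an added C model that is not part of any message and is not Snort code: a static session whose init reports success without attaching a configuration, the NULL guard from the patch, and the return-value fix suggested in the reply. All types, function names and field layouts below are simplified assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for the types named in the thread; the layouts and
   every name below are assumptions, not Snort's definitions. */
typedef struct { int no_alerts; } conf_t;
typedef struct { conf_t *server_conf, *client_conf; int norm_flags; } session_t;
#define BODY_FLAG 0x1

static session_t g_session;            /* one static session, reused per packet */
static conf_t    g_http_conf = { 0 };  /* constructed sample configuration */

/* Behaviour described in the thread: for non-HTTP traffic the conf pointers
   stay NULL, yet the function still reports success (0). */
int init_conf_as_described(session_t *s, int is_http)
{
    memset(s, 0, sizeof *s);
    if (is_http) s->server_conf = s->client_conf = &g_http_conf;
    return 0;
}

/* Return-value fix suggested in the thread: fail when nothing was attached,
   so the caller can stop before any consumer touches the session. */
int init_conf_checked(session_t *s, int is_http)
{
    init_conf_as_described(s, is_http);
    return (s->server_conf && s->client_conf) ? 0 : -1;
}

/* Event check with the NULL guard from the patch. */
int generate_event_guarded(const session_t *s, int alert)
{
    return alert && !(s->norm_flags & BODY_FLAG) &&
           s->server_conf && !s->server_conf->no_alerts;
}

/* A non-HTTP packet arrives, then a timed-out flow is flushed through the same
   static session. Returns 1 when the flush would see a NULL server_conf. */
int flush_sees_null_conf(int use_checked_init)
{
    int rc = use_checked_init ? init_conf_checked(&g_session, 0)
                              : init_conf_as_described(&g_session, 0);
    if (rc != 0)
        return 0;                      /* assumed: caller bails out on failure */
    return g_session.server_conf == NULL;
}

int main(void) { return flush_sees_null_conf(1); }
```

The guard keeps the event check from dereferencing NULL, while the checked init stops the stale session from reaching any consumer in the first place.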
