Snort mailing list archives
More spp_arpspoof crashing on solaris 2.6
From: "Bill Marquette" <wlmarque () hewitt com>
Date: Tue, 10 Jul 2001 12:45:21 -0500
I've seen this before on Solaris...mac addresses don't seem to be byte aligned properly. Attached is a diff that appears to fix the core I had (it's been running for over 2 minutes now where it died in under 5 seconds previously). --Bill *** spp_arpspoof.c Tue Jul 10 12:54:51 2001 --- spp_arpspoof.c.orig Tue Jul 10 12:54:02 2001 *************** *** 195,201 **** Event event; char logMessage[180]; IPMacEntry *ipme; ! u_int8_t addr[6]; if(p && (p->eh != NULL && p->ah != NULL)) { --- 195,201 ---- Event event; char logMessage[180]; IPMacEntry *ipme; ! u_int32_t *addr; if(p && (p->eh != NULL && p->ah != NULL)) { *************** *** 249,255 **** break; } /* LookupIPMacEntryByIP() is too slow, will be fixed later */ ! bcopy((void *)&p->ah->arp_spa, (void *)addr, sizeof(u_int8_t) * 6); if ((ipme = LookupIPMacEntryByIP(ipmel, *addr)) == NULL) {((ipme #ifdef DEBUG --- 249,255 ---- break; } /* LookupIPMacEntryByIP() is too slow, will be fixed later */ ! addr = (u_int32_t *)&p->ah->arp_spa; if ((ipme = LookupIPMacEntryByIP(ipmel, *addr)) == NULL) {((ipme #ifdef DEBUG ------------------------ Core was generated by `/apps/snort/current/bin/snort -o -c /apps/snort/current/etc/snort.conf -i le0'. Program terminated with signal 10, Bus Error. Reading symbols from /usr/lib/libm.so.1...done. Reading symbols from /usr/lib/libsocket.so.1...done. Reading symbols from /usr/lib/libnsl.so.1...done. Reading symbols from /usr/lib/libc.so.1...done. Reading symbols from /usr/lib/libdl.so.1...done. Reading symbols from /usr/lib/libmp.so.2...done. Reading symbols from /usr/lib/nss_files.so.1...done. 
#0 0x526e8 in ARPspoofPreprocFunction (p=0xeffff3c8) at spp_arpspoof.c:253
253 if ((ipme = LookupIPMacEntryByIP(ipmel, *addr)) == NULL)
(gdb) bt
#0 0x526e8 in ARPspoofPreprocFunction (p=0xeffff3c8) at spp_arpspoof.c:253
#1 0x2be18 in Preprocess (p=0xeffff3c8) at rules.c:3427
#2 0x1fee8 in ProcessPacket (user=0x0, pkthdr=0xbc800, pkt=0xc379e "ÿÿÿÿÿÿ") at snort.c:512
#3 0x52ba8 in pcap_read ()
#4 0x537a8 in pcap_loop ()
#5 0x214f4 in InterfaceThread (arg=0xbc838) at snort.c:1441
#6 0x1fd84 in main (argc=772152, argv=0xeffffac4) at snort.c:445
(gdb) p ipme
$1 = (IPMacEntry *) 0x82c00
(gdb) p ipmel
$2 = (IPMacEntryList *) 0xf2540
(gdb) p p
$3 = (Packet *) 0xeffff3c8
(gdb) p *p
$4 = {pkth = 0xeffff8b8, pkt = 0xc379e "ÿÿÿÿÿÿ", fddihdr = 0x0, fddisaps = 0x0, fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0, trh = 0x0, trhllc = 0x0, trhmr = 0x0, sllh = 0x0, eh = 0xc379e, vh = 0x0, ehllc = 0x0, ehllcother = 0x0, ah = 0xc37ac, iph = 0x0, orig_iph = 0x0, ip_options_len = 0, ip_options_data = 0x0, tcph = 0x0, orig_tcph = 0x0, tcp_options_len = 0, tcp_options_data = 0x0, udph = 0x0, orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0, data = 0x0, dsize = 0, frag_flag = 0 '\000', frag_offset = 0, mf = 0 '\000', df = 0 '\000', rf = 0 '\000', sp = 0, dp = 0, orig_sp = 0, orig_dp = 0, caplen = 0, URI = {uri = 0x0, length = 0}, ssnptr = 0x0, ip_options = {{ code = 0 '\000', len = 0, data = 0x0} <repeats 40 times>}, ip_option_count = 0, ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0 '\000', len = 0, data = 0x0} <repeats 40 times>}, tcp_option_count = 0, tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000', packet_flags = 0, wire_packet = 0 '\000'}
(gdb) p *p->ah
$5 = {ea_hdr = {ar_hrd = 1, ar_pro = 2048, ar_hln = 6 '\006', ar_pln = 4 '\004', ar_op = 1}, arp_sha = "\000\000¢Ë)Ù", arp_spa = "\n\024\017þ", arp_tha = "ÿÿÿÿÿÿ", arp_tpa = "\n\024\013O"}
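Review bot: The diff direction is reversed, which shows in the first hunk (lines 195-201): in a context diff the `***` side is the old file, but here it is spp_arpspoof.c (the newer timestamp, with `u_int8_t addr[6];`) and the `---` side is spp_arpspoof.c.orig (with `u_int32_t *addr;`). Applied as posted, the patch turns the copying version back into the pointer-cast version that the backtrace shows faulting at line 253. Regenerate it with the .orig file as the first argument to diff, or note that it needs `patch -R`. The declaration is also sized like a MAC address, although it holds arp_spa, which the dump shows as a 4-byte protocol address (ar_pln = 4).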
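Review bot: In the second hunk (lines 249-255), on the spp_arpspoof.c side, the unchanged call `LookupIPMacEntryByIP(ipmel, *addr)` now dereferences a `u_int8_t` array, so it passes only the first octet of the sender IP where the .orig side passed a full 32-bit value. The bus error goes away, but the lookup key is no longer the address. The bcopy also copies `sizeof(u_int8_t) * 6` bytes out of arp_spa, which is 4 bytes long (ar_pln = 4 in the dump), so the last two bytes come from arp_tha. Suggest declaring `u_int32_t addr;`, copying with `bcopy((void *)&p->ah->arp_spa, (void *)&addr, sizeof(addr));` and passing `addr` to the lookup.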
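The unaligned load behind the Bus Error above, as an added example that is not part of the original post or of Snort's source: the frame is constructed from the addresses in the gdb dump and placed 2 bytes past a 4-byte boundary, as pkt = 0xc379e was, which leaves arp_spa off a 4-byte boundary. The names arp_sender_ip, misaligned_capture and sample_frame are hypothetical, and the Ethernet source MAC is assumed to equal arp_sha.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN 14        /* dst MAC, src MAC, ethertype */
#define ARP_LEN     28        /* Ethernet/IPv4 ARP: 8 fixed + 6 + 4 + 6 + 4 */
#define ARP_SPA_OFF (8 + 6)   /* sender IP follows fixed header and sender MAC */

/* Constructed ARP request using the addresses in the gdb dump; the
 * Ethernet source MAC is an assumption (set equal to arp_sha). */
static const uint8_t sample_frame[ETH_HDR_LEN + ARP_LEN] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x00,0xa2,0xcb,0x29,0xd9, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 6, 4, 0x00,0x01,        /* hrd, pro, hln, pln, op */
    0x00,0x00,0xa2,0xcb,0x29,0xd9, 10,20,15,254,  /* arp_sha, arp_spa */
    0xff,0xff,0xff,0xff,0xff,0xff, 10,20,11,79,   /* arp_tha, arp_tpa */
};

/* Hypothetical helper: copy the sender IP (network byte order) into *spa.
 * Returns 0 on success, -1 for a short or non-Ethernet/IPv4 ARP frame. */
int arp_sender_ip(const uint8_t *frame, size_t len, uint32_t *spa)
{
    if (len < ETH_HDR_LEN + ARP_LEN)
        return -1;
    const uint8_t *arp = frame + ETH_HDR_LEN;
    if (arp[4] != 6 || arp[5] != 4)               /* ar_hln, ar_pln */
        return -1;
    /* memcpy works at any address; *(uint32_t *)(arp + ARP_SPA_OFF) is the
     * kind of load that faults on SPARC when the address is not 4-aligned. */
    memcpy(spa, arp + ARP_SPA_OFF, sizeof *spa);
    return 0;
}

/* Lay the frame out 2 bytes past a 4-byte boundary, like pkt = 0xc379e. */
const uint8_t *misaligned_capture(void)
{
    static uint32_t backing[16];                  /* 4-byte aligned storage */
    uint8_t *pkt = (uint8_t *)backing + 2;
    memcpy(pkt, sample_frame, sizeof sample_frame);
    return pkt;
}

int main(void)
{
    uint32_t spa;
    uint8_t b[4];
    if (arp_sender_ip(misaligned_capture(), sizeof sample_frame, &spa) != 0)
        return 1;
    memcpy(b, &spa, sizeof b);
    printf("sender %d.%d.%d.%d\n", b[0], b[1], b[2], b[3]);
    return 0;
}
```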
Current thread:
- More spp_arpspoof crashing on solaris 2.6 Bill Marquette (Jul 10)
- Re: More spp_arpspoof crashing on solaris 2.6 Fyodor (Jul 10)