Snort mailing list archives
Re: Version 1.8-beta8 (Build 33)
From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 03 Jul 2001 19:01:56 -0400
Good question. I reimplemented the storage data structures and algorithms to
use the new ubi_SplayTree code over the weekend, so please try out build 37
and see if that works any better. :)

     -Marty

Phil Wood wrote:
> Folks,
>
> Have you that stand on the edge, seen a case where snort will segmentation
> fault upon receipt of a SIGTERM? In particular gdb shows:
>
> #0  0x8079683 in BuildPacket (s=0x8580c74, stream_size=4344, p=0xbfffef88) at spp_stream4.c:1998
> #1  0x8079451 in FlushStream (s=0x8580c74, p=0xbfffef88) at spp_stream4.c:1924
> #2  0x807815a in ReassembleStream4 (p=0xbfffef88) at spp_stream4.c:840
> #3  0x805719a in Preprocess (p=0xbfffef88) at rules.c:3423
> #4  0x804b9c3 in ProcessPacket (user=0x0, pkthdr=0xbffff458, pkt=0x403a9672 "") at snort.c:512
> #5  0x8079f6f in packet_ring_recv ()
> #6  0x807a2ae in pcap_read ()
> #7  0x807af3b in pcap_loop ()
> #8  0x804e9f8 in InterfaceThread (arg=0x0) at snort.c:1441
> #9  0x804b88f in main (argc=17, argv=0xbffff69c) at snort.c:445
> #10 0x401e5b65 in __libc_start_main (main=0x804b238 <main>, argc=17, ubp_av=0xbffff69c, init=0x804a2d0 <_init>, fini=0x8085c3c <_fini>, rtld_fini=0x4000df24 <_dl_fini>, stack_end=0xbffff694) at ../sysdeps/generic/libc-start.c:111
>
> Here is where we are:
>
> 1993          return;
> 1994      }
> 1995
> 1996      while(idx != NULL)
> 1997      {
> 1998*         stream_offset = idx->seq_num - s->base_seq;
> 1999
> 2000          if(stream_offset + idx->payload_size <= stream_size)
> 2001          {
> 2002              memcpy(stream_pkt->data+stream_offset, idx->payload,
>
> And, the value of idx is 0x01.
>
> (gdb) print idx
> $1 = (StreamPacketData *) 0x1
>
> BuildPacket sets idx to s->data, which is:
>
> (gdb) print s->data
> $1 = (StreamPacketData *) 0x8580cb0
>
> I didn't see any statement from the beginning to line 1998 that would have
> reset idx. However, the code iterates through a linked list by setting idx
> to idx->next. So, maybe idx->next got clobbered. According to the code, all
> idx structures are allocated with SaveAlloc which uses calloc.
>
> I wonder if it is safe to call cleanup code in stream4, especially if the
> SIGTERM yanked the program out of some linked list manipulation in stream4
> itself?
>
> Any ideas?
>
> Thanks,
> Phil
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
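
The question in the quoted message, whether cleanup is safe when SIGTERM interrupts a linked-list update, is commonly sidestepped by having the handler only set a flag and running cleanup from the main loop. The following is an added example, not code from this thread or from Snort; node_t, list_insert, run_capture_loop and the sequence numbers are hypothetical and constructed for illustration.

```c
#include <signal.h>
#include <stdlib.h>

/* Hypothetical stand-in for a reassembly queue node (not Snort's StreamPacketData). */
typedef struct node { unsigned seq; struct node *next; } node_t;

static node_t *head = NULL;
static volatile sig_atomic_t stop_requested = 0;

/* The handler only records the request; it never touches the list. */
static void on_sigterm(int sig) { (void)sig; stop_requested = 1; }

/* Sorted insert. If signal_midway is set, SIGTERM is raised between the two
 * pointer writes, the window in which cleanup run from a handler would see
 * a half-linked list. */
static int list_insert(unsigned seq, int signal_midway) {
    node_t *n = calloc(1, sizeof *n);
    if (n == NULL) return -1;
    n->seq = seq;
    node_t **pp = &head;
    while (*pp != NULL && (*pp)->seq < seq) pp = &(*pp)->next;
    n->next = *pp;
    if (signal_midway) raise(SIGTERM);   /* constructed worst-case timing */
    *pp = n;
    return 0;
}

/* Cleanup runs only from the main loop, so every node is fully linked. */
static int list_free_all(void) {
    int freed = 0;
    while (head != NULL) { node_t *next = head->next; free(head); head = next; freed++; }
    return freed;
}

/* Feeds constructed out-of-order sequence numbers; term_at < 0 means no signal.
 * Returns the number of nodes freed at shutdown. */
int run_capture_loop(int max_packets, int term_at) {
    stop_requested = 0;
    signal(SIGTERM, on_sigterm);
    for (int i = 0; i < max_packets && !stop_requested; i++)
        if (list_insert((unsigned)((i * 7) % 10) * 100u, i == term_at) != 0) break;
    signal(SIGTERM, SIG_DFL);
    return list_free_all();
}

int main(void) { return run_capture_loop(10, 3) == 4 ? 0 : 1; }
```

The insert that was interrupted still completes before the loop notices the flag, so the node count at shutdown matches the number of inserts started.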
Current thread:
- Version 1.8-beta8 (Build 33) Phil Wood (Jul 03)
- Re: Version 1.8-beta8 (Build 33) Martin Roesch (Jul 03)