Snort mailing list archives

Re: snort 1.8.4b1 dumping core


From: Fyodor <fygrave () tigerteam net>
Date: Mon, 4 Feb 2002 23:06:28 +0700

(gdb) bt
#0  pcap_read (p=0x0, cnt=134884155, callback=0x875bac0, user=0xc <Address 0xc out of bounds>)
    at /usr/src/lib/libpcap/../../contrib/libpcap/pcap-bpf.c:121
#1  0x807f430 in pcap_loop (p=0x8130000, cnt=-1, callback=0x875bac0, user=0x0)
    at /usr/src/lib/libpcap/../../contrib/libpcap/pcap.c:79

That's very interesting. The pcap_t struct ptr which we pass to pcap_loop is
a meaningful pointer, but pcap_read already has it set to NULL. Very
likely something messy has happened. (Also the user ptr got overwritten,
which normally shouldn't happen.)
Strange that it didn't coredump somewhere at the beginning of
pcap_read():

pcap_read(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
{
    int cc;
    int n = 0;
    register u_char *bp, *ep;

 again:
    cc = p->cc;
    if (p->cc == 0) {
        cc = read(p->fd, (char *)p->buffer, p->bufsize);
        if (cc < 0) {
            ...

i.e. it assumes p to be a valid ptr.

121                     caplen = bhp->bh_caplen;

probably fails here:
....
        bp = p->buffer;
    } else
        bp = p->bp;
    ....
#define bhp ((struct bpf_hdr *)bp)
        ...
        caplen = bhp->bh_caplen;

either p->buffer or p->bp is not a valid ptr here.

(gdb) print bp
$1 = (u_char *) 0x169c084 <Address 0x169c084 out of bounds>



...
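The crash above comes from a corrupted pcap_t (bp itself points outside the buffer), which no header check inside pcap_read can catch. The read at line 121 does, however, also trust that each record's bh_hdrlen and bh_caplen keep the walk inside p->buffer..p->buffer+cc, and that is a check a reader of this trace will want to see. The following is an added example, not code from this post, from Snort or from libpcap: rec_hdr is a constructed, simplified stand-in for struct bpf_hdr (timestamp omitted), and walk_records, put_record and demo are names made up for the illustration.

```c
/* Added example, not code from the post, Snort or libpcap: bounds-checked walk
 * over a BPF-style capture buffer; rec_hdr stands in for struct bpf_hdr. */
#include <stdint.h>
#include <string.h>
struct rec_hdr {               /* constructed stand-in, timestamp omitted */
    uint32_t caplen, datalen;  /* bh_caplen (bytes in buffer), bh_datalen */
    uint16_t hdrlen;           /* bh_hdrlen: header start to packet data */
};
#define WORDALIGN(x) (((x) + (sizeof(long) - 1)) & ~(sizeof(long) - 1))
typedef void (*rec_handler)(const uint8_t *pkt, uint32_t caplen, void *user);

/* Deliver each record to cb, as pcap_read() does for p->buffer..buffer+cc, but
 * reject any record whose header or payload is not entirely inside the buffer.
 * Returns the number of records delivered, or -1 at the first bad record. */
int walk_records(const uint8_t *buf, size_t cc, rec_handler cb, void *user)
{
    const uint8_t *bp = buf, *ep = buf + cc;
    int n = 0;
    while (bp < ep) {
        struct rec_hdr h;
        size_t left = (size_t)(ep - bp);
        if (left < sizeof h) return -1;                 /* truncated header */
        memcpy(&h, bp, sizeof h);                       /* no unaligned deref */
        if (h.hdrlen < sizeof h || h.hdrlen > left) return -1;
        if (h.caplen > left - h.hdrlen) return -1;      /* payload past end */
        cb(bp + h.hdrlen, h.caplen, user); n++;
        bp += WORDALIGN((size_t)h.hdrlen + h.caplen);
    }
    return n;
}

/* Append one record at out[off]; returns the next word-aligned offset. */
size_t put_record(uint8_t *out, size_t off, const uint8_t *pkt, uint32_t caplen)
{
    struct rec_hdr h = { caplen, caplen, (uint16_t)WORDALIGN(sizeof h) };
    memcpy(out + off, &h, sizeof h);
    memcpy(out + off + h.hdrlen, pkt, caplen);
    return off + WORDALIGN((size_t)h.hdrlen + caplen);
}
static void noop_cb(const uint8_t *p, uint32_t c, void *u) { (void)p; (void)c; (void)u; }

/* Constructed buffer of two records. With corrupt != 0 the first record's
 * caplen is inflated to 4096, so its payload claims to run past the buffer. */
int demo(int corrupt)
{
    uint8_t buf[128] = {0}, pkt[] = {0xde, 0xad, 0xbe, 0xef, 0x01};
    size_t cc = put_record(buf, 0, pkt, sizeof pkt);
    cc = put_record(buf, cc, pkt, 3);
    if (corrupt) { uint32_t big = 4096; memcpy(buf, &big, sizeof big); }
    return walk_records(buf, cc, noop_cb, 0);   /* 2 when intact, -1 if corrupt */
}
```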
