Snort mailing list archives

Bus error on Solaris/Sparc with spo_database.c


From: Paul van Empelen <snort-users () kipzak net>
Date: Wed, 24 Dec 2003 18:21:02 +0100



Hiya,

I am trying to run Snort (with the Spade preprocessor) on a Solaris machine.
However, it crashes with a bus error after some types of alarms.  The easiest
way to reproduce it is an nmap of the box, and the error that shows up comes from
the Spade preprocessor.

The bus error is in this part:

        snprintf(query->val, MAX_QUERY_LENGTH,
                "INSERT INTO "
                "tcphdr (sid, cid, tcp_sport, tcp_dport, "
                "        tcp_seq, tcp_ack, tcp_off, tcp_res, "
                "        tcp_flags, tcp_win, tcp_csum, tcp_urp) "
                "VALUES ('%u','%u','%u','%u','%lu','%lu','%u','%u','%u','%u','%u','%u')",
                data->shared->sid,
                data->shared->cid,
                ntohs(p->tcph->th_sport),
                ntohs(p->tcph->th_dport),
                (u_long)ntohl(p->tcph->th_seq),
                (u_long)ntohl(p->tcph->th_ack),
                TCP_OFFSET(p->tcph),
                TCP_X2(p->tcph),
                p->tcph->th_flags,
                ntohs(p->tcph->th_win),
                ntohs(p->tcph->th_sum),
                ntohs(p->tcph->th_urp));


To be more precise, it's the (u_long)ntohl(p->tcph->th_seq) and
(u_long)ntohl(p->tcph->th_ack) that cause the bus error.  If I hard-code a '0'
in the program, the bus error is gone (although some weird database errors show up :-))

I am not a programmer, and right now I am pretty much stuck here.  Dunno how to fix
it.  It looks like some kind of alignment error on an unsigned long int.

decode.h says: 
    u_int32_t th_seq;       /* sequence number */
    u_int32_t th_ack;       /* acknowledgement number */
This looks like a u_long to me, but I am not too sure.  Any ideas?




uname -a
SunOS trillian 5.9 Generic_112233-02 sun4u sparc SUNW,UltraSPARC-IIi-Engine

./snort -V

-*> Snort! <*-
Version 2.0.6 (Build 100)
By Martin Roesch (roesch () sourcefire com, www.snort.org)


1398                        snprintf(query->val, MAX_QUERY_LENGTH, 
(gdb) bt
#0  0x46d68 in Database (p=0x4d57b0, msg=0xffbff238 "Spade: Closed dest port used: local dest, syn: 1.0000", 
arg=0x26a2e0, event=0xffbff210) at spo_database.c:1398
#1  0x36bfc in SPAlloc (size=2530584, spmc=0xffbff238) at util.c:1248
#2  0x620f4 in event_recorder_recover (self=0xffbff238, ref=0xc7c00) at spp_spade.c:6881
#3  0x65188 in HttpDecodeInit (args=0x4d6118 "") at spp_http_decode.c:178
#4  0x665c4 in ExpireConnections (scanList=0x29e4e8, watchPeriod=Cannot access memory at address 0x4000) at 
spp_portscan.c:518
#5  0x64648 in Frag2Defrag (p=0x26ad88) at spp_frag2.c:812
#6  0x61edc in new_dll_double (val=0.77218389511151264) at spp_spade.c:6672
#7  0x3684c in CleanupProtoNames () at util.c:1057
#8  0x30c3c in SnortMain (argc=627712, argv=0xffbff650) at snort.c:265
#9  0x74ff8 in pcap_read_dlpi ()
#10 0x76374 in pcap_loop ()
#11 0x322e0 in ParseCmdLine (argc=1703936, argv=0x1b0000) at snort.c:1286
#12 0x30b30 in hex2s (val=5) at plugbase.c:1760
(gdb) p/x p->tcph->th_seq
$1 = 0x8d2bd557
(gdb) p/x p->tcph->th_ack
$2 = 0x8a15b285


1398                        snprintf(query->val, MAX_QUERY_LENGTH, 
(gdb) bt
#0  0x46d68 in Database (p=0x4d53e8, msg=0xffbff238 "Spade: Closed dest port used: local dest, syn: 0.8843", 
arg=0x26a2e0, event=0xffbff210) at spo_database.c:1398
#1  0x36bfc in SPAlloc (size=2530584, spmc=0xffbff238) at util.c:1248
#2  0x620f4 in event_recorder_recover (self=0xffbff238, ref=0xc7c00) at spp_spade.c:6881
#3  0x65188 in HttpDecodeInit (args=0x4d5d50 "") at spp_http_decode.c:178
#4  0x665c4 in ExpireConnections (scanList=0x29e4e8, watchPeriod=Cannot access memory at address 0x4000) at 
spp_portscan.c:518
#5  0x64648 in Frag2Defrag (p=0x26ad88) at spp_frag2.c:812
#6  0x61edc in new_dll_double (val=0.77464485168755515) at spp_spade.c:6672
#7  0x3684c in CleanupProtoNames () at util.c:1057
#8  0x30c3c in SnortMain (argc=627712, argv=0xffbff650) at snort.c:265
#9  0x74ff8 in pcap_read_dlpi ()
#10 0x76374 in pcap_loop ()
#11 0x322e0 in ParseCmdLine (argc=1703936, argv=0x1b0000) at snort.c:1286
#12 0x30b30 in hex2s (val=5) at plugbase.c:1760
(gdb)  p/x p->tcph->th_seq
$1 = 0xe2e96563
(gdb) p/x p->tcph->th_ack
$2 = 0x8565987d
(gdb) 


1398                        snprintf(query->val, MAX_QUERY_LENGTH, 
(gdb) bt
#0  0x46d68 in Database (p=0x4d5618, msg=0xffbff258 "Spade: Closed dest port used: local dest, syn: 1.0000", 
arg=0x26a2b0, event=0xffbff230) at spo_database.c:1398
#1  0x37308 in CallAlertPlugins (p=0x4d5618, message=0xffbff258 "Spade: Closed dest port used: local dest, syn: 
1.0000", args=0x0, event=0xffbff230) at detect.c:276
#2  0x50cfc in SpadeReportAnom (context=0x0, rpt=0xc7c00) at spp_spade.c:634
#3  0x53d90 in canceller_status_report (context=0x26b7c8, rpt=0x4d5f80, status=PORT_LIKELYCLOSED) at spp_spade.c:1923
#4  0x551cc in packet_resp_canceller_new_time (self=0x2accc8, now=1072258950) at spp_spade.c:2421
#5  0x53250 in netspade_new_pkt (self=0x270248, pkt=0xffbff558) at spp_spade.c:1556
#6  0x50ae4 in PreprocSpade (p=0xffbff670) at spp_spade.c:571
#7  0x36f58 in Preprocess (p=0xffbff670) at detect.c:111
#8  0x31348 in ProcessPacket (user=0x0, pkthdr=0x0, pkt=0x1b0230 "") at snort.c:603
#9  0x74ff8 in pcap_read_dlpi ()
#10 0x76374 in pcap_loop ()
#11 0x329e8 in InterfaceThread (arg=0x1a0000) at snort.c:1533
#12 0x3123c in SnortMain (argc=1703936, argv=0xffbffc64) at snort.c:541
(gdb) p/x p->tcph->th_seq
$1 = 0x8439366a
(gdb) p/x p->tcph->th_ack
$2 = 0x9195a616
(gdb) 


Regards,

--Paul.
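One way to read these header fields regardless of how p->tcph happens to be aligned. This is an added example, not Snort's code and not Paul's: on SPARC a 32-bit load through a pointer that is only 2-byte aligned raises SIGBUS, which matches the symptom above that the 16-bit th_sport/th_dport reads survive while th_seq/th_ack (at byte offsets 4 and 8 of the TCP header) fault. Copying the field out with memcpy lets the compiler emit byte loads (or a word load only where it can prove alignment), so the same code runs on strict-alignment and lenient CPUs. The TCP header bytes, the deliberate 2-byte misalignment and the helper names (is_aligned, read_be16, read_be32, constructed_misaligned_tcph) are all constructed here; the seq/ack values are the ones printed in the first gdb session.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* TCP header field offsets per RFC 793 (the fields named in the post). */
#define TCP_SPORT_OFF 0
#define TCP_DPORT_OFF 2
#define TCP_SEQ_OFF   4
#define TCP_ACK_OFF   8
#define TCP_HDR_LEN   20

/* Report whether ptr satisfies the natural alignment for an n-byte load.
 * On SPARC a 4-byte load through a pointer failing this check is a bus error. */
int is_aligned(const void *ptr, size_t n) {
    return ((uintptr_t)ptr % n) == 0;
}

/* Alignment-safe network-order reads: memcpy into a local instead of
 * dereferencing a possibly misaligned struct member. */
uint16_t read_be16(const uint8_t *p) {
    uint16_t v;
    memcpy(&v, p, sizeof v);
    return ntohs(v);
}

uint32_t read_be32(const uint8_t *p) {
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return ntohl(v);
}

/* Constructed sample: a 20-byte TCP header (sport 12345, dport 80, SYN,
 * seq/ack as printed in the first gdb session) copied to offset 2 of a
 * 4-byte-aligned buffer, so the header start is 2-aligned but not
 * 4-aligned, i.e. the same situation the post's backtrace shows. */
static union {
    uint32_t align;                   /* forces 4-byte alignment of bytes[] */
    uint8_t  bytes[4 + TCP_HDR_LEN];
} frame;

const uint8_t *constructed_misaligned_tcph(void) {
    static const uint8_t hdr[TCP_HDR_LEN] = {
        0x30, 0x39,             /* th_sport = 12345 */
        0x00, 0x50,             /* th_dport = 80 */
        0x8d, 0x2b, 0xd5, 0x57, /* th_seq   = 0x8d2bd557 */
        0x8a, 0x15, 0xb2, 0x85, /* th_ack   = 0x8a15b285 */
        0x50, 0x02,             /* offset 5 words, flags SYN */
        0xff, 0xff,             /* window */
        0x00, 0x00,             /* checksum (not computed here) */
        0x00, 0x00              /* urgent pointer */
    };
    memcpy(frame.bytes + 2, hdr, TCP_HDR_LEN);
    return frame.bytes + 2;
}

int main(void) {
    const uint8_t *tcph = constructed_misaligned_tcph();

    /* The 16-bit fields are fine through a 2-aligned pointer; the 32-bit
     * ones are not, which is exactly where the post's snprintf faulted. */
    printf("tcph 2-aligned: %d, th_seq 4-aligned: %d\n",
           is_aligned(tcph + TCP_SPORT_OFF, 2),
           is_aligned(tcph + TCP_SEQ_OFF, 4));
    printf("sport=%u dport=%u seq=0x%08x ack=0x%08x\n",
           read_be16(tcph + TCP_SPORT_OFF),
           read_be16(tcph + TCP_DPORT_OFF),
           read_be32(tcph + TCP_SEQ_OFF),
           read_be32(tcph + TCP_ACK_OFF));
    return 0;
}
```

The is_aligned check is the thing to add to a debugger session or a diagnostic build when chasing a SIGBUS of this kind: print `(uintptr_t)p->tcph % 4` at the crash site, and if it is non-zero the decoder is handing the output plugin a header pointer that the struct cast cannot legally dereference on that CPU.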




