Snort mailing list archives
Snort++: MIND THE STACK when mixing C and LUA!
From: Sancho Panza <sancho () posteo de>
Date: Thu, 16 Jul 2015 11:51:31 +0200
I discovered a bug in Snort++ that seems to be kind of systematic.

What did I do? I tried to use the "lualert" LUA logger contained in the extras package. I configured Snort with one single rule to strike on every single IP packet. Next I started Snort with "-r 1million.dump" to process the traffic in a pcap file containing 1 million packets. After logging quite a couple of packets, Snort aborted with a Segmentation fault.

Turns out this was due to a stack overflow caused by quite a careless use of lua_pcall(): In loggers/alert_luajit.cc, there is a call to lua_pcall(L, 0, 1, 0) which, as indicated by the third parameter, returns one result on the lua stack. Alas, this result is never removed from the stack by a subsequent call to lua_pop(L, 1). I also noticed that this function features two calls to MODULE_PROFILE_END() which in case of an error would BOTH be executed (which is probably wrong).

Later I searched for lua_pcall() in the whole Snort++ sources and found more problems:

helpers/chunk.cc: Line 101 has a call to lua_pcall(L, 0, 1, 0), also with one result returned on the stack. In fact, there is a subsequent call to lua_pop() at the end, but in between, there are quite a few return statements that can be reached before lua_pop() gets executed, leaving the stack in an unclean state.

ips_options/ips_luajit.cc: Again, Line 201 has a call to lua_pcall(L, 0, 1, 0) with a subsequent call to lua_pop(), which won't be reached if lua_pcall() fails!

main/shell.cc: Function run_config has a call to lua_pcall(L, 1, 1, 0) without a corresponding lua_pop() to remove the result from the stack.

Regards,
Sancho
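The early-return leak described in the message above, and a scope guard that restores the stack depth on every exit path, as an added example that is not part of the original post and not code from the Snort++ sources. `ToyLua`, `StackGuard`, `eval_leaky`, `eval_guarded`, `run` and the capacity of 1000 are hypothetical; `ToyLua` is a stand-in that models only stack depth and throws where a real Lua stack would be corrupted.

```cpp
#include <cstddef>
#include <stdexcept>

// Stand-in for the Lua value stack (NOT the real Lua API): tracks depth only.
struct ToyLua {
    static constexpr std::size_t kLimit = 1000;  // constructed capacity
    std::size_t top = 0;
    // ~ lua_pcall(L, 0, 1, 0): leaves ONE value on the stack either way,
    // the result on success or the error message on failure.
    bool call(bool ok) {
        if (top == kLimit) throw std::overflow_error("stack overflow");
        ++top;
        return ok;
    }
    void settop(std::size_t n) { top = n; }  // ~ lua_settop(L, n)
};

// RAII guard: record the depth on entry, restore it on every exit path.
class StackGuard {
public:
    explicit StackGuard(ToyLua& l) : lua(l), saved(l.top) {}
    ~StackGuard() { lua.settop(saved); }
    StackGuard(const StackGuard&) = delete;
    StackGuard& operator=(const StackGuard&) = delete;
private:
    ToyLua& lua;
    std::size_t saved;
};

// Pattern from the report: the early return on failure skips the pop.
bool eval_leaky(ToyLua& lua, bool ok) {
    if (!lua.call(ok)) return false;  // error message stays on the stack
    lua.settop(lua.top - 1);          // ~ lua_pop(L, 1), success path only
    return true;
}

bool eval_guarded(ToyLua& lua, bool ok) {
    StackGuard guard(lua);            // restores depth on both returns
    return lua.call(ok);
}

// Runs n per-packet evaluations; returns the final depth, or -1 on overflow.
long run(bool (*eval)(ToyLua&, bool), int n, bool ok) {
    ToyLua lua;
    try { for (int i = 0; i < n; ++i) eval(lua, ok); }
    catch (const std::overflow_error&) { return -1; }
    return static_cast<long>(lua.top);
}
```

With the real API the same guard would save `lua_gettop(L)` in its constructor and call `lua_settop(L, saved)` in its destructor.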
Current thread:
- Snort++: MIND THE STACK when mixing C and LUA! Sancho Panza (Jul 16)
- Re: Snort++: MIND THE STACK when mixing C and LUA! Russ (Jul 16)