Snort mailing list archives
Re: possible segfault on snort-2.9.x.x
From: "Nilesh K. Patel via Snort-devel" <snort-devel () lists snort org>
Date: Thu, 6 Sep 2018 11:49:00 +0000
Hi Sunirmal,

I don’t have a backtrace right now, but I can explain the scenario.

Consider that Snort has a timed-out TCP session of HTTP. Now if Snort gets a non-HTTP session, it will reach up to the StatelessSessionInspection function, and as it is not an HTTP session, InitServerConf doesn’t set server_conf or client_conf but returns success. So the session pointer has server_conf and client_conf values of NULL.

Now on “checkCacheFlowTimeout”, if we get an older timed-out HTTP session, Snort tries to flush queued packets, but at this time the session contains NULL values in server_conf and client_conf (remember, the session pointer points to a static variable).

You need to fix the InitServerConf function return value also.

Hope this helps.

Regards,
Nilesh

From: Sunirmal Mukherjee (sunimukh) [mailto:sunimukh () cisco com]
Sent: Wednesday, September 5, 2018 12:44 PM
To: Nilesh K. Patel <Nilesh.k.Patel () Sophos com>
Cc: snort_india_dev(mailer list) <snort_india_dev () cisco com>; snort-devel mailinglist <snort-devel () lists snort org>
Subject: Re: possible segfault on snort-2.9.x.x

Hi Nilesh,

Can you be more specific on the flow from “checkCacheFlowTimeout” on how exactly server_conf could be NULL?

Thanks & Regards,
Sunirmal

From: Lokesh Bevinamarad (lbevinam)
Sent: Thursday, August 16, 2018 7:53 PM
To: Nilesh K. Patel <Nilesh.k.Patel () Sophos com>
Cc: snort_india_dev(mailer list) <snort_india_dev () cisco com>; snort-devel mailinglist <snort-devel () lists snort org>
Subject: RE: possible segfault on snort-2.9.x.x

Thanks Nilesh for pointing this out. We will take a look.

Thanks
-Lokesh
From: Snort-devel <snort-devel-bounces () lists snort org> On Behalf Of Nilesh K. Patel via Snort-devel
Sent: Thursday, August 16, 2018 7:00 PM
To: snort-devel () lists snort org
Subject: [SUSPECTED SPAM] [Snort-devel] possible segfault on snort-2.9.x.x

Discovered a possible segfault in the HTTP pre-processor. Please consider the patch below to resolve it.

--- a/src/preprocessors/HttpInspect/include/hi_eo_log.h +++ b/src/preprocessors/HttpInspect/include/hi_eo_log.h @@ -30,7 +30,7 @@ static inline int hi_eo_generate_event(HI_SESSION *Session, int iAlert) { if(iAlert && !(Session->norm_flags & HI_BODY) && - !Session->server_conf->no_alerts) + Session->server_conf && !Session->server_conf->no_alerts) { return HI_BOOL_TRUE; }

In the flow from the “checkCacheFlowTimeout” function, there is a chance that server_conf is NULL, as the Session pointer is pointing to a static variable and the packet currently being processed is non-HTTP.
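Review bot: The added "Session->server_conf &&" test in hi_eo_generate_event() guards only this one dereference, while the Sep 6 follow-up in this thread states that InitServerConf returns success with both server_conf and client_conf left NULL, so any other use of either pointer on the same static session remains exposed. Keep the guard, but also have InitServerConf report failure for that case, as the thread suggests, and add a short comment on the condition explaining that server_conf can be NULL when the flush from checkCacheFlowTimeout runs while a non-HTTP packet is being processed. With server_conf NULL the condition is now false, so the HI_BOOL_TRUE branch is skipped for that packet; please confirm that skipping the event there is the intended behaviour.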
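The sequence described in this thread, as an added example that is not part of the original messages and is not Snort source: a simplified C model of one shared session object whose configuration pointers stay NULL after a non-HTTP packet, with the guarded event check and an init variant that reports failure. Field names follow the thread; the MODEL_ types, model_ functions, is_http flag and constant values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified model, NOT Snort source. Field names follow the thread; the
 * model_ functions, is_http flag and constant values are assumptions. */
#define HI_BODY       0x1
#define HI_BOOL_TRUE  1
#define HI_BOOL_FALSE 0

typedef struct { int no_alerts; } MODEL_CONF;
typedef struct { MODEL_CONF *server_conf, *client_conf; int norm_flags; } MODEL_SESSION;

static MODEL_SESSION static_session;  /* single object reused for every packet */
static MODEL_CONF http_conf;          /* zero-initialised: no_alerts == 0 */

/* As described in the thread: non-HTTP leaves both pointers NULL, returns success. */
int model_init_conf(MODEL_SESSION *s, int is_http)
{
    s->server_conf = s->client_conf = is_http ? &http_conf : NULL;
    return 0;
}

/* Root-cause variant: fail when the configuration was not resolved. */
int model_init_conf_checked(MODEL_SESSION *s, int is_http)
{
    model_init_conf(s, is_http);
    return (s->server_conf && s->client_conf) ? 0 : -1;
}

/* Event check carrying the NULL guard from the patch. */
int model_generate_event(const MODEL_SESSION *s, int iAlert)
{
    if (iAlert && !(s->norm_flags & HI_BODY) &&
        s->server_conf && !s->server_conf->no_alerts)
        return HI_BOOL_TRUE;
    return HI_BOOL_FALSE;
}

/* A packet touches the shared session, then queued packets are flushed through it. */
int model_flush_after_packet(int is_http)
{
    model_init_conf(&static_session, is_http);
    return model_generate_event(&static_session, 1);
}

int main(void)
{
    printf("http=%d non-http=%d\n", model_flush_after_packet(1), model_flush_after_packet(0));
    return 0;
}
```

Without the server_conf test in model_generate_event, the non-HTTP case would dereference NULL; the checked init lets a caller stop before the shared session is used at all.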