Snort mailing list archives
More spp_arpspoof crashing on solaris 2.6
From: "Bill Marquette" <wlmarque () hewitt com>
Date: Tue, 10 Jul 2001 12:45:21 -0500
I've seen this before on Solaris... MAC addresses don't seem to be byte aligned
properly. Attached is a diff that appears to fix the core I had (it's been
running for over 2 minutes now where it died in under 5 seconds previously).
--Bill
*** spp_arpspoof.c Tue Jul 10 12:54:51 2001
--- spp_arpspoof.c.orig Tue Jul 10 12:54:02 2001
***************
*** 195,201 ****
Event event;
char logMessage[180];
IPMacEntry *ipme;
! u_int8_t addr[6];
if(p && (p->eh != NULL && p->ah != NULL))
{
--- 195,201 ----
Event event;
char logMessage[180];
IPMacEntry *ipme;
! u_int32_t *addr;
if(p && (p->eh != NULL && p->ah != NULL))
{
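Review bot: the file headers put the modified spp_arpspoof.c on the `***` side and spp_arpspoof.c.orig on the `---` side, so this hunk reads new-to-old: `u_int8_t addr[6];` is the proposed fix and `u_int32_t *addr;` is the code being replaced. Regenerate the diff as diff -c spp_arpspoof.c.orig spp_arpspoof.c so it applies without patch -R. The new buffer is also sized like a MAC address (6 bytes) although it is filled from arp_spa, the 4-byte sender IP; declaring it as `u_int32_t addr;` would match both the field and the value the lookup was given before.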
***************
*** 249,255 ****
break;
}
/* LookupIPMacEntryByIP() is too slow, will be fixed later */
! bcopy((void *)&p->ah->arp_spa, (void *)addr, sizeof(u_int8_t) *
6);
if ((ipme = LookupIPMacEntryByIP(ipmel, *addr)) == NULL)
{((ipme
#ifdef DEBUG
--- 249,255 ----
break;
}
/* LookupIPMacEntryByIP() is too slow, will be fixed later */
! addr = (u_int32_t *)&p->ah->arp_spa;
if ((ipme = LookupIPMacEntryByIP(ipmel, *addr)) == NULL)
{((ipme
#ifdef DEBUG
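Review bot: on the `***` side the call `LookupIPMacEntryByIP(ipmel, *addr)` is left unchanged, but with addr now a `u_int8_t[6]` array, `*addr` is only its first byte, so the lookup receives one octet of the sender IP instead of the 32-bit value the `---` side passed. The bcopy also reads 6 bytes starting at arp_spa, which the gdb output below shows is 4 bytes long (ar_pln = 4), so the copy runs on into arp_tha. Suggest copying sizeof(u_int32_t) bytes into a `u_int32_t addr` and passing addr itself; that keeps the bytewise copy, which is what avoids the unaligned load at line 253.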
------------------------
Core was generated by `/apps/snort/current/bin/snort -o -c
/apps/snort/current/etc/snort.conf -i le0'.
Program terminated with signal 10, Bus Error.
Reading symbols from /usr/lib/libm.so.1...done.
Reading symbols from /usr/lib/libsocket.so.1...done.
Reading symbols from /usr/lib/libnsl.so.1...done.
Reading symbols from /usr/lib/libc.so.1...done.
Reading symbols from /usr/lib/libdl.so.1...done.
Reading symbols from /usr/lib/libmp.so.2...done.
Reading symbols from /usr/lib/nss_files.so.1...done.
#0 0x526e8 in ARPspoofPreprocFunction (p=0xeffff3c8) at spp_arpspoof.c:253
253 if ((ipme = LookupIPMacEntryByIP(ipmel, *addr)) == NULL)
(gdb) bt
#0 0x526e8 in ARPspoofPreprocFunction (p=0xeffff3c8) at spp_arpspoof.c:253
#1 0x2be18 in Preprocess (p=0xeffff3c8) at rules.c:3427
#2 0x1fee8 in ProcessPacket (user=0x0, pkthdr=0xbc800, pkt=0xc379e "ÿÿÿÿÿÿ") at
snort.c:512
#3 0x52ba8 in pcap_read ()
#4 0x537a8 in pcap_loop ()
#5 0x214f4 in InterfaceThread (arg=0xbc838) at snort.c:1441
#6 0x1fd84 in main (argc=772152, argv=0xeffffac4) at snort.c:445
(gdb) p ipme
$1 = (IPMacEntry *) 0x82c00
(gdb) p ipmel
$2 = (IPMacEntryList *) 0xf2540
(gdb) p p
$3 = (Packet *) 0xeffff3c8
(gdb) p *p
$4 = {pkth = 0xeffff8b8, pkt = 0xc379e "ÿÿÿÿÿÿ", fddihdr = 0x0, fddisaps = 0x0,
fddisna = 0x0,
fddiiparp = 0x0, fddiother = 0x0, trh = 0x0, trhllc = 0x0, trhmr = 0x0, sllh =
0x0, eh = 0xc379e, vh = 0x0,
ehllc = 0x0, ehllcother = 0x0, ah = 0xc37ac, iph = 0x0, orig_iph = 0x0,
ip_options_len = 0,
ip_options_data = 0x0, tcph = 0x0, orig_tcph = 0x0, tcp_options_len = 0,
tcp_options_data = 0x0,
udph = 0x0, orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0, data =
0x0, dsize = 0,
frag_flag = 0 '\000', frag_offset = 0, mf = 0 '\000', df = 0 '\000', rf = 0
'\000', sp = 0, dp = 0,
orig_sp = 0, orig_dp = 0, caplen = 0, URI = {uri = 0x0, length = 0}, ssnptr =
0x0, ip_options = {{
code = 0 '\000', len = 0, data = 0x0} <repeats 40 times>}, ip_option_count
= 0,
ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0 '\000', len = 0, data =
0x0} <repeats 40 times>},
tcp_option_count = 0, tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000',
packet_flags = 0,
wire_packet = 0 '\000'}
(gdb) p *p->ah
$5 = {ea_hdr = {ar_hrd = 1, ar_pro = 2048, ar_hln = 6 '\006', ar_pln = 4 '\004',
ar_op = 1},
arp_sha = "\000\000¢Ë)Ù", arp_spa = "\n\024\017þ", arp_tha = "ÿÿÿÿÿÿ", arp_tpa
= "\n\024\013O"}
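The alignment problem behind the bus error, as an added example that is not code from Snort or from this post: the frame is placed 2 bytes past a word boundary like pkt=0xc379e in the dump, which leaves the ARP header word-aligned but arp_spa not, and the sender IP is then read with a bytewise copy into an aligned local. The helper names (place_frame, aligned32, arp_sender_ip) and the Ethernet header bytes are assumptions made for the illustration; the ARP field values are the ones in the gdb output.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN    14   /* Ethernet header */
#define ARP_SPA_OFF 14   /* 8-byte fixed ARP header + 6-byte sender MAC */

/* Constructed frame: Ethernet header invented, ARP fields as in the gdb dump. */
static const uint8_t sample_frame[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x00,0xa2,0xcb,0x29,0xd9, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,  /* hrd pro hln pln op */
    0x00,0x00,0xa2,0xcb,0x29,0xd9,                /* arp_sha */
    0x0a,0x14,0x0f,0xfe,                          /* arp_spa */
    0xff,0xff,0xff,0xff,0xff,0xff,                /* arp_tha */
    0x0a,0x14,0x0b,0x4f                           /* arp_tpa */
};

static uint32_t backing[12];   /* 4-byte aligned storage for the capture buffer */

/* Put the frame 2 bytes past a word boundary and return the ARP header. */
const uint8_t *place_frame(void)
{
    uint8_t *pkt = (uint8_t *)backing + 2;
    memcpy(pkt, sample_frame, sizeof sample_frame);
    return pkt + ETH_HLEN;
}

/* Nonzero if p can be dereferenced as a 32-bit word on a strict-alignment CPU. */
int aligned32(const void *p)
{
    return (uintptr_t)p % sizeof(uint32_t) == 0;
}

/* Sender IP in network byte order, copied bytewise into an aligned local. */
uint32_t arp_sender_ip(const uint8_t *arp_hdr)
{
    uint32_t ip;
    memcpy(&ip, arp_hdr + ARP_SPA_OFF, sizeof ip);
    return ip;
}

int main(void)
{
    const uint8_t *ah = place_frame();
    printf("ah aligned: %d, arp_spa aligned: %d\n",
           aligned32(ah), aligned32(ah + ARP_SPA_OFF));
    printf("sender ip: 0x%08x\n", (unsigned)ntohl(arp_sender_ip(ah)));
    return 0;
}
```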
