Snort mailing list archives

Re: [BUG][Stream5]: SIGSEGV in Stream5 TCP, TcpSessionCleanup at snort_stream5_tcp.c:4624


From: Russ Combs <rcombs () sourcefire com>
Date: Sat, 8 Oct 2011 09:04:12 -0400

OK, I was able to reproduce that.  It happens because the .dmp file has eth2
packets and the .cap file has linux cooked packets.  Snort switches
"grinders" (the root decoder) when the pcap is changed and will not segfault
if you use either --pcap-reset or --dirty-pig.  Absent one of those options,
stream5 blows up flushing at shutdown a packet captured in the first file by
trying to re-decode it using the grinder for the second file.

I'll file a bug for this.  The fix will probably be to force --pcap-reset
behavior when the grinder changes for a new pcap.

BTW, adding --enable-sourcefire makes no difference in this case (segfault
w/or w/o).  It is mostly just shorthand for a bunch of other enables, but it
does set a flag which is used conditionally in a few places.

Thanks for all your help getting to the bottom of this.
Russ

On Fri, Oct 7, 2011 at 8:46 PM, <Joshua.Kinard () us-cert gov> wrote:

-----Original Message-----
From: Russ Combs [mailto:rcombs () sourcefire com]
Sent: Friday, October 07, 2011 8:29 AM
Subject: Re: [Snort-devel] [BUG][Stream5]: SIGSEGV in Stream5 TCP,
TcpSessionCleanup at snort_stream5_tcp.c:4624

On Fri, Oct 7, 2011 at 7:20 AM, Russ Combs <rcombs () sourcefire com>
wrote:

     Hey Joshua,

     Thanks for reporting this problem.  I am unable to reproduce it
with my Ubuntu gcc 4.4.3.

No segfault with Fedora gcc 4.5.1 either.

      Can you also send your ./configure and command lines?

I'm configuring via snort.conf and running with snort -c test.conf -r
2009-04-21-07-47-35.dmp  -A cmg.

Hi Russ,

Minus --prefix and some of the --with-* overrides (because I am building
this as an unprivileged user and have compiled the needed libraries in
my home folder), this is my configure line:

./configure --enable-ipv6 --enable-zlib --enable-gre --enable-mpls
--enable-decoder-preprocessor-rules --enable-pthread --enable-debug-msgs
--enable-debug --enable-react --enable-flexresp3 --enable-normalizer
--enable-perfprofiling

My command line is this:

snort -c local.rules -k none -A console --pcap-dir <dir>/ -q

On a whim, I just tested using -r <pcap>, and that does not trigger the
SIGSEGV.  It does happen if you use --pcap-dir and have the referenced
PCAP file in the target directory PLUS this SCTP sample from WireShark's
Sample Captures:
http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=sctp-addip.cap

Also, using --enable-sourcefire causes this SIGSEGV to disappear.  What
is that configure flag doing, exactly?


Thanks!,

--J
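
An added example, not part of the original thread or of Snort's code: a pre-flight check that reads each capture's pcap global header and reports whether a directory meant for --pcap-dir mixes link types (Ethernet and Linux cooked here), the condition identified above as the trigger. Function names and the sample files are constructed for illustration; only classic pcap headers are parsed, and anything else is grouped under None.

```python
import struct
import tempfile
from collections import defaultdict
from pathlib import Path

# First four bytes of a classic libpcap file -> struct byte-order prefix.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",  # little-endian (usec, nsec)
    b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">",  # big-endian (usec, nsec)
}
NAMES = {1: "Ethernet", 113: "Linux cooked (SLL)"}  # LINKTYPE_ values

def pcap_linktype(path):
    """Link-layer type from the 24-byte pcap global header, or None if unreadable."""
    with open(path, "rb") as fh:
        hdr = fh.read(24)
    order = MAGICS.get(hdr[:4])
    if order is None or len(hdr) < 24:
        return None  # pcapng, truncated, or not a capture file
    (network,) = struct.unpack(order + "I", hdr[20:24])
    return network & 0xFFFF  # low 16 bits hold the link type

def group_by_linktype(directory):
    """Map link type -> sorted file names for every regular file in directory."""
    groups = defaultdict(list)
    for p in sorted(Path(directory).iterdir()):
        if p.is_file():
            groups[pcap_linktype(p)].append(p.name)
    return dict(groups)

def mixed_linktypes(groups):
    """True when the directory holds captures of more than one link type."""
    return len([lt for lt in groups if lt is not None]) > 1

def demo():
    """Constructed sample: two header-only captures, Ethernet and Linux cooked."""
    def header(linktype):
        return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    with tempfile.TemporaryDirectory() as d:
        Path(d, "first.dmp").write_bytes(header(1))
        Path(d, "second.cap").write_bytes(header(113))
        return group_by_linktype(d)

if __name__ == "__main__":
    groups = demo()
    for lt, files in groups.items():
        print(NAMES.get(lt, lt), files)
    if mixed_linktypes(groups):
        print("mixed link types: run snort with --pcap-reset")
```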
