Snort mailing list archives
Snort 2.9.7.5. bug in Unix Socket plugin on x64 platform
From: Kiryukhin Andrey <andrei_1980 () mail ru>
Date: Thu, 06 Aug 2015 15:58:08 +0300
Hello.
There seems to be a bug in the Snort unix socket plugin on the x64 platform.
I have snort 2.9.7.5 and daq-2.0.6 on xubuntu 14.04 x64.
In the file "spo_alert_unixsock.c" there is the function AlertUnixSock(Packet *p, const char *msg, void *arg, Event *event), in which:
    static Alertpkt alertpkt;
    .............
    memmove( (void *)&alertpkt.pkth, (const void *)p->pkth,
             sizeof(alertpkt.pkth));
    .............
where
    sizeof(alertpkt.pkth) = 16 bytes
If we look at p->pkth:
    typedef struct _daq_pkthdr
    {
        struct timeval ts;   /* Timestamp */   <-- 16 bytes on the x64 platform
        .......
If we look at alertpkt.pkth:
    typedef struct _Alertpkt
    {
        ..........
        struct pcap_pkthdr32 pkth;   <-- the whole structure is 16 bytes!!
        ........
where
    struct pcap_pkthdr32
    {
        struct sf_timeval32 ts;   /* packet timestamp */        <-- 8 bytes!!!!
        uint32_t caplen;          /* packet capture length */
        uint32_t len;             /* packet "real" length */
    };
And so, we try to copy 16 bytes from p->pkth to alertpkt.pkth, but the
first 16 bytes of p->pkth are the timeval, so all the fields of
alertpkt.pkth get filled from the single timeval field of p->pkth.
In other words, the size of timeval in p->pkth != the size of
sf_timeval32 in alertpkt.pkth.
A fix for this bug:
    /* instead of
         memmove( (void *)&alertpkt.pkth, (const void *)p->pkth,
                  sizeof(alertpkt.pkth));
       do:
    */
    alertpkt.pkth.ts.tv_sec  = (uint32_t)p->pkth->ts.tv_sec;
    alertpkt.pkth.ts.tv_usec = (uint32_t)p->pkth->ts.tv_usec;
    alertpkt.pkth.caplen     = p->pkth->caplen;
    alertpkt.pkth.len        = p->pkth->pktlen;
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
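The size mismatch described in the message above, reproduced as an added example that is not part of the original post and is not Snort's or DAQ's own code. The struct names are modelled on the ones quoted in the mail, but the definitions here are reduced local models limited to the fields the mail discusses (the real DAQ header carries more fields after them), and the sample header values are constructed. On an LP64 platform such as x86_64 Linux the memmove() of sizeof(alertpkt.pkth) bytes copies only the 16-byte struct timeval, so caplen and len come out wrong, while the field-by-field copy proposed in the mail is correct everywhere.

```c
/* Added example, not code from the mail or from Snort/DAQ: a reduced model of
 * the header copy in AlertUnixSock() that shows why memmove() of
 * sizeof(destination) bytes goes wrong on LP64, and that a field-by-field copy
 * is correct. Struct layouts below are assumptions covering only the fields
 * discussed in the mail. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

/* Fixed 32-bit timestamp of the on-socket alert format: 8 bytes everywhere. */
struct sf_timeval32 {
    uint32_t tv_sec;
    uint32_t tv_usec;
};

/* Fixed-layout capture header sent to the unix socket: 16 bytes everywhere. */
struct pcap_pkthdr32 {
    struct sf_timeval32 ts;
    uint32_t caplen;
    uint32_t len;
};

/* Reduced model of the DAQ packet header (assumption: the real DAQ_PktHdr_t
 * has further fields after these). struct timeval is 16 bytes on LP64, so the
 * first 16 bytes of this struct hold only the timestamp. */
struct daq_pkthdr_model {
    struct timeval ts;
    uint32_t caplen;
    uint32_t pktlen;
};

/* Constructed sample header: arbitrary epoch seconds, a 60-byte snaplen and a
 * full-size Ethernet frame. */
static struct daq_pkthdr_model sample_header(void)
{
    struct daq_pkthdr_model h;
    memset(&h, 0, sizeof h);
    h.ts.tv_sec  = 1438865888;
    h.ts.tv_usec = 123456;
    h.caplen     = 60;
    h.pktlen     = 1514;
    return h;
}

/* The copy as it appears in the mail: sizeof(destination) bytes, blindly. */
static void copy_header_memmove(struct pcap_pkthdr32 *dst,
                                const struct daq_pkthdr_model *src)
{
    memmove((void *)dst, (const void *)src, sizeof(*dst));
}

/* The proposed fix: one assignment per field, timestamp truncated to 32 bits. */
static void copy_header_fields(struct pcap_pkthdr32 *dst,
                               const struct daq_pkthdr_model *src)
{
    dst->ts.tv_sec  = (uint32_t)src->ts.tv_sec;
    dst->ts.tv_usec = (uint32_t)src->ts.tv_usec;
    dst->caplen     = src->caplen;
    dst->len        = src->pktlen;
}

/* 1 if dst carries the same timestamp (mod 2^32), caplen and len as src. */
static int header_matches(const struct pcap_pkthdr32 *dst,
                          const struct daq_pkthdr_model *src)
{
    return dst->ts.tv_sec  == (uint32_t)src->ts.tv_sec
        && dst->ts.tv_usec == (uint32_t)src->ts.tv_usec
        && dst->caplen     == src->caplen
        && dst->len        == src->pktlen;
}

/* Apply the memmove() copy to the sample header and report whether the
 * result is right: 0 on LP64, 1 only where timeval is 8 bytes. */
static int memmove_copy_is_correct(void)
{
    struct daq_pkthdr_model src = sample_header();
    struct pcap_pkthdr32 dst;
    copy_header_memmove(&dst, &src);
    return header_matches(&dst, &src);
}

/* Apply the field-by-field copy: correct regardless of sizeof(struct timeval). */
static int field_copy_is_correct(void)
{
    struct daq_pkthdr_model src = sample_header();
    struct pcap_pkthdr32 dst;
    copy_header_fields(&dst, &src);
    return header_matches(&dst, &src);
}

int main(void)
{
    struct daq_pkthdr_model src = sample_header();
    struct pcap_pkthdr32 dst;

    printf("sizeof(struct timeval)=%zu sizeof(struct sf_timeval32)=%zu "
           "sizeof(struct pcap_pkthdr32)=%zu\n", sizeof(struct timeval),
           sizeof(struct sf_timeval32), sizeof(struct pcap_pkthdr32));

    copy_header_memmove(&dst, &src);
    printf("memmove copy: ts=%u.%06u caplen=%u len=%u -> %s\n",
           dst.ts.tv_sec, dst.ts.tv_usec, dst.caplen, dst.len,
           memmove_copy_is_correct() ? "ok" : "WRONG");

    copy_header_fields(&dst, &src);
    printf("field copy:   ts=%u.%06u caplen=%u len=%u -> %s\n",
           dst.ts.tv_sec, dst.ts.tv_usec, dst.caplen, dst.len,
           field_copy_is_correct() ? "ok" : "WRONG");
    return 0;
}
```

On x86_64 Linux the memmove() line prints the low half of tv_usec as caplen and zero as len, because bytes 8..15 of the source are the 8-byte tv_usec rather than caplen and len; a consumer of the unix socket that trusts caplen to bound the packet payload would therefore read a length that has nothing to do with the packet. The field copy is also the only one of the two that survives a change of sizeof(struct timeval), which is why the fix should not be a second memmove() with an adjusted size.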
Current thread:
- Snort 2.9.7.5. bug in Unix Socket plugin on x64 platform Kiryukhin Andrey (Aug 06)
- Re: Snort 2.9.7.5. bug in Unix Socket plugin on x64 platform Hui cao (Aug 10)
