Snort mailing list archives
Re: Improvement to Unified2File.c in Snort-2.9.8.0 beta
From: "Ed Borgoyn (eborgoyn)" <eborgoyn () cisco com>
Date: Thu, 10 Sep 2015 20:54:59 +0000
Hello Bill,
Thanks for the Snort 2.9.8.0 Beta patch. I'll make sure that it gets into our internal Snort bug/enhancement
tracking system (along with the proper attribution).
Ed Borgoyn
Cisco Snort Development Team
From: Bill Parker <wp02855 () gmail com>
Date: Thursday, September 10, 2015 at 4:43 PM
To: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: [Snort-devel] Improvement to Unified2File.c in Snort-2.9.8.0 beta
Hello All,
In reviewing code in directory 'tools/u2streamer', file
'Unified2File.c', I ran across the comment below:
/* XXX we should check that we are in the HEADER_READY state */
The patch file below adds the check requested, and additionally checks
a call to lseek() further down in the code which is not checked
for a return value of < 0, indicating error:
=======================================================================
--- Unified2File.c.orig 2015-09-10 09:36:35.103000000 -0700
+++ Unified2File.c 2015-09-10 09:58:34.475000000 -0700
@@ -108,15 +108,19 @@
if(!u2_file->u2_record)
{
/* XXX we should check that we are in the HEADER_READY state */
- if(!(u2_file->u2_record = (Unified2Record *)calloc(1,
- sizeof(Unified2Record))))
- {
- fprintf(stderr, "Out of memory (wanted %zu bytes)",
- sizeof(Unified2Record));
- return SF_ENOMEM;
- }
- u2_file->read_offset = 0;
- u2_file->read_status = U2FILE_STATUS_HEADER_READY;
+ if(u2_file->read_status == U2FILE_STATUS_HEADER_READY)
+ {
+ u2_file->u2_record = (Unified2Record *) calloc(1, sizeof(Unified2Record));
+
+ if(!u2_file->u2_record)
+ {
+ fprintf(stderr, "Out of memory (wanted %zu bytes)",
+ sizeof(Unified2Record));
+ return SF_ENOMEM;
+ }
+ u2_file->read_offset = 0;
+ u2_file->read_status = U2FILE_STATUS_HEADER_READY;
+ }
}
if(u2_file->read_status == U2FILE_STATUS_HEADER_READY
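Review bot: The new guard `if(u2_file->read_status == U2FILE_STATUS_HEADER_READY)` has no else branch, so when the status is anything else the code falls through with u2_file->u2_record still NULL and no error returned. The removed lines allocated unconditionally and then set read_status to HEADER_READY; with the guard in place, a file that enters in any other state never gets its record allocated on this path. Suggest an else branch that returns an error code, or a note confirming that callers always enter with HEADER_READY set. The assignment `u2_file->read_status = U2FILE_STATUS_HEADER_READY;` inside the guarded block is now redundant and can be dropped.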
@@ -176,6 +180,13 @@
{
/* Seek back to where we started, in case we want to try again */
off_t rval = lseek(u2_file->fd, (0 - bytes_read), SEEK_CUR);
+ if (rval == -1) {
+ fprintf(stderr, "Error on Seek backwards...\n");
+ u2_file->read_errno = errno;
+ u2_file->read_status = U2FILE_STATUS_NOT_READY;
+ return SF_ESEEK;
+ }
+
fprintf(stderr, "Seek backwards %zu bytes, seek returns %ld", bytes_read, rval);
error_count++;
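Review bot: In the added lseek() failure branch, errno is copied into u2_file->read_errno only after the fprintf() call, and fprintf() can itself modify errno, so the saved value may not be the one lseek() set. Move `u2_file->read_errno = errno;` to the first line of the branch, then log. The message would also be more useful if it included strerror() of the saved value and bytes_read, since "Error on Seek backwards..." alone does not say why the seek failed. Comparing against `(off_t)-1` rather than `-1` makes the intent explicit.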
=======================================================================
The patch file below adds a new code for when seek()/lseek()/fseek()
returns an error value:
--- sf_error.h.orig 2015-09-10 10:12:36.391000000 -0700
+++ sf_error.h 2015-09-10 10:13:16.686000000 -0700
@@ -64,6 +64,7 @@
#define SF_EUSER_LIMIT_REACHED 56 /* Couldn't create user - license limit reached*/
#define SF_EDELETE 57 /* Error in deleting file or entry in memory */
#define SF_EMEM 58 /* Error in manipulating memory */
+#define SF_ESEEK 70 /* Seek error (file i/o) */
#define SF_NITRO_DUPLICATE 114 /* duplicate key */
/**
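Review bot: SF_ESEEK is defined as 70 while the neighbouring codes run 56, 57, 58, and nothing in the visible lines explains why 59 through 69 are skipped. The `// 56`, `// 57`, `// 58` comments in the sf_error.c hunk of this same patch suggest the codes index a string table by position, so a non-contiguous value needs either matching padding in that table or a renumbering to the next free value. Please add a comment stating which it is.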
=======================================================================
The patch file below adds a new descriptive string for the matching
value in sf_error.h:
--- sf_error.c.orig 2015-09-10 10:19:08.505000000 -0700
+++ sf_error.c 2015-09-10 10:20:13.149000000 -0700
@@ -64,6 +64,7 @@
"Couldn't create user - license limit reached", // 56 - SF_EUSER_LIMIT_REACHED
"Error in deleting file or entry in memory", // 57 - SF_EDELETE
"Error manipulating memory" // 58 - SF_EMEM
+ "Seek error" // 70 - SF_ESEEK
};
#define SF_MAX_ERRNUM (sizeof(SF_errstrings)/sizeof(SF_errstrings[0]))
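Review bot: The added line `"Seek error"` follows `"Error manipulating memory"`, which has no trailing comma, so the compiler concatenates the two adjacent literals into a single entry reading "Error manipulating memorySeek error" and SF_errstrings gains no new element. Add a comma after the SF_EMEM string. Even with the comma, the new string sits in the slot directly after the entry commented 58 while its own comment says 70, and SF_MAX_ERRNUM is derived from the array size, so a lookup by the value 70 would not reach it unless the table is padded or SF_ESEEK is renumbered.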
=======================================================================
I am attaching the patch files to this bug report...
Questions, Comments, Suggestions, Complaints? :)
Bill Parker (wp02855 at gmail dot com) <m00000000!>
