On 2007/04/07 00:55, Soner Tari wrote:
> Since I felt that this is a very dumb thing to do (and just a work
> around), I suspected the type of s.

I think it's incidentally fixing things the wrong way. in PrintIPPkt(), a bpf_timeval structure (whose members are unsigned int [32-bit on both i386 and amd64]) is passed to ts_print() which expects a timeval (not bpf_timeval) structure (whose members are longs [32-bit on i386, 64-bit on amd64]).

> Could somebody explain how this is possible? On amd64 what is it that's
> different from i386 and can cause a problem like this?

OpenBSD/i386 is ILP32 (int, long and pointers are all 32-bit). OpenBSD/amd64 is LP64 (int is 32-bit, long and pointers are 64-bit). i.e. on i386, long and int are the same size, so timeval and bpf_timeval are equivalent. On amd64, they aren't.

> And what is the correct way of fixing it?

Not sure, my C is pretty much read-only still (I am learning to use gdb so this was a little exercise for me) - I would guess convert ts_print to use bpf_timeval, but note that gettimeofday _does_ return timeval (long not uint) so the if(!tvp) would need some change (though I'm not sure if it's ever called, I didn't see it in my pretty limited testing; I don't know snort all that well though, as I mentioned offlist this isn't the first time I saw it break on !i386)

Gotta love the comment: "Oh yeah, I ripped this code off from TCPdump, props to those guys". One for theinquirer, no doubt...
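
Added example, not part of the original post or of Snort's code: a C sketch of the mismatch described above, showing what a callee expecting the LP64 layout reads from a 32-bit timestamp, beside a field-by-field conversion. The types `tv_bpf` and `tv_lp64` and all function names are hypothetical fixed-width stand-ins for `bpf_timeval` and the amd64 `timeval`, so the result is the same on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the two layouts in the post (hypothetical names, not the
 * system's own declarations). */
struct tv_bpf  { uint32_t tv_sec; uint32_t tv_usec; }; /* bpf_timeval: 2 x 32-bit */
struct tv_lp64 { int64_t  tv_sec; int64_t  tv_usec; }; /* timeval on LP64: 2 x 64-bit */

/* Constructed sample: a timestamp and the 8 unrelated bytes after it in memory. */
static const struct tv_bpf SAMPLE_TS = { 1175907300u, 250000u };
static const unsigned char SAMPLE_TRAILING[8] =
    { 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA };

/* Field-by-field conversion: correct whatever the width of long is. */
struct tv_lp64 convert(const struct tv_bpf *in)
{
    struct tv_lp64 out;
    out.tv_sec  = (int64_t)in->tv_sec;
    out.tv_usec = (int64_t)in->tv_usec;
    return out;
}

/* What a callee expecting tv_lp64 sees when handed the address of a tv_bpf:
 * it reads 16 bytes, of which only the first 8 are the timestamp. */
struct tv_lp64 misread(const struct tv_bpf *ts, const unsigned char trailing[8])
{
    unsigned char mem[sizeof(struct tv_lp64)];
    struct tv_lp64 out;
    memcpy(mem, ts, sizeof *ts);                 /* the real 8-byte timestamp */
    memcpy(mem + sizeof *ts, trailing, 8);       /* whatever follows it */
    memcpy(&out, mem, sizeof out);
    return out;
}

/* Returns 1 only if the misread equals the real timestamp. */
int misread_matches(const struct tv_bpf *ts, const unsigned char trailing[8])
{
    struct tv_lp64 bad = misread(ts, trailing), good = convert(ts);
    return bad.tv_sec == good.tv_sec && bad.tv_usec == good.tv_usec;
}

int main(void)
{
    struct tv_lp64 good = convert(&SAMPLE_TS);
    struct tv_lp64 bad  = misread(&SAMPLE_TS, SAMPLE_TRAILING);
    printf("converted: %lld.%06lld\n", (long long)good.tv_sec, (long long)good.tv_usec);
    printf("misread:   %lld.%lld\n", (long long)bad.tv_sec, (long long)bad.tv_usec);
    return misread_matches(&SAMPLE_TS, SAMPLE_TRAILING);
}
```

With both fields 32 bits wide, as on ILP32, the two layouts coincide and the misread cannot occur, which is why the code works on i386.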
