Re: [tcpdump-workers] Core dump inside pcap optimizer. Snort 1.7 + libpcap-0.6.2

Mon, 12 Feb 2001 01:36:11 -0800 

On Mon, Feb 12, 2001 at 06:16:22PM +0900, [EMAIL PROTECTED] wrote:
>       try "host 127.0.0.1 or host ::1".

Note that the above would go through a different code path, so it'd be a
test of whether there's something wrong with the code path in question -
which is what we want.

Speaking of that code, it appears that

                        memset(&mask128, 0xff, sizeof(mask128));
                        res0 = res = pcap_nametoaddrinfo(name);
                        if (res == NULL)
                                bpf_error("unknown host '%s'", name);
                        b = tmp = NULL;
                        tproto = tproto6 = proto;
                        if (off_linktype == -1 && tproto == Q_DEFAULT) {
                                tproto = Q_IP;
                                tproto6 = Q_IPV6;
                        }
                        for (res = res0; res; res = res->ai_next) {
                                switch (res->ai_family) {
                                case AF_INET:
                                        if (tproto == Q_IPV6)
                                                continue;

                                        sin = (struct sockaddr_in *)
                                                res->ai_addr;
                                        tmp = gen_host(ntohl(sin->sin_addr.s_addr),
                                                0xffffffff, tproto, dir);
                                        break;
                                case AF_INET6:
                                        if (tproto6 == Q_IP)
                                                continue;

                                        sin6 = (struct sockaddr_in6 *)
                                                res->ai_addr;
                                        tmp = gen_host6(&sin6->sin6_addr,
                                                &mask128, tproto6, dir);
                                        break;
                                }
                                if (b)
                                        gen_or(b, tmp);
                                b = tmp;
                        }

could malfunction if "res->ai_family" is neither AF_INET nor AF_INET6
(yes, perhaps that "should not happen", but sometimes stuff that "should
not happen" happens anyway).  However, I'd expect it to crash in

        backpatch(b0, b1->head);

when it tries to dereference "b1", rather than blowing up in the bowels
of the optimizer.

It might be interesting to see what happens if

                                if (b)
                                        gen_or(b, tmp);

is changed to

                                if (b && tmp)
                                        gen_or(b, tmp);
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe

Reply via email to