[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: firestorm: new pb frag ...

To: Gianni Tedesco <gianni@xxxxxxxxxx>
Subject: Re: firestorm: new pb frag ...
From: Gianni Tedesco <gianni@xxxxxxxxxx>
Date: 04 Apr 2003 17:01:53 +0100
Cc: rmkml <rmkml@xxxxxxxxxx>, firestorm@xxxxxxxxxxxxxxxx
Delivered-to: mailing list firestorm@scaramanga.co.uk
In-reply-to: <1049464033.9293.78.camel@lemsip>
Mailing-list: contact firestorm-help@scaramanga.co.uk; run by ezmlm
References: <3E8D89C0.FCFEFE8C@wanadoo.fr> <1049464033.9293.78.camel@lemsip>

On Fri, 2003-04-04 at 14:47, Gianni Tedesco wrote:
> On Fri, 2003-04-04 at 14:33, rmkml wrote:
> > Hi All,
> > 
> > I found a pb with firestorm,

It's a genuine bug, thanks for spotting.

Attached patch should fix it.

PS. The syslog thing is a bug inherited from the log plugin which is now
fixed in CVS.

-- 
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D

Index: firestorm/ChangeLog
diff -u firestorm/ChangeLog:1.241 firestorm/ChangeLog:1.242
--- firestorm/ChangeLog:1.241	Fri Apr  4 14:55:55 2003
+++ firestorm/ChangeLog	Fri Apr  4 16:57:59 2003
@@ -20,6 +20,7 @@
  * Fix dsize bug, fix off-by-one offset bug
  * Add syslog target
  * Fix log ip address bug for ipfrag
+ * Don't double free fragments when timed out
 
 Version 0.5.2
  * Use list head for LRU in tcpstream
Index: firestorm/HACKING
diff -u firestorm/HACKING:1.200 firestorm/HACKING:1.201
--- firestorm/HACKING:1.200	Wed Mar 26 12:49:33 2003
+++ firestorm/HACKING	Fri Apr  4 16:57:59 2003
@@ -5,11 +5,6 @@
  firestorm but aren't sure how, this is the place to start.
 
 
-BUGS
-====
- o There is at least one crash bug...
-
-
 API CLEANUPS
 ============
  o Matchers should be registered on to protocols.
Index: firestorm/NEWS
diff -u firestorm/NEWS:1.128 firestorm/NEWS:1.129
--- firestorm/NEWS:1.128	Fri Apr  4 14:55:55 2003
+++ firestorm/NEWS	Fri Apr  4 16:57:59 2003
@@ -7,6 +7,7 @@
   * Fixed longstanding bugs in dsize matcher
   * Snort compatible 'offset' modifier
   * Fix bug in log plugin displaying IP addresses in ipfrag alerts
+  * Fix crash bug in ipfrag
  NEW FEATURES
   * Balance alerts between alert spools
   * Firecat can create indexes on elog files
Index: firestorm/decode_plugins/ipfrag.c
diff -u firestorm/decode_plugins/ipfrag.c:1.29 firestorm/decode_plugins/ipfrag.c:1.30
--- firestorm/decode_plugins/ipfrag.c:1.29	Sat Jan 25 16:47:05 2003
+++ firestorm/decode_plugins/ipfrag.c	Fri Apr  4 16:57:59 2003
@@ -77,6 +77,23 @@
 #define IPHASH 128 /* Must be a power of two */
 struct ipq *ipq_hash[IPHASH]; /* IP fragment hash table */
 
+__INLINE__ struct ipfrag *fragstruct_alloc(void)
+{
+	struct ipfrag *ret;
+	
+	ret=malloc(sizeof(*ret));
+	if ( ret )
+		ipfrag_mem += sizeof(*ret);
+
+	return ret;
+}
+
+__INLINE__ void fragstruct_free(struct ipfrag *x)
+{
+	free(x);
+	ipfrag_mem -= sizeof(*x);
+}
+
 /* Hash function for ipq_hash lookup */
 __INLINE__ unsigned int ipq_hashfn(u_int16_t id,
 	u_int32_t saddr,
@@ -190,8 +207,7 @@
 			free(bar->fdata);
 			ipfrag_mem-=bar->flen;
 		}
-		free(bar);
-		ipfrag_mem-=sizeof(struct ipfrag);
+		fragstruct_free(bar);
 	}
 
 	/* Remove from LRU queue */
@@ -395,11 +411,12 @@
 /* Trim down to low memory watermark */
 __INLINE__ void ip_evictor(struct packet *pkt, struct ipq *cq)
 {
-	dmesg(M_DEBUG,"Running the ipfrag evictor!");
+	dmesg(M_DEBUG,"Running the ipfrag evictor! %u(%i) %i",
+		ipfrag_mem, ipfrag_mem, sizeof(struct ipfrag));
 	ipfrag_oom(pkt);
+	ipfrag_err_mem++;
 	while ( (ipfrag_mem > ipfrag_mem_lo) ) {
 		if ( !ipq_oldest || ipq_oldest==cq) return;
-		ipfrag_err_mem++;
 		ipq_kill(ipq_oldest);
 	}
 }
@@ -433,7 +450,7 @@
 		 * is suspicious (read: evasive) */
 		ipfrag_timedout(pkt);
 		ipq_kill(qp);
-		return 0;
+		return 1;
 	}
 
 	/* Check other timeouts */
@@ -524,8 +541,9 @@
 	}
 
 	/* Insert data into fragment chain */
-	if ( !(me=calloc(1, sizeof(struct ipfrag))) ) return 1;
-	ipfrag_mem+=sizeof(struct ipfrag);
+	me = fragstruct_alloc();
+	if ( !me )
+		return 1;
 
 	/* Find out where to insert this fragment in the list */
 	prev=NULL;
@@ -575,41 +593,46 @@
 			}
 
 			qp->meat -= free_it->len;
-			free(free_it);
-			ipfrag_mem-=sizeof(struct ipfrag);
+			fragstruct_free(free_it);
 		}
 	}
 
 	/* Make the fragment */
-	me->len=len-(chop);
-	me->offset=offset;
-	me->len-=ihl;
+	me->len = len - chop;
+	me->offset = offset;
+	me->len -= ihl;
 	if ( offset ) {
 		chop=ihl;
+	} else {
+		chop=0;
 	}
 
 	/* IP defragmentation can be zerocopy */
 	if ( pkt->flags & FP_CLONE ) {
 		unsigned int alen=me->len;
 
-		if ( !offset ) alen+=ihl;
+		if ( !offset )
+			alen+=ihl;
 
 		if ( !(me->fdata=malloc(alen)) ) {
-			free(me);
+			fragstruct_free(me);
 			return 1;
 		}
 
 		ipfrag_mem+=alen;
-		memcpy(me->fdata, ((void *)iph)+chop, alen);
+		memcpy(me->fdata, ((char *)iph)+chop, alen);
 		me->free=1;
 		me->flen=alen;
+		mesg(M_DEBUG, "alloc %u", alen);
 	}else {
 		me->fdata=((void *)iph)+chop;
 		me->free=0;
 	}
 
 	me->data=me->fdata;
-	if ( !offset ) me->data+=ihl;
+	/* FIXME: looks wrong */
+	if ( !offset )
+		me->data+=ihl;
 
 	/* Insert the fragment */
 	me->next=next;
Index: firestorm/decode_plugins/tcpstream.c
diff -u firestorm/decode_plugins/tcpstream.c:1.119 firestorm/decode_plugins/tcpstream.c:1.120
--- firestorm/decode_plugins/tcpstream.c:1.119	Sat Jan 25 15:19:38 2003
+++ firestorm/decode_plugins/tcpstream.c	Fri Apr  4 16:57:59 2003
@@ -1115,6 +1115,7 @@
 	if ( !(tcp_hash=calloc(tcp_hashsz,
 		sizeof(*tcp_hash))) ) {
 		free(all_sessions);
+		all_sessions=NULL;
 		goto oom;
 	}

Attachment: signature.asc
Description: This is a digitally signed message part

References:
- firestorm: new pb frag ...
  - From: rmkml
- Re: firestorm: new pb frag ...
  - From: Gianni Tedesco

Prev by Date: Re: firestorm: new pb frag ...
Next by Date: elog support for ethereal 0.9.11
Previous by thread: Re: firestorm: new pb frag ...
Next by thread: elog support for ethereal 0.9.11
Index(es):
- Date
- Thread