Subject: Re: [snort] Purified snort
From: Martin Roesch (roeschhiverworld.com)
Date: Tue Mar 07 2000 - 11:15:58 CST


Erich Meier wrote:
>
> Hi!
>
> I took the initiative and built a purified version of snort and ran it. For
> those who don't know "purify", it is a tool for finding uninitialized memory
> reads/writes, dangling pointer accesses, memory leaks and the like (see
> http://www.rational.com/products/purify_unix/index.jtmpl).

Thanks for the purify run!

> It found only one really small glitch in line 342 of sp_pattern_match.c:
>
> void ParsePattern(char *rule, OptTreeNode *otn)
> {
> ...
> char hex_buf[9];
>
> ...
> if(dummy_idx < dummy_end) {
> tmp_buf[dummy_size] = (u_long) strtol(hex_buf, (char **)NULL, 16);
> ^^
> This "16" looks very suspicious
> to me. I guess, it should read 8.

The 16 is the numeric base for the strtol command to convert based on,
not a length. IOW, I'm telling it that the data in hex_buf is base-16
and to convert it appropriately.

> After stopping snort, purify notified me that the mSplit() function leaks
> memory in lines 126 and 195 of mstring.c. But code inspection tells me that
> this is more or less unavoidable and - more important - very static.

Hmm, I guess I could free those mallocs eventually once the parsers are
done with that data, but since it's static (at initialization time only)
it's really not a big problem.

-- 
Martin Roesch                      <roeschhiverworld.com>
Director of Forensic Systems     http://www.hiverworld.com
Hiverworld, Inc.               Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment
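
Added example, not part of the original message and not Snort's source code: a small C parser showing the point made in the reply, that the third `strtol()` argument is the numeric base while the amount read is bounded by the NUL terminator of the buffer. The function names and the pipe-delimited hex syntax (`|de ad|`) are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: convert exactly two hex digits to one byte.
 * The 16 passed to strtol() is the base (hexadecimal), not a length;
 * the length is fixed by the NUL terminator placed in hex_buf. */
static int hex_pair_to_byte(char hi, char lo, unsigned char *out)
{
    char hex_buf[3] = { hi, lo, '\0' };
    char *end;
    long v;

    /* strtol() alone would accept a sign, leading space or "0x";
     * requiring two hex digits up front rejects those inputs. */
    if (!isxdigit((unsigned char)hi) || !isxdigit((unsigned char)lo))
        return -1;
    v = strtol(hex_buf, &end, 16);
    if (*end != '\0')
        return -1;
    *out = (unsigned char)v;
    return 0;
}

/* Hypothetical parser: plain text is copied verbatim; between '|' marks,
 * bytes are hex pairs separated by optional spaces.
 * Returns the number of bytes written, or -1 on malformed input. */
int parse_pattern(const char *in, unsigned char *out, size_t cap)
{
    size_t n = 0;
    int in_hex = 0;

    while (*in) {
        if (*in == '|') { in_hex = !in_hex; in++; continue; }
        if (in_hex && *in == ' ') { in++; continue; }
        if (n >= cap) return -1;                  /* output buffer full */
        if (!in_hex) { out[n++] = (unsigned char)*in++; continue; }
        if (hex_pair_to_byte(in[0], in[1], &out[n]) != 0)
            return -1;                            /* odd or non-hex digit */
        n++; in += 2;
    }
    return in_hex ? -1 : (int)n;                  /* unterminated hex block */
}

int main(void)
{
    unsigned char buf[16];
    int n = parse_pattern("|de ad|AB", buf, sizeof buf); /* constructed input */
    for (int i = 0; i < n; i++) printf("%02x ", buf[i]);
    printf("\n");
    return 0;
}
```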