Hey All,
I have noticed a rare crush in the sniffer Application. I debugged the Core file and reached a situation where the variable
sslBytes takes a negative value. Consequently, the following line in sniffer.c resulted in a crush:
in CheckPreRecord:
...
XMEMCPY(&ssl->buffers.inputBuffer.buffer[length],*sslFrame,*sslBytes)
it's clear why the code crushed here (sslBytes = -2928)
I started digging by looking at the values from the core file, following the entire path of the program, and got to the following line, where the I suspect the problem lies:
in sniffer.c, AdjustSequence(...):
if(reassemblyList){
word32 newEnd = *expected + *sslBytes; //my calculations yielded newEnd = 4472
if(newEnd > reassemblyList->begin){ //reassemblyList->begin = 1461 so this is true
*sslBytes -= newEnd - reassemblyList->begin; //--> this yields sslBytes -= -2928
}
}
why is the last line necessary? I couldn't understand, we already remove overlapping a few lines above...
for your convenience, here are the relevant values extracted from the core file:
packet = 0x7F696F4d28F6
ipInfo->length = 20
tcpInfo->length = 32
tcpInfo->sequence = 27041368
ipInfo->total = 299
length = 299
seqStart=session->srvSeqStart = 4225
expected = session->srvExpected = 1461, but you should use 4389 - see ** below
reassemblyList->begin = 1461
reassemblyList->end = 2868
i think these are all the values you need in order to trace the path of the program and reach teh same conclusion as I did...
**heads up:
in the function AdjustSequence, we modify the expected param by reference using sslBytes, which it helped compute. that means that in the core file we witness a value of $expected which is already influenced by the false calculation of sslBytes. since we add sslBytes (-2928) to expected after the calculation, I added 2928 to the value of $expected in the core file, which resulted in 4389. using this value, i was able to trace the entire program path to and get the value of sslBytes as it was seen in the core file.
if you need any more explanation of what I did in order to reach those conclusions, please let me know...
Dan