What we are looking at are two simple types of buffer overflows.
sf_optimize.c
Line 2056 -> edges allocated.
Line 2098 -> edges assignment
With a buffer size of 0 bytes and a write length of 160542648 bytes, edges.$offset is 0 and i is 20067830, so the write lands outside the bounds of edges.
sf_optimize.c
Line 2056 -> edges allocated.
Line 2100 -> edges assignment
With a buffer size of 0 bytes and a write length of 160542648 bytes, edges.$offset is 0, n_blocks is 0 and i is 20067830, so the write lands outside the bounds of edges.
Off-by-one
daq_common.h: Line 194, Verdicts is declared.
daq_dump.c: Line 164, assignment to impl via stats.verdicts
Here the buffer size is 48 bytes and the write length will be 56 bytes. We end up with verdicts of 6, which writes one location past the bounds of verdicts.
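The arithmetic behind both findings, as an added example (not code from Snort, DAQ or the original report). The 8-byte element size is inferred from the reported numbers, since (20067830 + 1) * 8 = 160542648 and (6 + 1) * 8 = 56; `write_length`, `write_fits`, `count_verdict` and `demo_verdicts` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes that must exist in a buffer for a write to element `index` to be
 * legal: (index + 1) * elem_size. Returns 0 if that product would overflow. */
size_t write_length(size_t index, size_t elem_size)
{
    if (elem_size == 0 || index >= SIZE_MAX / elem_size)
        return 0;
    return (index + 1) * elem_size;
}

/* 1 if writing element `index` stays inside a buffer of `buf_bytes` bytes. */
int write_fits(size_t buf_bytes, size_t index, size_t elem_size)
{
    size_t need = write_length(index, elem_size);
    return need != 0 && need <= buf_bytes;
}

/* Hypothetical guarded counter update: rejects an index equal to the
 * element count (the off-by-one case) instead of writing past the array. */
int count_verdict(uint64_t *counters, size_t n_counters, size_t verdict)
{
    if (counters == NULL || verdict >= n_counters)
        return -1;
    counters[verdict]++;
    return 0;
}

/* Constructed stand-in for the 48-byte counter array in the report. */
uint64_t demo_verdicts[6];

int main(void)
{
    /* Values from the report: zero-byte buffer, i = 20067830. */
    printf("edges: need %zu bytes, have 0, fits=%d\n",
           write_length(20067830u, 8), write_fits(0, 20067830u, 8));
    /* Values from the report: 48-byte buffer, index 6. */
    printf("verdicts: need %zu bytes, have %zu, fits=%d\n",
           write_length(6, 8), sizeof demo_verdicts,
           write_fits(sizeof demo_verdicts, 6, 8));
    printf("count_verdict(6) -> %d\n", count_verdict(demo_verdicts, 6, 6));
    printf("count_verdict(5) -> %d\n", count_verdict(demo_verdicts, 6, 5));
    return 0;
}
```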
----------
DAQ version:
The latest stable version available on snort.com/snort-downloads (http://www.snort.org/downloads/2311), version 2.0.0.