Smells bad, this is actually in libnids :
Program received signal SIGSEGV, Segmentation fault.
get_ts (this_tcphdr=0x88b48f6c, ts=0x82b69490) at tcp.c:129
129 switch (options[ind]) {
(gdb) bt
#0 get_ts (this_tcphdr=0x88b48f6c, ts=0x82b69490) at tcp.c:129
#1 0x1c00aaff in add_new_tcp (this_tcphdr=0x88b48f58, this_iphdr=0xe6)
at tcp.c:190
#2 0x1c00b948 in process_tcp (data=0x88b48f44 "E", skblen=248) at tcp.c:617
#3 0x1c009ef3 in gen_ip_frag_proc (data=0xf8 <Address 0xf8 out of bounds>,
len=-2010568800) at libnids.c:291
#4 0x1c009d19 in pcap_hand (par=0x0, hdr=0x88b48f24,
data=0xe6 <Address 0xe6 out of bounds>) at libnids.c:249
#5 0x0b13e141 in pcap_read (p=0x835ad000, cnt=-1,
callback=0x1c009cd0 <pcap_hand>, user=0x0)
at /usr/src/lib/libpcap/pcap-bpf.c:154
#6 0x0b13e8f1 in pcap_loop (p=0x835ad000, cnt=-1,
callback=0x1c009cd0 <pcap_hand>, user=0x0)
at /usr/src/lib/libpcap/pcap.c:76
#7 0x1c00a3ff in nids_run () at libnids.c:509
#8 0x1c005f35 in main (argc=0, argv=0x0) at dsniff.c:172
(gdb) print ind
$1 = 230
linids/tcp.c :
unsigned char * options = (char*)(this_tcphdr + 1);
int ind = 0, ret = 0;
while (ind <= len - sizeof (struct tcphdr) - 10 )
switch (options[ind]) { <=== overflow
