Exploit code is here:
http://www.k-otik.com/exploits/20041222.angelDust.c.php
Lurking in #snort and #snort-gui on irc.freenode.net, I learned the following about this vulnerability by listening to Marty. I hope he doesn't mind being quoted in the hopes of getting this information out to reassure the community:
roesch: it's a bug that gets manifested by the packet printers in log.c
roesch: if you use the -v switch when you run snort you can have a problem, if you're not running the tcp protocol printer in log.c (i.e. using the -v switch or logging in default ascii logging mode) then you're not affected
roesch: so if you're running snort as an IDS (which most people are) then you're fine
roesch: the problem is that we increment the opt_count too early in DecodeTCPOptions
roesch: it crashes when the null ptr is dereferenced in PrintTcpOptions
roesch: a null ptr deref is where we try to look at memory at address 0 on the computer and it tells us to pi$$ off
roesch: basically
roesch: the problem is on line 3035 of decode.c
roesch: the crash comes on line 1556 of log.c for angeldust
roesch: doesn't seem to be any way to whack tcp_options[].data pointer
roesch: so I don't think it's remotely exploitable
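A constructed illustration of the bug pattern Marty describes, added here and not Snort's code or the exploit linked above: a simplified option decoder that bumps its count before it has validated and filled the slot, so bailing out on a malformed option leaves a counted entry whose data pointer is NULL for the printer to dereference. The function names (decode_opts, print_opts, run_sample) and the sample bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_OPTS 8
typedef struct { uint8_t code; uint8_t len; const uint8_t *data; } TcpOpt;

/* Constructed, simplified TCP option decoder (not Snort's DecodeTCPOptions).
 * With count_first != 0 it mimics the bug described above: the count is
 * incremented before the entry is validated and filled, so stopping on a
 * malformed option leaves a counted slot with a NULL data pointer. */
static int decode_opts(const uint8_t *buf, size_t len, TcpOpt *opts, int count_first) {
    int n = 0;
    size_t i = 0;
    memset(opts, 0, sizeof(TcpOpt) * MAX_OPTS);   /* unfilled slots have data == NULL */
    while (i < len && n < MAX_OPTS) {
        uint8_t code = buf[i];
        if (code == 0) break;                     /* EOL: end of options */
        if (code == 1) { i++; continue; }         /* NOP: one byte, no data */
        if (count_first) n++;                     /* buggy ordering: counted before checked */
        if (i + 1 >= len || buf[i + 1] < 2 || i + buf[i + 1] > len)
            break;                                /* truncated or bogus length: stop */
        TcpOpt *o = &opts[count_first ? n - 1 : n];
        o->code = code;
        o->len = buf[i + 1];
        o->data = buf + i + 2;
        if (!count_first) n++;                    /* correct ordering: count once filled */
        i += o->len;
    }
    return n;
}

/* Stand-in for the packet printer: walks the counted options and sums the data
 * bytes it would print. Returns -1 instead of dereferencing a NULL data
 * pointer, which is the spot where the real printer crashes. */
static int print_opts(const TcpOpt *opts, int n) {
    int bytes = 0;
    for (int k = 0; k < n; k++) {
        if (opts[k].data == NULL) return -1;      /* would be the NULL deref */
        bytes += opts[k].len - 2;
    }
    return bytes;
}

/* Constructed sample: a valid MSS option (kind 2, len 4, value 1460) followed by
 * a window-scale option (kind 3) whose declared length 3 runs past the buffer.
 * Returns the printer's result for the chosen count ordering. */
static int run_sample(int count_first) {
    static const uint8_t sample[] = { 2, 4, 0x05, 0xb4, 3, 3 };
    TcpOpt opts[MAX_OPTS];
    int n = decode_opts(sample, sizeof sample, opts, count_first);
    return print_opts(opts, n);
}
```

With the correct ordering the printer sees one option and reports its 2 data bytes; with the early increment it sees two, and the second slot is the NULL pointer the printer would dereference.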