A poorly fragmented packet stream that seg faults argus.

Carter Bullard cbullard at nortelnetworks.com
Wed Mar 3 11:32:39 EST 1999


Hey Peter Van,
  So I believe the fixes to ./server/cons_ip.c will handle
your problem.  Tell me ASAP if this isn't true.  There
are two fixes in cons_ip.c, both related to truncated
packets, but your problem was specific to truncated
fragments, so both patches apply.

  The output for your example with these fixes will not be
accurate, (your sample has 101 packets and argus will report
101 packets seen, but only 76 packets mapped to flows).
Actually the missing packets are not related to the TCP
connection, but to the ICMP processing.  That will be
fixed in the 1.8 timeframe.

Carter


171,173d170
<    
<             default:
<                obj = (struct IP_OBJECT *)cons_ip (ep, len, ip, tvp); break;
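Review bot: with the `default:` arm removed, the switch no longer assigns `obj` for an unrecognized protocol, so correctness now depends on `obj` being NULL before the switch is entered; the hunk does not show that initializer. If the declaration is `struct IP_OBJECT *obj;` with no initial value, make it `struct IP_OBJECT *obj = NULL;` so the fallback test that replaces this arm sees a defined value rather than stack garbage.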
174a172,183
> 
> /*
>    Adjusted code to handle condition where cons_xxx may return null,
>    principally due to protocol error (lengths not long enough, format
>    bad, etc...)  We would normall call cons_ip() as the default
>    protocol, and so, we moved this call out of the switch, and we'll
>    call if if we don't have an object at this point.
> */
> 
>          if (!(obj))
>             obj = (struct IP_OBJECT *)cons_ip (ep, len, ip, tvp);
> 
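Review bot: the fallback `if (!(obj)) obj = cons_ip(...)` covers a NULL from the protocol-specific cons_xxx() routines, but cons_ip() can return NULL for the same truncated-length reasons, so `obj` may still be NULL after this block and every later dereference between here and the guard added at line 179 needs the same test. Also fix the explanatory comment: "normall" should read "normally" and "call if if" should read "call it if".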
179c188,189
<                obj->ip_cb.status |= FRAGMENTS;
---
>                if (obj)                                       /* Added <dbrumley at goju.Stanford.EDU>  11/9/98 wcb */
>                   obj->ip_cb.status |= FRAGMENTS;
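Review bot: the `if (obj)` guard stops the segfault, but a packet whose object could not be built is now skipped with no trace, which is the silent discard the original report asked about; consider bumping a counter or emitting a debug record at this point so an operator can distinguish a truncated fragment from a packet that was simply not mapped to a flow.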

-----Original Message-----
From: Peter Van Epp [mailto:vanepp at sfu.ca]
Sent: Wednesday, March 03, 1999 11:06 AM
To: Carter Bullard
Cc: argus at sei.cmu.edu
Subject: Re: A poorly fragmented packet stream that seg faults argus.


	Well other than needing another 24 hours in the day to play with 
argus things are going well :-). I have a couple of P2 450 mhz server class 
machines (one currently being my production argus host and the other for 
testing with a pair of Fore ATM cards in it that we want to attach to Argus)
but work keeps getting in the way of progress. My Internet link is a 30 meg
PVC in the intercampus OC3, and I'm currently stuck with the 100baseT link
after our border router. I have optical splitters in the OC3 link out, and
if I can get the FreeBSD HARP code to talk to libpcap, I expect to be able
to get argus on the PVC and thus see the attacks the border router is blocking.
	Is the patch available? I took another crash last night (I haven't 
checked yet, but I expect the same person from our dial up modem pool).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> 
> Hey Peter,
>    I have fixed the bug that was causing problems.
> It really is just a missing pointer value test
> and it will be in the 1.8 code when it comes out.
> I don't have the code with me, as I'm on the
> road, but I'll send you the patch tomorrow.
> 
> Hope all is well,
> 
> Carter
> 
> -----Original Message-----
> From: Peter Van Epp [mailto:vanepp at sfu.ca]
> Sent: Thursday, February 25, 1999 10:31 AM
> To: Carter Bullard
> Subject: Re: A poorly fragmented packet stream that seg faults argus.
> 
> 
> 	It's set execute only, so you may have to cd to pub/newbridge-vivid 
> and do a get on tcpdump.log, the directory is usually for core dumps for 
> Newbridge which we don't want publicly readable.
> 
> Peter Van Epp / Operations and Technical Support 
> Simon Fraser University, Burnaby, B.C. Canada
> 
> 
> > 
> > Hey Peter,
> >     I didn't find the file in your ftp reference.
> > Carter
> > 
> > 
> > -----Original Message-----
> > From: Peter Van Epp [mailto:vanepp at sfu.ca]
> > Sent: Wednesday, February 24, 1999 7:08 PM
> > To: argus at sei.cmu.edu
> > Subject: A poorly fragmented packet stream that seg faults argus.
> > 
> > 
> > 	I have managed to extract the 8K stream (out of a 5 gig tcpdump file) 
> > that causes a seg fault in fragment processing in argus-1.7.beta.1e on a 
> > FreeBSD 3.1 box. I have put the extracted 8K tcpdump file up for anon ftp on 
> > ftp.sfu.ca in /pub/newbridge-vivid/tcpdump.log if you are interested in
> > having a look. I expect the fix is simple enough, check for a null pointer 
> > before storing, but I'm not sure how you would report (or if you should report)
> > the corrupted packet. Obviously a silent discard would be one way to fix things
> > and probably what I'll do for now to keep from going thump in the night.
> > 	I have seen 3 or 4 dumps from this same user on one of our terminal
> > server ports. I expect they are all from the same site (or the stack on his or
> > her machine is faulty), but I only have the one tcp dump (but feeding the 
> > file to argus_bpf causes the seg fault!).
> > 
> > Peter Van Epp / Operations and Technical Support 
> > Simon Fraser University, Burnaby, B.C. Canada
> > 
> 



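The defect discussed in this thread is a missing pointer test after a constructor that returns NULL on a truncated fragment. The following is an added illustration, not argus code: `cons_ip_checked`, `process_packet`, `struct ip_object` and the counters are hypothetical stand-ins for argus's cons_ip() and struct IP_OBJECT, and the sample packets are constructed inline. It shows the length validation that produces the NULL, the caller-side test, and a counted rather than silent discard.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FRAGMENTS 0x01   /* hypothetical status bit, mirrors the flag set in the patch */

/* Hypothetical flow object; not argus's struct IP_OBJECT. */
struct ip_object {
    unsigned status;
    uint16_t frag_off;      /* fragment offset, 8-byte units */
    int more_fragments;     /* MF bit */
};

/* Counters so a dropped packet leaves a trace instead of vanishing silently. */
unsigned long truncated_packets = 0;
unsigned long mapped_packets = 0;

/* Parse an IPv4 header from a capture of caplen bytes.
 * Returns NULL when the capture is too short, as cons_ip() may on a truncated fragment. */
struct ip_object *cons_ip_checked(const uint8_t *pkt, size_t caplen, struct ip_object *out)
{
    if (caplen < 20) return NULL;                         /* minimum IPv4 header */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if ((pkt[0] >> 4) != 4 || ihl < 20 || caplen < ihl) return NULL;
    uint16_t flags_off = (uint16_t)((pkt[6] << 8) | pkt[7]);
    memset(out, 0, sizeof *out);
    out->frag_off = flags_off & 0x1fff;
    out->more_fragments = (flags_off & 0x2000) != 0;
    return out;
}

/* The caller-side test that was missing: never touch obj->status without checking obj. */
int process_packet(const uint8_t *pkt, size_t caplen, struct ip_object *storage)
{
    struct ip_object *obj = cons_ip_checked(pkt, caplen, storage);
    if (!obj) { truncated_packets++; return 0; }          /* counted discard, not a crash */
    if (obj->frag_off != 0 || obj->more_fragments)
        obj->status |= FRAGMENTS;
    mapped_packets++;
    return 1;
}

/* Constructed sample: a 20-byte IPv4 header with MF set (first fragment of a UDP datagram).
 * With truncate != 0 only the first 12 bytes are treated as captured.
 * Returns the resulting status, or -1 when the packet was discarded. */
int demo(int truncate)
{
    static const uint8_t hdr[20] = { 0x45, 0x00, 0x00, 0x3c, 0x1c, 0x46, 0x20, 0x00, 0x40, 0x11,
                                     0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2 };
    struct ip_object o;
    return process_packet(hdr, truncate ? 12 : sizeof hdr, &o) ? (int)o.status : -1;
}
```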