argus-1.8.1 core

David Brumley dbrumley at rtfm.stanford.edu
Thu Sep 28 12:48:20 EDT 2000


Hi,
It looks like the long-jump problem in ra is still around in argus-1.8.1
with Peter's patch.

(gdb) set args -n -r /log1/argus.000927 host 24.228.0.56 or host
131.238.233.63 or host 24.92.253.116 or host 24.68.123.208 or host
24.26.33.132 or host 24.214.28.70 or host 24.131.154.139 or host
24.30.33.244 or host 24.129.115.59 or host 24.166.137.123 or host
24.177.79.11 or host 24.22.155.230 or host 165.121.50.247 or host
24.6.59.50 or host 24.176.112.15 or host 143.246.82.248 or host
24.6.102.180 or host 24.218.208.207
(gdb) r
Starting program: /home/dbrumley/build/argus-1.8.1/bin/./ra -n -r
/log1/argus.000927 host 24.228.0.56 or host 131.238.233.63 or host
24.92.253.116 or host 24.68.123.208 or host 24.26.33.132 or host
24.214.28.70 or host 24.131.154.139 or host 24.30.33.244 or host
24.129.115.59 or host 24.166.137.123 or host 24.177.79.11 or host
24.22.155.230 or host 165.121.50.247 or host 24.6.59.50 or host
24.176.112.15 or host 143.246.82.248 or host 24.6.102.180 or host
24.218.208.207

Program received signal SIGSEGV, Segmentation fault.
0xff1c596c in realfree () from /usr/lib/libc.so.1
(gdb) bt
#0  0xff1c596c in realfree () from /usr/lib/libc.so.1
#1  0xff1c5550 in _malloc_unlocked () from /usr/lib/libc.so.1
#2  0xff1c5314 in malloc () from /usr/lib/libc.so.1
#3  0x2430c in icode_to_fcode (root=0xd07a0, lenp=0xffbef6cc)
    at ./argus_util.c:3506
#4  0x261b0 in policy_compile (p=0xffbef740, program=0xffbef8d0, 
    buf=0xcc218 "host 24.228.0.56 or host 131.238.233.63 or host
24.92.253.116 or host 24.68.123.208 or host 24.26.33.132 or host
24.214.28.70 or host 24.131.154.139 or host 24.30.33.244 or host
24.129.115.59 or host "..., optimize=1, 
    mask=0) at ./gencode.c:297
#5  0x160dc in main (argc=57, argv=0xffbef95c) at ./argus_parse.c:344
(gdb) frame 3
#3  0x2430c in icode_to_fcode (root=0xd07a0, lenp=0xffbef6cc)
    at ./argus_util.c:3506
3506                fp = (struct bpf_insn *)malloc(blah);
(gdb) inspect blah
$1 = 2896


The reason the variable is called blah is because I was doing a little
testing.  In any case, my best guess is that argus is malloc()'ing too much
memory.

#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security -   dbrumley at Stanford.EDU
Phone: +1-650-723-2445           WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121  PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
Quidquid latine dictum sit, altum viditur.
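Added illustration, not part of the original post and not argus or libpcap code: a toy C emitter that models the "long-jump" issue the report names. BPF conditional jumps carry 8-bit offsets, so once the accept target is more than 255 instructions away an extra unconditional jump must be emitted; a buffer sized by a count taken before those extra instructions are known is overrun, and the corruption typically shows up later inside malloc()/free() rather than at the faulty write. The two-instructions-per-term layout, the opcode values and the 10.0.0.0+i addresses are constructed assumptions.

```c
/* Toy BPF-style emitter for an OR-chain of host tests (hypothetical, not
 * argus or libpcap code).  BPF conditional jumps hold 8-bit offsets, so a
 * compare over 255 instructions from accept needs an extra JA ("long jump").
 * A buffer sized without those extra instructions is overrun while emitting;
 * the damage typically surfaces later inside malloc()/free(). */
#include <stdint.h>
#include <stdlib.h>
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LD = 0x20, JEQ = 0x15, JA = 0x05, RET = 0x06 };
#define INSNS_PER_TERM 2   /* one load + one compare per host term (assumed) */

/* Undercount: assumes every compare reaches accept with an 8-bit offset. */
size_t count_naive(size_t terms) { return terms * INSNS_PER_TERM + 2; }

static void put(struct insn *b, size_t cap, size_t pc, struct insn in)
{ if (pc < cap) b[pc] = in; }   /* the bounds check an unchecked store lacks */

/* Emits the chain (constructed addresses 10.0.0.0+i) and returns the count
 * actually needed; the chain ends with RET 0 (reject) then RET 0xffff. */
size_t emit_chain(size_t terms, struct insn *buf, size_t cap)
{
    uint8_t *lj = calloc(terms + 1, 1);
    size_t n = 2, to_accept = 1, pc = 0;   /* to_accept: last compare -> accept */
    for (size_t i = terms; i-- > 0; ) {    /* pass 1, back to front */
        lj[i] = to_accept > 255;           /* this compare needs a long jump */
        to_accept += INSNS_PER_TERM + lj[i];
        n += INSNS_PER_TERM + lj[i];
    }
    for (size_t i = 0; i < terms; i++) {   /* pass 2, front to back */
        put(buf, cap, pc++, (struct insn){LD, 0, 0, 12});
        uint8_t jt = lj[i] ? 0 : (uint8_t)(n - pc - 2);   /* offset to accept */
        put(buf, cap, pc++, (struct insn){JEQ, jt, lj[i], 0x0a000000u + (uint32_t)i});
        if (lj[i]) {   /* jt=0 falls into the JA, jf=1 skips it; JA has 32-bit k */
            put(buf, cap, pc, (struct insn){JA, 0, 0, (uint32_t)(n - pc - 2)});
            pc++;
        }
    }
    put(buf, cap, pc++, (struct insn){RET, 0, 0, 0});
    put(buf, cap, pc++, (struct insn){RET, 0, 0, 0xffff});
    free(lj);
    return pc;   /* equals n; exceeds count_naive() once long jumps appear */
}

/* 1 if a correctly sized buffer carries a valid long jump at term 0. */
int first_term_long_jump_ok(size_t terms)
{
    size_t n = emit_chain(terms, NULL, 0);
    struct insn *b = malloc(n * sizeof *b);
    int ok = emit_chain(terms, b, n) == n && b[1].jt == 0 && b[1].jf == 1
          && b[2].code == JA && b[2].k + 3 == n - 1;
    free(b);
    return ok;
}
```

Sizing the buffer with count_naive() and emitting without the bounds check in put() is the pattern that writes past the allocation; calling emit_chain() once with a NULL buffer to learn the real count, then allocating, is the fix.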