[ARGUS] Another Core Dump

Carter Bullard carter at qosient.com
Wed Apr 14 10:42:41 EDT 2004


Hey Eric,
   Hmmmm, segmentation fault, so the assumption is that the
asock pointer is corrupt?  If you're still in the gdb, do this:

(gdb) print *asock

to see what is going on.  It may be that the segmentation fault
is occurring at the line before.  If we can figure out which
area of memory is foobar, then we can fix it pronto.

Carter


-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of eric
Sent: Wednesday, April 14, 2004 1:47 AM
To: Peter Van Epp
Cc: argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] Another Core Dump

On Tue, 2004-04-13 at 21:28:28 -0700, Peter Van Epp proclaimed...

> 	Time for symbols :-). In the argus source directory
>
> touch .devel
> ./configure
> make clean
> make

Ok, I turned on .devel and .debug both....why not :)

> 	That will set the compiler -g flag and give gdb a symbol table. Then
> you can do a where from gdb in the core and it will give you routine names
> and more importantly parameters being passed to the calls (maybe :-)) which
> may tell Carter what's happening during times of crisis. Note the removal of
> optimization with -g may slow argus down somewhat and you may lose packets
> even during normal times. I suspect you may find a port scan or scans is the
> source of the problem. I expect a port scan is going to create new flows at
> a high rate and likely cause the most strain. Does the ra data just before
> the crash show anything interesting (or the same general kinds of
> things before every crash?) that too may give a clue to what's
> going on.

Seems like the same type of data -- just some large ping sweeps,
etc.. Nothing too hostile.

Here's the debug that I've come up with. I'm running argus out of
gdb right now....

Core was generated by `argus'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libwrap.so.3...done.
Reading symbols from /usr/lib/libpcap.so.2...done.
Reading symbols from /usr/lib/libm.so.2...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  ArgusWriteSocket (asock=0x8181000, buf=0x8152598 "\001\004", cnt=88)
    at ./ArgusUtil.c:918
918                 asock->status |= ARGUS_WAS_FUNCTIONAL;
(gdb)
#0  ArgusWriteSocket (asock=0x8181000, buf=0x8152598 "\001\004", cnt=88)
    at ./ArgusUtil.c:918
#1  0x804f632 in ArgusHandleData (asock=0x814f000, buf=0x8152598 "\001\004",
    len=88, client=0x0) at ./ArgusOutput.c:857
#2  0x805272c in ArgusReadSocket (asock=0x814f000,
    ArgusThisHandler=0x804f5d4 <ArgusHandleData>, data=0x0)
    at ./ArgusUtil.c:847
#3  0x804ebe6 in ArgusOutputProcess () at ./ArgusOutput.c:439
#4  0x804e32b in ArgusInitOutput () at ./ArgusOutput.c:132
#5  0x804ad6f in main (argc=1, argv=0xbfbffdd4) at ./argus.c:413

(gdb) bt

#0  ArgusWriteSocket (asock=0x8181000, buf=0x8152598 "\001\004", cnt=88)
    at ./ArgusUtil.c:918
#1  0x804f632 in ArgusHandleData (asock=0x814f000, buf=0x8152598 "\001\004",
    len=88, client=0x0) at ./ArgusOutput.c:857
#2  0x805272c in ArgusReadSocket (asock=0x814f000,
    ArgusThisHandler=0x804f5d4 <ArgusHandleData>, data=0x0)
    at ./ArgusUtil.c:847
#3  0x804ebe6 in ArgusOutputProcess () at ./ArgusOutput.c:439
#4  0x804e32b in ArgusInitOutput () at ./ArgusOutput.c:132
#5  0x804ad6f in main (argc=1, argv=0xbfbffdd4) at ./argus.c:413

(gdb) frame 5
#5  0x804ad6f in main (argc=1, argv=0xbfbffdd4) at ./argus.c:413
413        ArgusInitOutput ();

(gdb) frame 4
#4  0x804e32b in ArgusInitOutput () at ./ArgusOutput.c:132
132           ArgusOutputProcess();

(gdb) frame 3
#3  0x804ebe6 in ArgusOutputProcess () at ./ArgusOutput.c:439
439                    if ((retn = ArgusReadSocket (ArgusInputSocket, ArgusHandleData, NULL)) < 0) {

(gdb) frame 2
#2  0x805272c in ArgusReadSocket (asock=0x814f000,
    ArgusThisHandler=0x804f5d4 <ArgusHandleData>, data=0x0)
    at ./ArgusUtil.c:847
847                 ArgusThisHandler (asock, (unsigned char *) asock->ahdr, len, data);

(gdb) frame 1
#1  0x804f632 in ArgusHandleData (asock=0x814f000, buf=0x8152598 "\001\004",
857                    if ((retn = ArgusWriteSocket (ArgusOutputTask->client[i].sock, buf, len)) < 0) {

(gdb) frame 0
#0  ArgusWriteSocket (asock=0x8181000, buf=0x8152598 "\001\004", cnt=88)
    at ./ArgusUtil.c:918
918                 asock->status |= ARGUS_WAS_FUNCTIONAL;





