RTP/ESP v2 records conversion issue

VIEAU Cédric 172196 cedric.vieau at cea.fr
Thu Aug 17 11:56:16 EDT 2006 

Hey Carter,

I'm having issues using argus-clients-v3.rc25 on Debian/Intel with v2 records.
Records were created with argus-server-2.0.6.fixes.1-10 (debian package).

racount v3 generates the following error:
"ArgusReadStreamSocket (0xb7d43de0) record length is zero"
whereas racount v2 doesn't complain.

Using gdb, I found that for one particular record, argus_util.c::ArgusV2NtoH() corrupts the next record writing beyond the current record length in input->ArgusReadBuffer. As the buffer is corrupted, ArgusReadStreamSocket parse bogus records and eventually find a zero length record.

The faulty record seems to be an ESP flow, with a type 0x01 DSR (ip_p = 50), a type 0x14 DSR (ARGUS_V2_RTP_DSR) and some more data after this DSR that doesn't seem to be valid DSRs! 

Looking further, I found that it happens for several ESP flow. Most of the time ArgusV2NtoH() ignore the data following the ARGUS_V2_RTP_DSR, but sometimes it randomly matches a valid DSR type, and the corresponding 'struct' might be bigger than the remaining record length.

Here is an exemple (entering ArgusV2NtoH()) :
--------------------
(gdb) p/x *(struct ArgusV2FarHeaderStruct *)((char *)argus + 16)       
$322 = {type = 0x1, length = 0x48, status = 0x0}
(gdb) p/x *(struct ArgusV2FarHeaderStruct *)((char *)argus + 16 + 0x48)
$323 = {type = 0x14, length = 0x24, status = 0x1}
(gdb) p/x *(struct ArgusV2FarHeaderStruct *)((char *)argus + 16 + 0x48 + 0x24)
$324 = {type = 0x83, length = 0x30, status = 0x0}  <=== strange DSR type...
(gdb) p/x *(struct ArgusV2FarHeaderStruct *)((char *)argus + 16 + 0x48 + 0x24 + 0x30)
$325 = {type = 0xa5, length = 0xa7, status = 0x4530}
(gdb) p/x *(struct ArgusV2FarHeaderStruct *)((char *)argus + 16 + 0x48 + 0x24 + 0x30 + 0xa7)
$329 = {type = 0x8d, length = 0x44, status = 0x50e1}
--------------------

As a (certainly bad) workaround, I applied the following patch, so the ESP flows stop corrupting the next records.
--------------------
--- argus_util.c.orig   2006-08-17 15:55:45.000000000 +0200
+++ argus_util.c        2006-08-17 15:57:11.000000000 +0200
@@ -12007,6 +12007,10 @@
                break;
             }
 
+            case ARGUS_V2_RTP_DSR: {
+               length = 0;
+               break;
+            }
 
             case ARGUS_V2_AGR_DSR: {
                struct ArgusV2AGRStruct *agr = (struct ArgusV2AGRStruct *) farhdr;
--------------------

I'm really not sure what is wrong here, this is far too deep into argus for me. Carter, I will send you the records file so you may take a look if you find time.

Cedric

More information about the argus mailing list