various 'ra' problems

[MN]

We're seeing three Argus 'ra' problems.  Details below - apologies there
are not more, but we're in crisis mode...

The argus files that 'ra' is reading in each of these reports were
produced by the the ** rc25 ** version of argus, so if there was a
bug fix since then, these reports can be ignored.  The collectors
are on Intel machines running Linux, the machine that ra is running
on is a Power5+ system running RHEL4


#1 - 'ra' sometimes segfaults on some icmp records.  

The problem appears to be that some records are written
with icmp->icmp_type or icmpflow->type equal to 46, which causes
the strncpy on line 10745 below to fail as it is a null pointer.

possible fix:
10744      if (ra_icmp_type < (unsigned char) (ICMP_MAXTYPE + 1))
should become
10744      if (ra_icmp_type < (unsigned char) (ICMP_MAXTYPE))

but probably the reason for an type code of 46 should be determined.


[argus_util.c]:
10716   char *
10717   ArgusGetICMPStatus (struct ArgusParserStruct *parser, struct ArgusRecordStruct\ *argus)
10718   {
10719      struct ArgusICMPFlow *icmpFlow = &argus->canon.flow.icmp_flow;
(gdb)
10720      struct ArgusIcmpStruct *icmp = (struct ArgusIcmpStruct *)argus->dsrs[ARGUS_\ICMP_INDEX];
10721      char ArgusResponseString[32];
10722      char icmptype[32];
10723
10724      unsigned char ra_icmp_type = 0, ra_icmp_code = 0;
10725      unsigned short ra_icmp_data = 0;
10726      unsigned int  ra_src_addr = 0, ra_dst_addr = 0, ra_gw_addr = 0;
10727
10728      bzero (ArgusResponseString, 32);
10729      bzero (icmptype, 32);
10730
10731      if (icmp) {
10732         ra_src_addr  = icmp->isrcaddr;
10733         ra_dst_addr  = icmp->idstaddr;
10734         ra_gw_addr   = icmp->igwaddr;
10735         ra_icmp_type = icmp->icmp_type;
10736         ra_icmp_code = icmp->icmp_code;
10737      } else {
10738         ra_icmp_type = icmpFlow->type;
10739         ra_icmp_code = icmpFlow->code;
10740      }
10741
10742      ra_icmp_data = icmpFlow->id;
10743
10744      if (ra_icmp_type < (unsigned char) (ICMP_MAXTYPE + 1))
10745         strncpy (icmptype, icmptypestr[ra_icmp_type], 32);
10746      else
10747         strncpy (icmptype, "UNK", 3);
10748


Looking at variables:
(gdb) print icmptype
$1 = '\0' <repeats 31 times>
(gdb) print &icmptype
$2 = (char (*)[32]) 0xfffee0b0
(gdb) print ra_icmp_type
$3 = 46 '.'
(gdb) print icmptypestr[ra_icmp_type]
$4 = 0x0
(gdb) print icmptypestr
$5 = {0x100699c0 "ECR", 0x100699c4 "   ", 0x100699c4 "   ", 0x100699c8 "UR",
  0x100699cc "SRC", 0x100699d0 "RED", 0x100699d4 "AHA", 0x100699c4 "   ",
  0x100699d8 "ECO", 0x100699dc "RTA", 0x100699e0 "RTS", 0x100699e4 "TXD",
  0x100699e8 "PAR", 0x100699ec "TST", 0x100699f0 "TSR", 0x100699f4 "IRQ",
  0x100699f8 "IRR", 0x100699fc "MAS", 0x10069a00 "MSR", 0x10069a04 "SEC",
  0x10069a08 "ROB", 0x10069a08 "ROB", 0x10069a08 "ROB", 0x10069a08 "ROB",
  0x10069a08 "ROB", 0x10069a08 "ROB", 0x10069a08 "ROB", 0x10069a08 "ROB",
  0x10069a08 "ROB", 0x10069a08 "ROB", 0x10069a0c "TRC", 0x10069a10 "DCE",
  0x10069a14 "MHR", 0x10069a18 "WAY", 0x10069a1c "IAH", 0x10069a20 "MRQ",
  0x10069a24 "MRP", 0x10069a28 "DNQ", 0x10069a2c "DNP", 0x10069a30 "SKP",
  0x10069a34 "PHO", 0x10069a38 "NDS", 0x10069a3c "NDA", 0x10069a40 "NDN",
  0x10069a44 "NDR", 0x10069a48 "PTB", 0x0}


So the type code causes and attempt to copy a null string.



#2 - unknown flow types found

When reading a large number of files, pulling some records
	ra -r ManyFiles -w SelectedEntries
I sometimes get the message
	ra[29026]: 06-10-06 11:55:41 ArgusGenerateRecordStruct: unknown flow type: 0

which Carter has indicated may be record corruption.

#3: when reading a large file with ra, it will (on one file) just
hang part way through.


I'm trying to get more details on #2 and #3, and will post them
when possible.  I'm not able to release the files to others.

- mike