argus-3.0.0 segfault (5/23 version)

[Michael Hornung]

Are you expecting argus to reproduce the segfault by replaying it through 
argus by setting ARGUS_PACKET_CAPTURE_FILE in argus.conf?  I tried that 
(leaving the rest of the config the same) and the segfault does not happen 
again.  If the pcap will still be helpful to you, let me know and I'll put 
up the copy wiht sanitized IPs.

-Mike

On Thu, 24 May 2007 at 23:22, carter at qosient.com wrote:

|Hey Micheal,
|If you can share that would be ideal!!!
|You can use the argus write pcap file function that is turned on from the argus.conf file to try to get the packet file size down.  It causes argus to write out the paxkets it receives, and so it will stop on the packet that causes the problem!!!
|
|Thanks!!!
|
|Carter
|
|
|Carter Bullard
|QoSient LLC
|150 E. 57th Street Suite 12D
|New York, New York 10022
|+1 212 588-9133 Phone
|+1 212 588-9134 Fax  
|
|-----Original Message-----
|From: Michael Hornung <hornung at cac.washington.edu>
|Date: Thu, 24 May 2007 15:13:15 
|To:argus-info at lists.andrew.cmu.edu
|Subject: [ARGUS] argus-3.0.0 segfault (5/23 version)
|
|I've got argus running on a Fedora Core 6 x86 Linux box.  The argus daemon 
|dies *very* regularly and so needs to be monitored.  I finally got around 
|to capturing a pcap for the duration of an argus session.  Carter, let me 
|know if you want this and I'll get it to you; it is 650MB uncompressed. 
|Following is what I see when running argus in gdb:
|
|(gdb) run
|Starting program: /usr/local/sbin/argus
|argus[29762]: 24 May 07 14:56:36.593821 started
|argus[29762]: 24 May 07 14:56:36.596492 ArgusGetInterfaceStatus: interface 
|eth1 is up
|argus[29762]: 24 May 07 14:56:41.031467 connect from 128.95.135.24
|
|Program received signal SIGSEGV, Segmentation fault.
|0x0805a340 in ArgusCreateFlowKey (model=0x9491008, flow=0x9492290,
|     hstruct=0x9492200) at ArgusUtil.c:785
|785           hstruct->hash ^= *ptr++;
|
|(gdb) bt full
|#0  0x0805a340 in ArgusCreateFlowKey (model=0x9491008, flow=0x9492290,
|     hstruct=0x9492200) at ArgusUtil.c:785
|         ptr = (unsigned int *) 0xe025000
|         key = (unsigned int *) 0x9492208
|         retn = 0
|         i = 19811198
|         len = -1
|#1  0x0804e71f in ArgusProcessPacket (model=0x9491008, p=0x949460a "",
|     length=90, tvp=0xbff0d5b8, type=0) at ArgusModeler.c:988
|         retn = 0
|         tflow = (struct ArgusSystemFlow *) 0x9492290
|         flow = (struct ArgusFlowStruct *) 0x94b9d78
|         nflow = (struct ArgusFlowStruct *) 0xc6ecbc8
|         ptr = 0x949473c "\031"
|         value = 0
|#2  0x08055b61 in ArgusEtherPacket (user=0xb7e4c008 "", h=0xbff0d5b8,
|     p=0x949460a "") at ArgusSource.c:623
|         ep = (struct ether_header *) 0x949460a
|         ind = 0
|         src = (struct ArgusSourceStruct *) 0xb7e4c008
|         tvp = (struct timeval *) 0xbff0d5b8
|         caplen = 90
|         length = 90
|         statbuf = {st_dev = 0,__pad1 = 0,__st_ino = 0, st_mode = 0,
|   st_nlink = 10354372, st_uid = 3086711688, st_gid = 0,
|   st_rdev = 44261669504811007,__pad2 = 18120, st_size = 
|-4615955009626666608,
|   st_blksize = 10255072, st_blocks = -5189414748145497984, st_atim = {
|     tv_sec = 1, tv_nsec = 1}, st_mtim = {tv_sec = 0, tv_nsec = 134516346},
|   st_ctim = {tv_sec = 0, tv_nsec = 134911664}, st_ino = 10354372}
|#3  0x08066088 in pcap_read_linux ()
|No symbol table info available.
|#4  0x08057eeb in ArgusGetPackets (src=0xb7e4c008) at ArgusSource.c:1654
|         ArgusReadMask = {__fds_bits = {128, 0 <repeats 31 times>}}
|         ArgusWriteMask = {__fds_bits = {0 <repeats 32 times>}}
|         ArgusExceptMask = {__fds_bits = {0 <repeats 32 times>}}
|         tmp = 1
|         i = 0
|         width = 7
|         noerror = 1
|         fd = 7
|         found = 1
|         up = 1
|         wait = {tv_sec = 0, tv_usec = 20000}
|#5  0x0804b333 in main (argc=1, argv=0xbff0d984) at argus.c:464
|         commandlinew = 0
|         doconf = 0
|         dodebug = 0
|         i = 1
|         pid = 0
|         tmparg = 0x8049f30 "[\201�214�005"
|         filter = 0x0
|         statbuf = {st_dev = 64768,__pad1 = 0,__st_ino = 2688645,
|   st_mode = 33133, st_nlink = 1, st_uid = 500, st_gid = 500, st_rdev = 0,
|__pad2 = 0, st_size = 11114, st_blksize = 4096, st_blocks = 32, st_atim 
|= {
|     tv_sec = 1180043663, tv_nsec = 0}, st_mtim = {tv_sec = 1180042005,
|     tv_nsec = 0}, st_ctim = {tv_sec = 1180042005, tv_nsec = 0},
|   st_ino = 2688645}
|         host = (struct hostent *) 0x80a94bc
|         commandlinei = 0
|         op = -1
|         path = "/etc/argus.conf\000argus", '\0' <repeats 8170 times>
|
|(gdb) print hstruct->hash
|$1 = 2710700798
|
|So again, let me know if the pcap or anything else will be helpful.
|
|-Mike
|