I'm back! segfault in newest argus

Carter Bullard carter at qosient.com
Fri Sep 7 16:41:10 EDT 2007


Hey Michael,
Long time no see/read/hear!! And with good news as well!!!
So the trick is what kind of packet is causing this problem. We are in
the part of argus where it's formulating a flow key for the type of packet
that it has, and it's coming up with a 0 length flow key, which is not
supposed to happen ([len = length - 1], and you have a hashstruct
length value of -1).

I'll put in a specific test for this, but we'll need to find the packet
that is causing all the ruckus.

Carter



On Sep 7, 2007, at 2:45 PM, Michael Hornung wrote:

> I'm back with new hosts running (or trying to run) argus. The host
> running argus is Intel (dual core Xeon 2.1GHz, 2GB RAM) running 32
> bit RHEL 5 (Linux). Just this morning (9/7) I downloaded the most
> recent argus 3.0.0 and built with .devel.
>
> Carter, let me know if you want me to run some more and make a pcap
> you can examine locally.
>
> After running ~20 minutes or so I get:
>
> (gdb) run
> Starting program: /usr/local/sbin/argus
>   ArgusWarning: argus[25845]: 07 Sep 07 10:28:01.825027 started
>   ArgusWarning: argus[25845]: 07 Sep 07 10:28:01.825139
>   ArgusGetInterfaceStatus: interface eth2 is up
>      ArgusInfo: argus[25845]: 07 Sep 07 10:28:05.245676 connect from XXX
>
> [ ... time passes ... ]
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0805a337 in ArgusCreateFlowKey (model=0x9af7008, flow=0x9af73a8,
>     hstruct=0x9af7310) at ArgusUtil.c:873
> 873           hstruct->hash ^= *ptr++;
>
> (gdb) bt full
> #0  0x0805a337 in ArgusCreateFlowKey (model=0x9af7008, flow=0x9af73a8,
>     hstruct=0x9af7310) at ArgusUtil.c:873
>         ptr = (unsigned int *) 0xaeb0000
>         key = (unsigned int *) 0x9af7318
>         retn = 0
>         i = 5169978
>         len = -1
> #1  0x0804eb94 in ArgusProcessPacket (model=0x9af7008, p=0x9af81ca "",
>     length=90, tvp=0xbfc8db90, type=0) at ArgusModeler.c:1029
>         retn = 0
>         tflow = (struct ArgusSystemFlow *) 0x9af73a8
>         flow = (struct ArgusFlowStruct *) 0x9b01fd8
>         nflow = (struct ArgusFlowStruct *) 0xa5ac888
>         ptr = 0x9af81ca ""
>         value = 0
> #2  0x08056147 in ArgusEtherPacket (user=0xb7e8d008 "", h=0xbfc8db90,
>     p=0x9af81ca "") at ArgusSource.c:683
>         ep = (struct ether_header *) 0x9af81ca
>         ind = 0
>         src = (struct ArgusSourceStruct *) 0xb7e8d008
>         tvp = (struct timeval *) 0xbfc8db90
>         caplen = 90
>         length = 90
>         statbuf = {st_dev = 578105710815534056, __pad1 = 29384,
>   __st_ino = 3217611520, st_mode = 3217611656, st_nlink = 1275960740,
>   st_uid = 3086090240, st_gid = 1935745139, st_rdev = 5480000866624733183,
>   __pad2 = 58336, st_size = -4627207617905117432, st_blksize = 1275861536,
>   st_blocks = -5192083019272100456, st_atim = {tv_sec = 1, tv_nsec = 1},
>   st_mtim = {tv_sec = 0, tv_nsec = 13158026}, st_ctim = {tv_sec = 13152256,
>     tv_nsec = 164972}, st_ino = 57196527433391524}
> #3  0x00c90517 in pcap_open_live () from /usr/lib/libpcap.so.0.9.4
> No symbol table info available.
> #4  0x00c90987 in pcap_dispatch () from /usr/lib/libpcap.so.0.9.4
> No symbol table info available.
> #5  0x080581ad in ArgusGetPackets (src=0xb7e8d008) at ArgusSource.c:1730
>         ArgusReadMask = {__fds_bits = {128, 0 <repeats 31 times>}}
>         ArgusWriteMask = {__fds_bits = {0 <repeats 32 times>}}
>         ArgusExceptMask = {__fds_bits = {0 <repeats 32 times>}}
>         tmp = 1
>         i = 0
>         width = 7
>         noerror = 1
>         fd = 7
>         found = 1
>         up = 1
>         wait = {tv_sec = 0, tv_usec = 20000}
> #6  0x0804b657 in main (argc=1, argv=0xbfc8dfa4) at argus.c:567
>         commandlinew = 0
>         doconf = 0
>         dodebug = 0
>         i = 1
>         pid = 0
>         tmparg = 0x0
>         filter = 0x0
>         statbuf = {st_dev = 64768, __pad1 = 0, __st_ino = 36308341,
>   st_mode = 33188, st_nlink = 1, st_uid = 0, st_gid = 0, st_rdev = 0,
>   __pad2 = 0, st_size = 11791, st_blksize = 4096, st_blocks = 32, st_atim = {
>     tv_sec = 1189185984, tv_nsec = 0}, st_mtim = {tv_sec = 1189185984,
>     tv_nsec = 0}, st_ctim = {tv_sec = 1189185984, tv_nsec = 0},
>   st_ino = 36308341}
>         op = -1
>         commandlinei = 0
>         path = "/etc/argus.conf\000argus", '\0' <repeats 8170 times>
>
> -Mike
>
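An added illustration, not Argus source and not written by either poster: a sketch of the kind of length test described in the reply, plus the arithmetic that ties `ptr`, `key` and `i` in frame #0 together. The names `flow_key_hash`, `words_walked`, `on_page_boundary` and `KEY_MAX_WORDS` are hypothetical, and treating the key length as a count of 32-bit words is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KEY_MAX_WORDS 10u  /* assumed upper bound on key size for this sketch */
#define WORD_SIZE     4u   /* sizeof(unsigned int) on the 32-bit host in the trace */

/* XOR-fold a flow key of key_words 32-bit words into *hash.
 * Returns 0 on success and -1 for any unusable length, so a
 * zero-length key is refused before it can turn into len = -1. */
int flow_key_hash(const uint32_t *key, int key_words, uint32_t *hash)
{
    if (key == NULL || hash == NULL)
        return -1;
    if (key_words <= 0 || (unsigned)key_words > KEY_MAX_WORDS)
        return -1;

    uint32_t h = 0;
    for (int i = 0; i < key_words; i++)
        h ^= key[i];            /* indexed read, bounded by key_words */
    *hash = h;
    return 0;
}

/* Number of 32-bit words between the key start and the faulting pointer. */
uint32_t words_walked(uint32_t key_addr, uint32_t fault_addr)
{
    return (fault_addr - key_addr) / WORD_SIZE;
}

/* 1 if addr is the first byte of a 4 KiB page. */
int on_page_boundary(uint32_t addr)
{
    return (addr & 0xFFFu) == 0;
}

int main(void)
{
    /* Addresses copied from frame #0 of the backtrace above. */
    uint32_t key = 0x9af7318u, ptr = 0xaeb0000u;
    uint32_t sample[3] = { 1, 2, 4 };   /* constructed sample key */
    uint32_t h = 0;

    printf("words walked: %u\n", (unsigned)words_walked(key, ptr));
    printf("fault on page boundary: %d\n", on_page_boundary(ptr));
    printf("3-word key: rc=%d hash=%u\n", flow_key_hash(sample, 3, &h), (unsigned)h);
    printf("0-word key: rc=%d\n", flow_key_hash(sample, 0, &h));
    return 0;
}
```

The distance from `key` to `ptr` equals the `i` value gdb reports, and `ptr` sits on a page boundary, which is consistent with the XOR loop reading past the key until it reached the first unmapped page.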


