segv in argus with latest pf_ring enabled libpcap

Carter Bullard carter at qosient.com
Mon Jul 7 12:00:48 EDT 2008


Hey Will,
Maybe an alignment problem. What happens when
you print the ip header in gdb?

(gdb) print ip
(gdb) print *ip

You may need to remove the -O directive in the ./argus/Makefile
so that gdb doesn't optimize out the local variables, so we can
see what argus has done.

So what kind of machine is this?

Carter

On Jul 7, 2008, at 11:07 AM, Will Metcalf wrote:

> I updated to the latest version of pf_ring enabled libpcap, which
> implements the ability to set a per process bucket len that is based
> on caplen from libpcap.  When compiling Argus against this lib it
> segv's after logging a couple of flows. Anybody have any ideas?
> Regards,
>
> Will
>
>
>
> gdb /usr/sbin/argus core.4729
> GNU gdb Red Hat Linux (6.5-37.el5_2.2rh)
> Copyright (C) 2006 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1".
>
>
> warning: Can't read pathname for load map: Input/output error.
> Reading symbols from /usr/lib/libpcap.so.0.9.7...done.
> Loaded symbols for /usr/lib/libpcap.so.0.9.7
> Reading symbols from /usr/lib/libpfring.so...done.
> Loaded symbols for /usr/lib/libpfring.so
> Reading symbols from /lib/libpthread.so.0...done.
> Loaded symbols for /lib/libpthread.so.0
> Reading symbols from /usr/lib/libwrap.so.0...done.
> Loaded symbols for /usr/lib/libwrap.so.0
> Reading symbols from /lib/libnsl.so.1...done.
> Loaded symbols for /lib/libnsl.so.1
> Reading symbols from /lib/libm.so.6...done.
> Loaded symbols for /lib/libm.so.6
> Reading symbols from /lib/libc.so.6...done.
> Loaded symbols for /lib/libc.so.6
> Reading symbols from /lib/ld-linux.so.2...done.
> Loaded symbols for /lib/ld-linux.so.2
> Reading symbols from /lib/libnss_files.so.2...done.
> Loaded symbols for /lib/libnss_files.so.2
> Core was generated by `/usr/sbin/argus -d -J -w /var/log/argusoutput.ra -i eth0'.
> Program terminated with signal 11, Segmentation fault.
> #0  ArgusCreateIPv4Flow (model=0x8bde008, ip=0x0) at ArgusModeler.c:3627
> 3627       unsigned char *nxtHdr = (unsigned char *)((char *)ip + (ip->ip_hl << 2));
> (gdb) bt full
> #0  ArgusCreateIPv4Flow (model=0x8bde008, ip=0x0) at ArgusModeler.c:3627
>       nxtHdr = <value optimized out>
>       sport = <value optimized out>
>       dport = <value optimized out>
>       proto = <value optimized out>
>       len = <value optimized out>
>       hlen = <value optimized out>
>       ArgusOptionLen = <value optimized out>
> #1  0x08053273 in ArgusProcessPacket (src=0xb7ea8008, p=0x8bdf2f0 "������", length=251, tvp=0xbffd8344, type=-1) at ArgusModeler.c:1257
>       tsbuf = {tv_sec = 1953653108, tv_nsec = -1073904964}
>       tdiff = 4294967392
>       rtdiff = <value optimized out>
>       tvalue = <value optimized out>
>       model = (struct ArgusModelerStruct *) 0x8bde008
>       flow = <value optimized out>
>       nflow = <value optimized out>
>       ptr = 0x8bdf2f0 "������"
>       value = 0
>       retn = <value optimized out>
> #2  0x080554de in ArgusEtherPacket (user=0xb7ea8008 "", h=0x8bdf2c4, p=0x8bdf2f0 "������") at ArgusSource.c:716
>       caplen = 96
>       length = 251
>       tvpbuf = {tv_sec = 1215442055, tv_usec = 648975}
>       statbuf = {st_dev = 65522, __pad1 = 0, __st_ino = 0, st_mode =
> 0, st_nlink = 0, st_uid = 469434368, st_gid = 4327000, st_rdev =
> 18344976773382976, __pad2 = 2064, st_size = 4294967296,
> st_blksize = 107793408, st_blocks = 4147592, st_atim = {tv_sec = 0,
> tv_nsec = -1073904808}, st_mtim = {tv_sec = 4003570, tv_nsec =
> 146665712}, st_ctim = {tv_sec = 1, tv_nsec = 4001120},
> st_ino = 13834360246576710476}
> #3  0x08056f38 in ArgusGetPackets (src=0xb7ea8008) at ArgusSource.c:2139
>       pkt_data = (const u_char *) 0x8bdf2f0 "������"
>       pkts = 840
>       cnt = 1
>       header = (struct pcap_pkthdr *) 0x8bdf2c4
>       retn = <value optimized out>
>       ArgusReadMask = {__fds_bits = {0 <repeats 32 times>}}
>       ArgusWriteMask = {__fds_bits = {0 <repeats 32 times>}}
>       ArgusExceptMask = {__fds_bits = {0 <repeats 32 times>}}
>       tmp = <value optimized out>
>       i = 0
>       width = 1
>       noerror = 1
>       fd = <value optimized out>
>       found = 1
>       up = 1
>       notselectable = 0
>       fds = {1, -1, -1, -1, -1}
>       wait = {tv_sec = 0, tv_usec = 0}
> #4  0x0804c422 in main (argc=7, argv=0xbffd8ab4) at argus.c:530
>       eptr = 0x7 <Address 0x7 out of bounds>
>       ptr = 0xb7f3c708 "�\aB"
>       commandlinew = 1
>       doconf = 0
>       i = 7
>       pid = <value optimized out>
>       tmparg = <value optimized out>
>       filter = <value optimized out>
> ---Type <return> to continue, or q <return> to quit---
>       statbuf = {st_dev = 64768, __pad1 = 0, __st_ino = 43156691,
> st_mode = 33188, st_nlink = 1, st_uid = 0, st_gid = 0, st_rdev = 0,
> __pad2 = 0, st_size = 12807, st_blksize = 4096, st_blocks = 40,
> st_atim = {tv_sec = 1215441879, tv_nsec = 0}, st_mtim = {tv_sec =
> 1215122542, tv_nsec = 0}, st_ctim = {tv_sec = 1215122628, tv_nsec =
> 0}, st_ino = 43156691}
>       op = <value optimized out>
>       commandlinei = 1
>       path = "/etc/argus.conf", '\0' <repeats 8176 times>
> #5  0x00438dec in __libc_start_main () from /lib/libc.so.6
> No symbol table info available.
> #6  0x0804a4b1 in _start ()
> No symbol table info available.
> (gdb)
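
The backtrace above shows `ArgusCreateIPv4Flow` entered with `ip=0x0` while frame #2 reports `caplen = 96` and `length = 251`. As an added example (not Argus or pf_ring code, and not from either poster), this is one way to guard the `ip + (ip_hl << 2)` computation against a NULL or truncated header; `locate_ipv4`, `next_header` and `demo_offset` are hypothetical names and the frame is constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN  14u   /* Ethernet II header */
#define IPV4_MIN_HDR 20u   /* IHL = 5 */

/* Hypothetical helper (not an Argus function): find the IPv4 header in a
 * captured Ethernet frame. Returns NULL instead of a bad pointer when the
 * capture is too short or the frame is not IPv4. Byte-wise reads only, so
 * the result does not depend on buffer alignment. */
const uint8_t *locate_ipv4(const uint8_t *pkt, size_t caplen) {
    if (pkt == NULL || caplen < ETH_HDR_LEN + IPV4_MIN_HDR) return NULL;
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return NULL;  /* EtherType 0x0800 */
    if ((pkt[ETH_HDR_LEN] >> 4) != 4) return NULL;        /* IP version */
    return pkt + ETH_HDR_LEN;
}

/* Guarded form of the expression at the crash site: ip + (ip_hl << 2).
 * Bounds are checked against caplen (bytes captured), not the wire length. */
const uint8_t *next_header(const uint8_t *pkt, size_t caplen, size_t *avail) {
    const uint8_t *ip = locate_ipv4(pkt, caplen);
    if (ip == NULL) return NULL;                 /* never dereference ip=0x0 */
    size_t hlen = (size_t)(ip[0] & 0x0f) << 2;
    if (hlen < IPV4_MIN_HDR || ETH_HDR_LEN + hlen > caplen) return NULL;
    *avail = caplen - ETH_HDR_LEN - hlen;        /* bytes left after IP header */
    return ip + hlen;
}

/* Builds a constructed (not captured) frame and returns the next-header
 * offset from the start of the frame, or -1 if the packet is rejected. */
int demo_offset(size_t caplen, uint8_t ihl) {
    static uint8_t frame[128];
    size_t avail = 0;
    if (caplen > sizeof frame) caplen = sizeof frame;
    memset(frame, 0, sizeof frame);
    frame[12] = 0x08; frame[13] = 0x00;
    frame[ETH_HDR_LEN] = (uint8_t)(0x40 | (ihl & 0x0f));
    const uint8_t *nxt = next_header(frame, caplen, &avail);
    return nxt ? (int)(nxt - frame) : -1;
}

int main(void) {
    printf("caplen=96 ihl=5  -> %d\n", demo_offset(96, 5));   /* 34 */
    printf("caplen=20 ihl=5  -> %d\n", demo_offset(20, 5));   /* -1 */
    printf("caplen=40 ihl=15 -> %d\n", demo_offset(40, 15));  /* -1 */
    return 0;
}
```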



