segv in argus with latest pf_ring enabled libpcap
Will Metcalf
william.metcalf at gmail.com
Mon Jul 7 13:09:54 EDT 2008
I will have to recompile to get you the unoptimized output. The
machine is CentOS5.2 with a pf_ring enabled kernel, and pf_ring
enabled libpcap. http://www.ntop.org/PF_RING.html I should have
stated earlier that snort, daemonlogger, and ntop all work ok compiled
against this lib :-(....
(gdb) print ip
$1 = (struct ip *) 0x0
(gdb) print *ip
Cannot access memory at address 0x0
(gdb)
On Mon, Jul 7, 2008 at 11:00 AM, Carter Bullard <carter at qosient.com> wrote:
> Hey Will,
> Maybe an alignment problem. What happens when
> you print the ip header in gdb?
>
> (gdb) print ip
> (gdb) print *ip
>
> you may need to remove the -O directive in the ./argus/Makefile
> so that gdb doesn't optimize out the local variables, so we can
> see what argus has done.
>
> So what kind of machine is this?
>
> Carter
>
> On Jul 7, 2008, at 11:07 AM, Will Metcalf wrote:
>
>> I updated to the latest version of pf_ring enabled libpcap, which
>> implements the ability to set a per process bucket len that is based
>> on caplen from libpcap. When compiling Argus against this lib it
>> segv's after logging a couple of flows. Anybody have any ideas?
>> Regards,
>>
>> Will
>>
>>
>>
>> gdb /usr/sbin/argus core.4729
>> GNU gdb Red Hat Linux (6.5-37.el5_2.2rh)
>> Copyright (C) 2006 Free Software Foundation, Inc.
>> GDB is free software, covered by the GNU General Public License, and you
>> are
>> welcome to change it and/or distribute copies of it under certain
>> conditions.
>> Type "show copying" to see the conditions.
>> There is absolutely no warranty for GDB. Type "show warranty" for
>> details.
>> This GDB was configured as "i386-redhat-linux-gnu"...Using host
>> libthread_db library "/lib/libthread_db.so.1".
>>
>>
>> warning: Can't read pathname for load map: Input/output error.
>> Reading symbols from /usr/lib/libpcap.so.0.9.7...done.
>> Loaded symbols for /usr/lib/libpcap.so.0.9.7
>> Reading symbols from /usr/lib/libpfring.so...done.
>> Loaded symbols for /usr/lib/libpfring.so
>> Reading symbols from /lib/libpthread.so.0...done.
>> Loaded symbols for /lib/libpthread.so.0
>> Reading symbols from /usr/lib/libwrap.so.0...done.
>> Loaded symbols for /usr/lib/libwrap.so.0
>> Reading symbols from /lib/libnsl.so.1...done.
>> Loaded symbols for /lib/libnsl.so.1
>> Reading symbols from /lib/libm.so.6...done.
>> Loaded symbols for /lib/libm.so.6
>> Reading symbols from /lib/libc.so.6...done.
>> Loaded symbols for /lib/libc.so.6
>> Reading symbols from /lib/ld-linux.so.2...done.
>> Loaded symbols for /lib/ld-linux.so.2
>> Reading symbols from /lib/libnss_files.so.2...done.
>> Loaded symbols for /lib/libnss_files.so.2
>> Core was generated by `/usr/sbin/argus -d -J -w
>> /var/log/argusoutput.ra -i eth0'.
>> Program terminated with signal 11, Segmentation fault.
>> #0 ArgusCreateIPv4Flow (model=0x8bde008, ip=0x0) at ArgusModeler.c:3627
>> 3627 unsigned char *nxtHdr = (unsigned char *)((char *)ip +
>> (ip->ip_hl << 2));
>> (gdb) bt full
>> #0 ArgusCreateIPv4Flow (model=0x8bde008, ip=0x0) at ArgusModeler.c:3627
>> nxtHdr = <value optimized out>
>> sport = <value optimized out>
>> dport = <value optimized out>
>> proto = <value optimized out>
>> len = <value optimized out>
>> hlen = <value optimized out>
>> ArgusOptionLen = <value optimized out>
>> #1 0x08053273 in ArgusProcessPacket (src=0xb7ea8008, p=0x8bdf2f0
>> "������", length=251, tvp=0xbffd8344, type=-1) at ArgusModeler.c:1257
>> tsbuf = {tv_sec = 1953653108, tv_nsec = -1073904964}
>> tdiff = 4294967392
>> rtdiff = <value optimized out>
>> tvalue = <value optimized out>
>> model = (struct ArgusModelerStruct *) 0x8bde008
>> flow = <value optimized out>
>> nflow = <value optimized out>
>> ptr = 0x8bdf2f0 "������"
>> value = 0
>> retn = <value optimized out>
>> #2 0x080554de in ArgusEtherPacket (user=0xb7ea8008 "", h=0x8bdf2c4,
>> p=0x8bdf2f0 "������") at ArgusSource.c:716
>> caplen = 96
>> length = 251
>> tvpbuf = {tv_sec = 1215442055, tv_usec = 648975}
>> statbuf = {st_dev = 65522, __pad1 = 0, __st_ino = 0, st_mode =
>> 0, st_nlink = 0, st_uid = 469434368, st_gid = 4327000, st_rdev =
>> 18344976773382976, __pad2 = 2064, st_size = 4294967296,
>> st_blksize = 107793408, st_blocks = 4147592, st_atim = {tv_sec = 0,
>> tv_nsec = -1073904808}, st_mtim = {tv_sec = 4003570, tv_nsec =
>> 146665712}, st_ctim = {tv_sec = 1, tv_nsec = 4001120},
>> st_ino = 13834360246576710476}
>> #3 0x08056f38 in ArgusGetPackets (src=0xb7ea8008) at ArgusSource.c:2139
>> pkt_data = (const u_char *) 0x8bdf2f0 "������"
>> pkts = 840
>> cnt = 1
>> header = (struct pcap_pkthdr *) 0x8bdf2c4
>> retn = <value optimized out>
>> ArgusReadMask = {__fds_bits = {0 <repeats 32 times>}}
>> ArgusWriteMask = {__fds_bits = {0 <repeats 32 times>}}
>> ArgusExceptMask = {__fds_bits = {0 <repeats 32 times>}}
>> tmp = <value optimized out>
>> i = 0
>> width = 1
>> noerror = 1
>> fd = <value optimized out>
>> found = 1
>> up = 1
>> notselectable = 0
>> fds = {1, -1, -1, -1, -1}
>> wait = {tv_sec = 0, tv_usec = 0}
>> #4 0x0804c422 in main (argc=7, argv=0xbffd8ab4) at argus.c:530
>> eptr = 0x7 <Address 0x7 out of bounds>
>> ptr = 0xb7f3c708 "�\aB"
>> commandlinew = 1
>> doconf = 0
>> i = 7
>> pid = <value optimized out>
>> tmparg = <value optimized out>
>> filter = <value optimized out>
>> ---Type <return> to continue, or q <return> to quit---
>> statbuf = {st_dev = 64768, __pad1 = 0, __st_ino = 43156691,
>> st_mode = 33188, st_nlink = 1, st_uid = 0, st_gid = 0, st_rdev = 0,
>> __pad2 = 0, st_size = 12807, st_blksize = 4096, st_blocks = 40,
>> st_atim = {tv_sec = 1215441879, tv_nsec = 0}, st_mtim = {tv_sec =
>> 1215122542, tv_nsec = 0}, st_ctim = {tv_sec = 1215122628, tv_nsec =
>> 0}, st_ino = 43156691}
>> op = <value optimized out>
>> commandlinei = 1
>> path = "/etc/argus.conf", '\0' <repeats 8176 times>
>> #5 0x00438dec in __libc_start_main () from /lib/libc.so.6
>> No symbol table info available.
>> #6 0x0804a4b1 in _start ()
>> No symbol table info available.
>> (gdb)
>
>
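
An added example, not part of this thread and not Argus source: frame #0 of the backtrace dereferences ip (0x0) in the expression at ArgusModeler.c:3627, and frame #2 shows caplen = 96 against length = 251. The sketch below is a checked form of that pointer arithmetic that refuses a NULL or truncated header instead of faulting; the helper names (find_ipv4, ipv4_next_header, next_header_offset) and the sample frame are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { ETH_HDR_LEN = 14, IPV4_MIN_HDR = 20, ETHERTYPE_IPV4 = 0x0800 };

/* Locate the IPv4 header in an Ethernet frame. Returns NULL when the
 * captured bytes (caplen, not the wire length) cannot hold one. */
const uint8_t *find_ipv4(const uint8_t *pkt, size_t caplen)
{
    if (pkt == NULL || caplen < ETH_HDR_LEN + IPV4_MIN_HDR)
        return NULL;
    if (((pkt[12] << 8) | pkt[13]) != ETHERTYPE_IPV4)
        return NULL;
    return pkt + ETH_HDR_LEN;
}

/* Checked form of `(char *)ip + (ip->ip_hl << 2)`: `avail` is the number
 * of captured bytes starting at `ip`. */
const uint8_t *ipv4_next_header(const uint8_t *ip, size_t avail)
{
    if (ip == NULL || avail < IPV4_MIN_HDR || (ip[0] >> 4) != 4)
        return NULL;
    size_t hlen = (size_t)(ip[0] & 0x0f) << 2;   /* IHL in 32-bit words */
    if (hlen < IPV4_MIN_HDR || hlen > avail)
        return NULL;
    return ip + hlen;
}

/* Offset of the transport header within the frame, or -1 to drop it. */
long next_header_offset(const uint8_t *pkt, size_t caplen)
{
    const uint8_t *ip = find_ipv4(pkt, caplen);
    const uint8_t *nxt = ipv4_next_header(ip, ip ? caplen - ETH_HDR_LEN : 0);
    return nxt ? (long)(nxt - pkt) : -1;
}

/* Constructed sample: 96 captured bytes, EtherType 0x0800, version 4, IHL 5. */
static const uint8_t sample_frame[96] = { [12] = 0x08, [13] = 0x00, [14] = 0x45 };

int main(void)
{
    printf("full capture: %ld\n", next_header_offset(sample_frame, 96));
    printf("truncated:    %ld\n", next_header_offset(sample_frame, 20));
    printf("no buffer:    %ld\n", next_header_offset(NULL, 96));
    return 0;
}
```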