segv in argus with latest pf_ring enabled libpcap

Will Metcalf william.metcalf at gmail.com
Mon Jul 7 16:03:14 EDT 2008


Yep, same thing reading from the tcpdump-captured pcap... segv's in the
same function...

Regards,

Will


gdb ./argus core.25847
GNU gdb Red Hat Linux (6.5-37.el5_2.2rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host
libthread_db library "/lib/libthread_db.so.1".


warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libpfring.so...done.
Loaded symbols for /usr/lib/libpfring.so
Reading symbols from /lib/libpthread.so.0...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libpcap.so.0.9.7...done.
Loaded symbols for /usr/lib/libpcap.so.0.9.7
Reading symbols from /usr/lib/libwrap.so.0...done.
Loaded symbols for /usr/lib/libwrap.so.0
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Core was generated by `argus -r blah.dump -w test.ra'.
Program terminated with signal 11, Segmentation fault.
#0  0x08054e41 in ArgusCreateIPv4Flow (model=0x9488008, ip=0x0) at
ArgusModeler.c:3627
3627       unsigned char *nxtHdr = (unsigned char *)((char *)ip +
(ip->ip_hl << 2));
(gdb) bt full
#0  0x08054e41 in ArgusCreateIPv4Flow (model=0x9488008, ip=0x0) at
ArgusModeler.c:3627
        retn = (void *) 0x9488418
        nxtHdr = (unsigned char *) 0xed <Address 0xed out of bounds>
        sport = 49068
        dport = 4148
        proto = 5 '\005'
        tp_p = 8 '\b'
        len = 155746312
        hlen = 524288
        ArgusOptionLen = 14
#1  0x0804fb37 in ArgusCreateFlow (model=0x9488008, ptr=0x9488952,
length=251) at ArgusModeler.c:1550
        retn = (void *) 0x9488418
        ep = (struct ether_header *) 0x9488952
        keys = 1
        index = 1
        i = 0
#2  0x0804ed6a in ArgusProcessPacket (src=0xb7efd008, p=0x9488952
"������", length=251, tvp=0xbfaccd10, type=-1) at ArgusModeler.c:1257
        model = (struct ArgusModelerStruct *) 0x9488008
        tflow = (struct ArgusSystemFlow *) 0x0
        flow = (struct ArgusFlowStruct *) 0x949f2a0
        nflow = (struct ArgusFlowStruct *) 0x949fd68
        ptr = 0x9488952 "������"
        value = 0
        retn = 0
#3  0x08056d7f in ArgusEtherPacket (user=0xb7efd008 "", h=0xbfaccd8c,
p=0x9488952 "������") at ArgusSource.c:716
        ep = (struct ether_header *) 0x9488952
        ind = 0
        src = (struct ArgusSourceStruct *) 0xb7efd008
        caplen = 96
        length = 251
        tvpbuf = {tv_sec = 1215460610, tv_usec = 882249}
        tvp = (struct timeval *) 0xbfaccd10
        statbuf = {st_dev = 24241980829601792, __pad1 = 34304,
__st_ino = 155747840, st_mode = 3215772888, st_nlink = 4753709, st_uid
= 155747840, st_gid = 0, st_rdev = 395142635508, __pad2 = 52480,
  st_size = 668935529949582490, st_blksize = -1208354286, st_blocks =
412316860512, st_atim = {tv_sec = 155748690, tv_nsec = 5644276},
st_mtim = {tv_sec = 96, tv_nsec = 155747840}, st_ctim = {
    tv_sec = -1079194348, tv_nsec = 4748488}, st_ino = 668935530100590080}
#4  0x003de4d9 in pcap_offline_read () from /usr/lib/libpcap.so.0.9.7
No symbol table info available.
#5  0x0805a2b9 in ArgusGetPackets (src=0xb7efd008) at ArgusSource.c:2212
        ArgusReadMask = {__fds_bits = {0 <repeats 32 times>}}
        ArgusWriteMask = {__fds_bits = {0 <repeats 32 times>}}
        ArgusExceptMask = {__fds_bits = {0 <repeats 32 times>}}
        tmp = 5644276
        i = 0
        width = 0
        noerror = 1
        fd = 1
        found = 1
        up = 0
        notselectable = 0
        fds = {-1, -1, -1, -1, -1}
        wait = {tv_sec = 0, tv_usec = 200000}
#6  0x0804b918 in main (argc=5, argv=0xbfacd5a4) at argus.c:530
        commandlinew = 1
        doconf = 0
        dodebug = 0
        i = 5
        pid = 0
        tmparg = 0xbfacdbfd "test.ra"
        filter = 0x0
        statbuf = {st_dev = 0, __pad1 = 0, __st_ino = 5878496, st_mode
= 2147483648, st_nlink = 3215774996, st_uid = 0, st_gid = 0, st_rdev =
0, __pad2 = 54608, st_size = 577748383503091288,
  st_blksize = 0, st_blocks = 0, st_atim = {tv_sec = -163754450,
tv_nsec = 0}, st_mtim = {tv_sec = 0, tv_nsec = 0}, st_ctim = {tv_sec =
0, tv_nsec = 0}, st_ino = 0}
        op = -1
        commandlinei = 0
        path = "/etc/argus.conf", '\0' <repeats 8176 times>

On Mon, Jul 7, 2008 at 2:46 PM, Peter Van Epp <vanepp at sfu.ca> wrote:
> On Mon, Jul 07, 2008 at 02:41:08PM -0500, Will Metcalf wrote:
>> Unoptimized backtrace...
>>
>>  gdb ./argus core.25572
>> GNU gdb Red Hat Linux (6.5-37.el5_2.2rh)
>> Copyright (C) 2006 Free Software Foundation, Inc.
>> GDB is free software, covered by the GNU General Public License, and you are
>> welcome to change it and/or distribute copies of it under certain conditions.
>> Type "show copying" to see the conditions.
>> There is absolutely no warranty for GDB.  Type "show warranty" for details.
>> This GDB was configured as "i386-redhat-linux-gnu"...Using host
>> libthread_db library "/lib/libthread_db.so.1".
>>
>        A late thought. If tcpdump works, can you do a capture on this same
> link with tcpdump, then feed that through argus and see what happens? If the
> same fault occurs, debugging gets easier (especially if you can release the
> pcap to Carter) as it's reproducible on the same data.
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
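The frame #0 in the trace above shows the fault: ArgusCreateIPv4Flow is entered with ip=0x0 and line 3627 computes `ip + (ip->ip_hl << 2)`, so the read of ip_hl goes through a NULL pointer. The trace also shows caplen=96 against an on-wire length=251, i.e. the capture was truncated by the snaplen. It does not say why ip is NULL for this packet, so the example below is not a diagnosis of the argus bug. It is an added, stand-alone illustration (not argus code; the function, type and status names are invented here) of how a flow-builder's IPv4 header step can be written so that a NULL header pointer, a snaplen-truncated frame, or a bogus ip_hl returns a status instead of faulting. Every read is bounded by caplen, the bytes actually in the buffer, never by the wire length. The sample frame is constructed inline; its TCP ports happen to be the sport/dport values visible in frame #0, but nothing else about it is taken from the crashing pcap.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Standard Ethernet II / IPv4 layouts; struct and enum names are invented
 * for this example and are not argus's definitions. */
#define ETH_HLEN      14
#define ETHERTYPE_IP  0x0800
#define IP_MIN_HLEN   20

enum ip_parse_status {
    IP_OK = 0,
    IP_NULL_FRAME,    /* caller handed us a NULL buffer (the ip=0x0 case) */
    IP_SHORT_ETHER,   /* caplen smaller than the Ethernet header */
    IP_NOT_IPV4,      /* ethertype is not 0x0800 (ARP, VLAN, IPv6, ...) */
    IP_SHORT_IPHDR,   /* snaplen cut the capture inside the fixed 20 bytes */
    IP_BAD_IHL,       /* version != 4, ip_hl < 5, or header longer than ip_len */
    IP_SHORT_OPTIONS  /* ip_hl promises options the capture does not contain */
};

struct ipv4_view {
    const uint8_t *ip;      /* start of the IPv4 header inside the frame */
    size_t         hlen;    /* ip_hl << 2, header length in bytes */
    uint8_t        proto;   /* ip_p */
    const uint8_t *nxthdr;  /* ip + hlen: where the transport header starts */
    size_t         nxtlen;  /* captured bytes available from nxthdr onward */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Bounds-checked counterpart of the unguarded "ip + (ip->ip_hl << 2)".
 * out may be NULL when the caller only wants the verdict. */
enum ip_parse_status parse_ipv4_frame(const uint8_t *frame, size_t caplen,
                                      struct ipv4_view *out)
{
    if (frame == NULL)
        return IP_NULL_FRAME;
    if (caplen < ETH_HLEN)
        return IP_SHORT_ETHER;
    if (be16(frame + 12) != ETHERTYPE_IP)
        return IP_NOT_IPV4;

    const uint8_t *ip = frame + ETH_HLEN;
    size_t avail = caplen - ETH_HLEN;          /* bytes really present, not wire length */
    if (avail < IP_MIN_HLEN)
        return IP_SHORT_IPHDR;

    size_t   hlen   = (size_t)(ip[0] & 0x0f) << 2;   /* same arithmetic as the crash line */
    uint16_t totlen = be16(ip + 2);
    if ((ip[0] >> 4) != 4 || hlen < IP_MIN_HLEN || hlen > totlen)
        return IP_BAD_IHL;
    if (avail < hlen)                           /* options claimed but not captured */
        return IP_SHORT_OPTIONS;

    if (out) {
        out->ip = ip;  out->hlen = hlen;  out->proto = ip[9];
        out->nxthdr = ip + hlen;  out->nxtlen = avail - hlen;
    }
    return IP_OK;
}

/* Constructed sample: Ethernet + IPv4 (ihl=5, proto=6, len=40) + 20-byte TCP header. */
static const uint8_t sample_tcp[ETH_HLEN + 20 + 20] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00, 0x00,0x28, 0x12,0x34, 0x40,0x00, 0x40,0x06, 0x00,0x00,
    192,0,2,1, 192,0,2,2,
    0xbf,0xac, 0x10,0x34, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0
};

/* Exercises the cases the unguarded line cannot survive; returns how many
 * behaved as intended (5 when all do). */
int run_cases(void)
{
    struct ipv4_view v;
    uint8_t bad[sizeof sample_tcp];
    int ok = 0;

    if (parse_ipv4_frame(sample_tcp, sizeof sample_tcp, &v) == IP_OK &&
        v.proto == 6 && v.nxthdr == sample_tcp + 34 && v.nxtlen == 20) ok++;
    if (parse_ipv4_frame(NULL, 96, &v) == IP_NULL_FRAME) ok++;     /* ip=0x0 */
    if (parse_ipv4_frame(sample_tcp, 24, &v) == IP_SHORT_IPHDR) ok++; /* snaplen mid-header */

    memcpy(bad, sample_tcp, sizeof bad);
    bad[14] = 0x48; bad[16] = 0x00; bad[17] = 52;   /* ihl=8 (32 bytes), ip_len=52 */
    if (parse_ipv4_frame(bad, 34, &v) == IP_SHORT_OPTIONS) ok++;  /* only 20 IP bytes captured */
    bad[14] = 0x44;                                  /* ihl=4 -> 16-byte header, impossible */
    if (parse_ipv4_frame(bad, sizeof bad, &v) == IP_BAD_IHL) ok++;
    return ok;
}

int main(void)
{
    printf("%d of 5 guard cases handled\n", run_cases());
    return 0;
}
```

The point for the report above is the order of the checks: the pointer is tested before anything is read through it, and the length used for every bound is caplen (96 in the trace), not the 251-byte wire length that ArgusCreateFlow was handed. Whatever the real reason ip arrives as NULL in argus, a guard of this shape turns the core dump into a dropped or counted packet.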

