segv in argus with latest pf_fring enabled lipcap

Carter Bullard carter at qosient.com
Tue Jul 8 09:16:27 EDT 2008 

Hey Will,
Sorry for the delayed response.  Can  you send me the packet trace that
causes the fault?   Somewhere along the line, we're parsing  
encapsulation
headers, and argus thinks that it has an IP header to formulate a flow
against, but alas the pointer is zero, so we're probably hitting a  
header
that we're not expecting, or the packet isn't long enough for the header
we expect.

All fixable.  If you can put the packets in ftp://qosient.com/incoming  
that
would be great (or email if its not too big).

Carter

On Jul 7, 2008, at 4:03 PM, Will Metcalf wrote:

> yep same thing reading from the tcpdump captured pcap... segv's in the
> same function...
>
> Regards,
>
> Will
>
>
> gdb ./argus core.25847
> GNU gdb Red Hat Linux (6.5-37.el5_2.2rh)
> Copyright (C) 2006 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and  
> you are
> welcome to change it and/or distribute copies of it under certain  
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for  
> details.
> This GDB was configured as "i386-redhat-linux-gnu"...Using host
> libthread_db library "/lib/libthread_db.so.1".
>
>
> warning: Can't read pathname for load map: Input/output error.
> Reading symbols from /usr/lib/libpfring.so...done.
> Loaded symbols for /usr/lib/libpfring.so
> Reading symbols from /lib/libpthread.so.0...done.
> Loaded symbols for /lib/libpthread.so.0
> Reading symbols from /usr/lib/libpcap.so.0.9.7...done.
> Loaded symbols for /usr/lib/libpcap.so.0.9.7
> Reading symbols from /usr/lib/libwrap.so.0...done.
> Loaded symbols for /usr/lib/libwrap.so.0
> Reading symbols from /lib/libnsl.so.1...done.
> Loaded symbols for /lib/libnsl.so.1
> Reading symbols from /lib/libm.so.6...done.
> Loaded symbols for /lib/libm.so.6
> Reading symbols from /lib/libc.so.6...done.
> Loaded symbols for /lib/libc.so.6
> Reading symbols from /lib/ld-linux.so.2...done.
> Loaded symbols for /lib/ld-linux.so.2
> Core was generated by `argus -r blah.dump -w test.ra'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x08054e41 in ArgusCreateIPv4Flow (model=0x9488008, ip=0x0) at
> ArgusModeler.c:3627
> 3627       unsigned char *nxtHdr = (unsigned char *)((char *)ip +
> (ip->ip_hl << 2));
> (gdb) bt full
> #0  0x08054e41 in ArgusCreateIPv4Flow (model=0x9488008, ip=0x0) at
> ArgusModeler.c:3627
>        retn = (void *) 0x9488418
>        nxtHdr = (unsigned char *) 0xed <Address 0xed out of bounds>
>        sport = 49068
>        dport = 4148
>        proto = 5 '\005'
>        tp_p = 8 '\b'
>        len = 155746312
>        hlen = 524288
>        ArgusOptionLen = 14
> #1  0x0804fb37 in ArgusCreateFlow (model=0x9488008, ptr=0x9488952,
> length=251) at ArgusModeler.c:1550
>        retn = (void *) 0x9488418
>        ep = (struct ether_header *) 0x9488952
>        keys = 1
>        index = 1
>        i = 0
> #2  0x0804ed6a in ArgusProcessPacket (src=0xb7efd008, p=0x9488952
> "������", length=251, tvp=0xbfaccd10, type=-1) at  
> ArgusModeler.c:1257
>        model = (struct ArgusModelerStruct *) 0x9488008
>        tflow = (struct ArgusSystemFlow *) 0x0
>        flow = (struct ArgusFlowStruct *) 0x949f2a0
>        nflow = (struct ArgusFlowStruct *) 0x949fd68
>        ptr = 0x9488952 "������"
>        value = 0
>        retn = 0
> #3  0x08056d7f in ArgusEtherPacket (user=0xb7efd008 "", h=0xbfaccd8c,
> p=0x9488952 "������") at ArgusSource.c:716
>        ep = (struct ether_header *) 0x9488952
>        ind = 0
>        src = (struct ArgusSourceStruct *) 0xb7efd008
>        caplen = 96
>        length = 251
>        tvpbuf = {tv_sec = 1215460610, tv_usec = 882249}
>        tvp = (struct timeval *) 0xbfaccd10
>        statbuf = {st_dev = 24241980829601792, __pad1 = 34304,
> __st_ino = 155747840, st_mode = 3215772888, st_nlink = 4753709, st_uid
> = 155747840, st_gid = 0, st_rdev = 395142635508, __pad2 = 52480,
>  st_size = 668935529949582490, st_blksize = -1208354286, st_blocks =
> 412316860512, st_atim = {tv_sec = 155748690, tv_nsec = 5644276},
> st_mtim = {tv_sec = 96, tv_nsec = 155747840}, st_ctim = {
>    tv_sec = -1079194348, tv_nsec = 4748488}, st_ino =  
> 668935530100590080}
> #4  0x003de4d9 in pcap_offline_read () from /usr/lib/libpcap.so.0.9.7
> No symbol table info available.
> #5  0x0805a2b9 in ArgusGetPackets (src=0xb7efd008) at ArgusSource.c: 
> 2212
>        ArgusReadMask = {__fds_bits = {0 <repeats 32 times>}}
>        ArgusWriteMask = {__fds_bits = {0 <repeats 32 times>}}
>        ArgusExceptMask = {__fds_bits = {0 <repeats 32 times>}}
>        tmp = 5644276
>        i = 0
>        width = 0
>        noerror = 1
>        fd = 1
>        found = 1
>        up = 0
>        notselectable = 0
>        fds = {-1, -1, -1, -1, -1}
>        wait = {tv_sec = 0, tv_usec = 200000}
> #6  0x0804b918 in main (argc=5, argv=0xbfacd5a4) at argus.c:530
>        commandlinew = 1
>        doconf = 0
> ---Type <return> to continue, or q <return> to quit---
>        dodebug = 0
>        i = 5
>        pid = 0
>        tmparg = 0xbfacdbfd "test.ra"
>        filter = 0x0
>        statbuf = {st_dev = 0, __pad1 = 0, __st_ino = 5878496, st_mode
> = 2147483648, st_nlink = 3215774996, st_uid = 0, st_gid = 0, st_rdev =
> 0, __pad2 = 54608, st_size = 577748383503091288,
>  st_blksize = 0, st_blocks = 0, st_atim = {tv_sec = -163754450,
> tv_nsec = 0}, st_mtim = {tv_sec = 0, tv_nsec = 0}, st_ctim = {tv_sec =
> 0, tv_nsec = 0}, st_ino = 0}
>        op = -1
>        commandlinei = 0
>        path = "/etc/argus.conf", '\0' <repeats 8176 times>
>
> On Mon, Jul 7, 2008 at 2:46 PM, Peter Van Epp <vanepp at sfu.ca> wrote:
>> On Mon, Jul 07, 2008 at 02:41:08PM -0500, Will Metcalf wrote:
>>> Unoptimized back trace...
>>>
>>> gdb ./argus core.25572
>>> GNU gdb Red Hat Linux (6.5-37.el5_2.2rh)
>>> Copyright (C) 2006 Free Software Foundation, Inc.
>>> GDB is free software, covered by the GNU General Public License,  
>>> and you are
>>> welcome to change it and/or distribute copies of it under certain  
>>> conditions.
>>> Type "show copying" to see the conditions.
>>> There is absolutely no warranty for GDB.  Type "show warranty" for  
>>> details.
>>> This GDB was configured as "i386-redhat-linux-gnu"...Using host
>>> libthread_db library "/lib/libthread_db.so.1".
>>>
>>       A late thought. If tcpdump works can you do a capture on this  
>> same
>> link with tcpdump then feed that through argus and see what  
>> happens? If the
>> same fault occurs debugging gets easier (especially if you can  
>> release the
>> pcap to Carter) as its reproducable on the same data.
>>
>> Peter Van Epp / Operations and Technical Support
>> Simon Fraser University, Burnaby, B.C. Canada
>>

More information about the argus mailing list