segv in argus with latest pf_fring enabled lipcap
Carter Bullard
carter at qosient.com
Tue Jul 8 11:49:10 EDT 2008
Hey Will,
Thanks for the packet trace. I found the problem. I was not updating
the protocol header type properly for IP over LLC packets. You have
some broadcast netbios-dgm running over an LLC control stream. This
is not uncommon, and should have been parsed correctly, (and would be
in some conditions) but the way that it was correcting itself on the
next pass of the packet header parser, just didn't work in your example.
Give this patch a try. Should solve the problem.
==== //depot/argus/argus/argus/ArgusModeler.c#61 - /home/carter/argus/
argus/argus/ArgusModeler.c ====
831a832
> retn = model->ArgusThisNetworkFlowType;
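Review bot: the assignment added at line 832 sets retn only inside the SNAP branch where llc->llcui == LLC_UI, so a SNAP frame with any other control value still leaves retn at whatever it held before this block, as the post-patch listing shows. The crash in the quoted backtrace is ArgusCreateIPv4Flow reading ip->ip_hl with ip=0x0 at ArgusModeler.c:3627, and nothing in this hunk guards that dereference; an early return in that function when ip is NULL would keep any other unexpected encapsulation from faulting the same way. A one-line comment on why retn has to mirror model->ArgusThisNetworkFlowType at this point would also help the next reader.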
so that you end up with this type of code afterwards:
==== //depot/argus/argus/argus/ArgusModeler.c#61 - /home/carter/argus/
argus/argus/ArgusModeler.c ====
826-839
   if ((llc->ssap == LLCSAP_SNAP) && (llc->dsap == LLCSAP_SNAP)) {
      if (llc->llcui == LLC_UI) {
         ((unsigned char *)&ether_type)[0] = ((unsigned char *)&llc->ethertype)[0];
         ((unsigned char *)&ether_type)[1] = ((unsigned char *)&llc->ethertype)[1];
         model->ArgusThisNetworkFlowType = ntohs(ether_type);
         retn = model->ArgusThisNetworkFlowType;
         model->ArgusThisLength -= sizeof(struct llc);
         model->ArgusSnapLength -= sizeof(struct llc);
         model->ArgusThisUpHdr = (ptr + sizeof(struct llc));
      }
   } else {
Send mail to the list if this works for you, and of course if it
doesn't !!!!!
Carter
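The failure mode discussed in this thread (an LLC/SNAP frame whose network type is tracked wrongly, ending in a NULL IP header pointer) can be illustrated with a bounds-checked parser. This is an added example, not Argus code and not part of the original message; struct l3_view, parse_llc_snap, ipv4_header, classify and the sample frames are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>

#define LLCSAP_SNAP  0xaa    /* 802.2 SNAP service access point */
#define LLC_UI       0x03    /* unnumbered information control byte */
#define ETHERTYPE_IP 0x0800
#define LLC_SNAP_LEN 8       /* dsap, ssap, control, 3-byte OUI, 2-byte type */

struct l3_view {             /* hypothetical, not an Argus structure */
    uint16_t type;           /* ethertype, 0 if none was identified */
    const uint8_t *hdr;      /* network header, NULL if none */
    size_t len;              /* captured bytes available at hdr */
};

/* Returns 1 and fills *out only for a complete SNAP/UI header. */
static int parse_llc_snap(const uint8_t *p, size_t caplen, struct l3_view *out)
{
    out->type = 0; out->hdr = NULL; out->len = 0;
    if (p == NULL || caplen < LLC_SNAP_LEN) return 0;
    if (p[0] != LLCSAP_SNAP || p[1] != LLCSAP_SNAP || p[2] != LLC_UI) return 0;
    out->type = (uint16_t)((p[6] << 8) | p[7]);   /* byte-wise, alignment-safe */
    out->hdr = p + LLC_SNAP_LEN;
    out->len = caplen - LLC_SNAP_LEN;
    return 1;
}

/* Returns the IPv4 header only when ip_hl and the whole header are readable. */
static const uint8_t *ipv4_header(const struct l3_view *v)
{
    size_t hlen;
    if (v->hdr == NULL || v->type != ETHERTYPE_IP || v->len < 20) return NULL;
    if ((v->hdr[0] >> 4) != 4) return NULL;
    hlen = (size_t)(v->hdr[0] & 0x0f) << 2;
    return (hlen >= 20 && hlen <= v->len) ? v->hdr : NULL;
}

/* 0: not SNAP/UI, 1: usable IPv4 header, 2: SNAP/UI without a usable IPv4 header */
int classify(const uint8_t *frame, size_t caplen)
{
    struct l3_view v;
    if (!parse_llc_snap(frame, caplen, &v)) return 0;
    return ipv4_header(&v) ? 1 : 2;
}

/* Constructed sample frames, starting at the LLC header. */
const uint8_t snap_ipv4[] = { 0xaa,0xaa,0x03, 0,0,0, 0x08,0x00,
    0x45,0,0,20, 0,0,0,0, 64,17,0,0, 10,0,0,1, 10,0,0,255 };
const uint8_t snap_short_ip[] = { 0xaa,0xaa,0x03, 0,0,0, 0x08,0x00, 0x45,0 };
const uint8_t llc_netbios[] = { 0xf0,0xf0,0x03, 0x2c,0x00,0xff,0xef,0x08 };
const uint8_t llc_cut[] = { 0xaa,0xaa,0x03 };
```

A caller that builds flows only when classify returns 1 never reaches a header-length read on a NULL or truncated IP header.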
On Jul 8, 2008, at 10:56 AM, Will Metcalf wrote:
> Here you go... It is from my local lan so I didn't want to cc the
> list. Thanx again for taking a look at it.
>
> Regards,
>
> Will
>
> On Tue, Jul 8, 2008 at 8:16 AM, Carter Bullard <carter at qosient.com> wrote:
>> Hey Will,
>> Sorry for the delayed response. Can you send me the packet trace that
>> causes the fault? Somewhere along the line, we're parsing encapsulation
>> headers, and argus thinks that it has an IP header to formulate a flow
>> against, but alas the pointer is zero, so we're probably hitting a header
>> that we're not expecting, or the packet isn't long enough for the header
>> we expect.
>>
>> All fixable. If you can put the packets in ftp://qosient.com/incoming that
>> would be great (or email if it's not too big).
>>
>> Carter
>>
>> On Jul 7, 2008, at 4:03 PM, Will Metcalf wrote:
>>
>>> yep same thing reading from the tcpdump captured pcap... segv's in the
>>> same function...
>>>
>>> Regards,
>>>
>>> Will
>>>
>>>
>>> gdb ./argus core.25847
>>> GNU gdb Red Hat Linux (6.5-37.el5_2.2rh)
>>> Copyright (C) 2006 Free Software Foundation, Inc.
>>> GDB is free software, covered by the GNU General Public License,
>>> and you
>>> are
>>> welcome to change it and/or distribute copies of it under certain
>>> conditions.
>>> Type "show copying" to see the conditions.
>>> There is absolutely no warranty for GDB. Type "show warranty" for
>>> details.
>>> This GDB was configured as "i386-redhat-linux-gnu"...Using host
>>> libthread_db library "/lib/libthread_db.so.1".
>>>
>>>
>>> warning: Can't read pathname for load map: Input/output error.
>>> Reading symbols from /usr/lib/libpfring.so...done.
>>> Loaded symbols for /usr/lib/libpfring.so
>>> Reading symbols from /lib/libpthread.so.0...done.
>>> Loaded symbols for /lib/libpthread.so.0
>>> Reading symbols from /usr/lib/libpcap.so.0.9.7...done.
>>> Loaded symbols for /usr/lib/libpcap.so.0.9.7
>>> Reading symbols from /usr/lib/libwrap.so.0...done.
>>> Loaded symbols for /usr/lib/libwrap.so.0
>>> Reading symbols from /lib/libnsl.so.1...done.
>>> Loaded symbols for /lib/libnsl.so.1
>>> Reading symbols from /lib/libm.so.6...done.
>>> Loaded symbols for /lib/libm.so.6
>>> Reading symbols from /lib/libc.so.6...done.
>>> Loaded symbols for /lib/libc.so.6
>>> Reading symbols from /lib/ld-linux.so.2...done.
>>> Loaded symbols for /lib/ld-linux.so.2
>>> Core was generated by `argus -r blah.dump -w test.ra'.
>>> Program terminated with signal 11, Segmentation fault.
>>> #0 0x08054e41 in ArgusCreateIPv4Flow (model=0x9488008, ip=0x0) at
>>> ArgusModeler.c:3627
>>> 3627 unsigned char *nxtHdr = (unsigned char *)((char *)ip +
>>> (ip->ip_hl << 2));
>>> (gdb) bt full
>>> #0 0x08054e41 in ArgusCreateIPv4Flow (model=0x9488008, ip=0x0) at
>>> ArgusModeler.c:3627
>>> retn = (void *) 0x9488418
>>> nxtHdr = (unsigned char *) 0xed <Address 0xed out of bounds>
>>> sport = 49068
>>> dport = 4148
>>> proto = 5 '\005'
>>> tp_p = 8 '\b'
>>> len = 155746312
>>> hlen = 524288
>>> ArgusOptionLen = 14
>>> #1 0x0804fb37 in ArgusCreateFlow (model=0x9488008, ptr=0x9488952,
>>> length=251) at ArgusModeler.c:1550
>>> retn = (void *) 0x9488418
>>> ep = (struct ether_header *) 0x9488952
>>> keys = 1
>>> index = 1
>>> i = 0
>>> #2 0x0804ed6a in ArgusProcessPacket (src=0xb7efd008, p=0x9488952
>>> "������", length=251, tvp=0xbfaccd10, type=-1) at
>>> ArgusModeler.c:1257
>>> model = (struct ArgusModelerStruct *) 0x9488008
>>> tflow = (struct ArgusSystemFlow *) 0x0
>>> flow = (struct ArgusFlowStruct *) 0x949f2a0
>>> nflow = (struct ArgusFlowStruct *) 0x949fd68
>>> ptr = 0x9488952 "������"
>>> value = 0
>>> retn = 0
>>> #3 0x08056d7f in ArgusEtherPacket (user=0xb7efd008 "",
>>> h=0xbfaccd8c,
>>> p=0x9488952 "������") at ArgusSource.c:716
>>> ep = (struct ether_header *) 0x9488952
>>> ind = 0
>>> src = (struct ArgusSourceStruct *) 0xb7efd008
>>> caplen = 96
>>> length = 251
>>> tvpbuf = {tv_sec = 1215460610, tv_usec = 882249}
>>> tvp = (struct timeval *) 0xbfaccd10
>>> statbuf = {st_dev = 24241980829601792, __pad1 = 34304,
>>> __st_ino = 155747840, st_mode = 3215772888, st_nlink = 4753709,
>>> st_uid
>>> = 155747840, st_gid = 0, st_rdev = 395142635508, __pad2 = 52480,
>>> st_size = 668935529949582490, st_blksize = -1208354286, st_blocks =
>>> 412316860512, st_atim = {tv_sec = 155748690, tv_nsec = 5644276},
>>> st_mtim = {tv_sec = 96, tv_nsec = 155747840}, st_ctim = {
>>> tv_sec = -1079194348, tv_nsec = 4748488}, st_ino =
>>> 668935530100590080}
>>> #4 0x003de4d9 in pcap_offline_read () from /usr/lib/libpcap.so.
>>> 0.9.7
>>> No symbol table info available.
>>> #5 0x0805a2b9 in ArgusGetPackets (src=0xb7efd008) at
>>> ArgusSource.c:2212
>>> ArgusReadMask = {__fds_bits = {0 <repeats 32 times>}}
>>> ArgusWriteMask = {__fds_bits = {0 <repeats 32 times>}}
>>> ArgusExceptMask = {__fds_bits = {0 <repeats 32 times>}}
>>> tmp = 5644276
>>> i = 0
>>> width = 0
>>> noerror = 1
>>> fd = 1
>>> found = 1
>>> up = 0
>>> notselectable = 0
>>> fds = {-1, -1, -1, -1, -1}
>>> wait = {tv_sec = 0, tv_usec = 200000}
>>> #6 0x0804b918 in main (argc=5, argv=0xbfacd5a4) at argus.c:530
>>> commandlinew = 1
>>> doconf = 0
>>> ---Type <return> to continue, or q <return> to quit---
>>> dodebug = 0
>>> i = 5
>>> pid = 0
>>> tmparg = 0xbfacdbfd "test.ra"
>>> filter = 0x0
>>> statbuf = {st_dev = 0, __pad1 = 0, __st_ino = 5878496, st_mode
>>> = 2147483648, st_nlink = 3215774996, st_uid = 0, st_gid = 0,
>>> st_rdev =
>>> 0, __pad2 = 54608, st_size = 577748383503091288,
>>> st_blksize = 0, st_blocks = 0, st_atim = {tv_sec = -163754450,
>>> tv_nsec = 0}, st_mtim = {tv_sec = 0, tv_nsec = 0}, st_ctim =
>>> {tv_sec =
>>> 0, tv_nsec = 0}, st_ino = 0}
>>> op = -1
>>> commandlinei = 0
>>> path = "/etc/argus.conf", '\0' <repeats 8176 times>
>>>
>>> On Mon, Jul 7, 2008 at 2:46 PM, Peter Van Epp <vanepp at sfu.ca> wrote:
>>>>
>>>> On Mon, Jul 07, 2008 at 02:41:08PM -0500, Will Metcalf wrote:
>>>>>
>>>>> Unoptimized back trace...
>>>>>
>>>>> gdb ./argus core.25572
>>>>> GNU gdb Red Hat Linux (6.5-37.el5_2.2rh)
>>>>> Copyright (C) 2006 Free Software Foundation, Inc.
>>>>> GDB is free software, covered by the GNU General Public License,
>>>>> and you
>>>>> are
>>>>> welcome to change it and/or distribute copies of it under certain
>>>>> conditions.
>>>>> Type "show copying" to see the conditions.
>>>>> There is absolutely no warranty for GDB. Type "show warranty" for
>>>>> details.
>>>>> This GDB was configured as "i386-redhat-linux-gnu"...Using host
>>>>> libthread_db library "/lib/libthread_db.so.1".
>>>>>
>>>> A late thought. If tcpdump works can you do a capture on this same
>>>> link with tcpdump then feed that through argus and see what happens? If
>>>> the same fault occurs debugging gets easier (especially if you can release
>>>> the pcap to Carter) as it's reproducible on the same data.
>>>>
>>>> Peter Van Epp / Operations and Technical Support
>>>> Simon Fraser University, Burnaby, B.C. Canada
>>>>
>>
>>
> <blah.dump>