segv in argus with latest pf_ring enabled libpcap

Will Metcalf william.metcalf at gmail.com
Tue Jul 8 15:00:53 EDT 2008


Seems to work!  Thanx again....

Regards,

Will

On Tue, Jul 8, 2008 at 10:49 AM, Carter Bullard <carter at qosient.com> wrote:
> Hey Will,
> Thanks for the packet trace.  I found the problem.  I was not updating
> the protocol header type properly for IP over LLC packets.  You have
> some broadcast netbios-dgm running over an LLC control stream.  This
> is not uncommon, and should have been parsed correctly, (and would be
> in some conditions) but the way that it was correcting itself on the next
> pass of the packet header parser, just didn't work in your example.
>
> Give this patch a try.  Should solve the problem.
>
> ==== //depot/argus/argus/argus/ArgusModeler.c#61 -
> /home/carter/argus/argus/argus/ArgusModeler.c ====
> 831a832
>>                retn = model->ArgusThisNetworkFlowType;
>
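Review bot: the one-line addition `retn = model->ArgusThisNetworkFlowType;` at 831a832 fixes the symptom but carries no comment recording why the return value has to be refreshed at this point (the surrounding mail says the stale value left IP-over-LLC frames reaching ArgusCreateIPv4Flow with ip=0x0); a short comment on that line would keep the intent from being lost on the next refactor, and it is worth confirming that this SNAP branch is the only place where ArgusThisNetworkFlowType is changed without retn following it.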
> so that you end up with this type of code afterwards:
>
> ==== //depot/argus/argus/argus/ArgusModeler.c#61 -
> /home/carter/argus/argus/argus/ArgusModeler.c ====
> 826-839
>         if ((llc->ssap == LLCSAP_SNAP) && (llc->dsap == LLCSAP_SNAP)) {
>            if (llc->llcui == LLC_UI) {
>               ((unsigned char *)&ether_type)[0] = ((unsigned char
> *)&llc->ethertype)[0];
>               ((unsigned char *)&ether_type)[1] = ((unsigned char
> *)&llc->ethertype)[1];
>
>               model->ArgusThisNetworkFlowType = ntohs(ether_type);
>               retn = model->ArgusThisNetworkFlowType;
>
>               model->ArgusThisLength -= sizeof(struct llc);
>               model->ArgusSnapLength -= sizeof(struct llc);
>               model->ArgusThisUpHdr = (ptr + sizeof(struct llc));
>            }
>
>         } else {
>
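Review bot: in the shown 826-839 region, `model->ArgusThisLength -= sizeof(struct llc);` and `model->ArgusSnapLength -= sizeof(struct llc);` run with no visible check that at least sizeof(struct llc) captured bytes remain after ptr. If that check lives earlier in the caller this is fine; otherwise a short snapshot (the backtrace shows caplen=96 against length=251) can leave both lengths wrapped or negative and ArgusThisUpHdr pointing past the captured data, which is the same shape of fault as the original report. Suggest guarding with something like `if (model->ArgusSnapLength < sizeof(struct llc)) return retn;` (or whatever error convention the surrounding code uses) before the subtractions.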
> Send mail to the list if this works for you, and of course if it doesn't
> !!!!!
>
> Carter
>
>
> On Jul 8, 2008, at 10:56 AM, Will Metcalf wrote:
>
>> Here you go... It is from my local lan so I didn't want to cc the
>> list. Thanx again for taking a look at it.
>>
>> Regards,
>>
>> Will
>>
>> On Tue, Jul 8, 2008 at 8:16 AM, Carter Bullard <carter at qosient.com> wrote:
>>>
>>> Hey Will,
>>> Sorry for the delayed response.  Can you send me the packet trace that
>>> causes the fault?   Somewhere along the line, we're parsing encapsulation
>>> headers, and argus thinks that it has an IP header to formulate a flow
>>> against, but alas the pointer is zero, so we're probably hitting a header
>>> that we're not expecting, or the packet isn't long enough for the header
>>> we expect.
>>>
>>> All fixable.  If you can put the packets in ftp://qosient.com/incoming that
>>> would be great (or email if it's not too big).
>>>
>>> Carter
>>>
>>> On Jul 7, 2008, at 4:03 PM, Will Metcalf wrote:
>>>
>>>> yep same thing reading from the tcpdump captured pcap... segv's in the
>>>> same function...
>>>>
>>>> Regards,
>>>>
>>>> Will
>>>>
>>>>
>>>> gdb ./argus core.25847
>>>> GNU gdb Red Hat Linux (6.5-37.el5_2.2rh)
>>>> Copyright (C) 2006 Free Software Foundation, Inc.
>>>> GDB is free software, covered by the GNU General Public License, and you
>>>> are
>>>> welcome to change it and/or distribute copies of it under certain
>>>> conditions.
>>>> Type "show copying" to see the conditions.
>>>> There is absolutely no warranty for GDB.  Type "show warranty" for
>>>> details.
>>>> This GDB was configured as "i386-redhat-linux-gnu"...Using host
>>>> libthread_db library "/lib/libthread_db.so.1".
>>>>
>>>>
>>>> warning: Can't read pathname for load map: Input/output error.
>>>> Reading symbols from /usr/lib/libpfring.so...done.
>>>> Loaded symbols for /usr/lib/libpfring.so
>>>> Reading symbols from /lib/libpthread.so.0...done.
>>>> Loaded symbols for /lib/libpthread.so.0
>>>> Reading symbols from /usr/lib/libpcap.so.0.9.7...done.
>>>> Loaded symbols for /usr/lib/libpcap.so.0.9.7
>>>> Reading symbols from /usr/lib/libwrap.so.0...done.
>>>> Loaded symbols for /usr/lib/libwrap.so.0
>>>> Reading symbols from /lib/libnsl.so.1...done.
>>>> Loaded symbols for /lib/libnsl.so.1
>>>> Reading symbols from /lib/libm.so.6...done.
>>>> Loaded symbols for /lib/libm.so.6
>>>> Reading symbols from /lib/libc.so.6...done.
>>>> Loaded symbols for /lib/libc.so.6
>>>> Reading symbols from /lib/ld-linux.so.2...done.
>>>> Loaded symbols for /lib/ld-linux.so.2
>>>> Core was generated by `argus -r blah.dump -w test.ra'.
>>>> Program terminated with signal 11, Segmentation fault.
>>>> #0  0x08054e41 in ArgusCreateIPv4Flow (model=0x9488008, ip=0x0) at
>>>> ArgusModeler.c:3627
>>>> 3627       unsigned char *nxtHdr = (unsigned char *)((char *)ip +
>>>> (ip->ip_hl << 2));
>>>> (gdb) bt full
>>>> #0  0x08054e41 in ArgusCreateIPv4Flow (model=0x9488008, ip=0x0) at
>>>> ArgusModeler.c:3627
>>>>     retn = (void *) 0x9488418
>>>>     nxtHdr = (unsigned char *) 0xed <Address 0xed out of bounds>
>>>>     sport = 49068
>>>>     dport = 4148
>>>>     proto = 5 '\005'
>>>>     tp_p = 8 '\b'
>>>>     len = 155746312
>>>>     hlen = 524288
>>>>     ArgusOptionLen = 14
>>>> #1  0x0804fb37 in ArgusCreateFlow (model=0x9488008, ptr=0x9488952,
>>>> length=251) at ArgusModeler.c:1550
>>>>     retn = (void *) 0x9488418
>>>>     ep = (struct ether_header *) 0x9488952
>>>>     keys = 1
>>>>     index = 1
>>>>     i = 0
>>>> #2  0x0804ed6a in ArgusProcessPacket (src=0xb7efd008, p=0x9488952
>>>> "������", length=251, tvp=0xbfaccd10, type=-1) at ArgusModeler.c:1257
>>>>     model = (struct ArgusModelerStruct *) 0x9488008
>>>>     tflow = (struct ArgusSystemFlow *) 0x0
>>>>     flow = (struct ArgusFlowStruct *) 0x949f2a0
>>>>     nflow = (struct ArgusFlowStruct *) 0x949fd68
>>>>     ptr = 0x9488952 "������"
>>>>     value = 0
>>>>     retn = 0
>>>> #3  0x08056d7f in ArgusEtherPacket (user=0xb7efd008 "", h=0xbfaccd8c,
>>>> p=0x9488952 "������") at ArgusSource.c:716
>>>>     ep = (struct ether_header *) 0x9488952
>>>>     ind = 0
>>>>     src = (struct ArgusSourceStruct *) 0xb7efd008
>>>>     caplen = 96
>>>>     length = 251
>>>>     tvpbuf = {tv_sec = 1215460610, tv_usec = 882249}
>>>>     tvp = (struct timeval *) 0xbfaccd10
>>>>     statbuf = {st_dev = 24241980829601792, __pad1 = 34304,
>>>> __st_ino = 155747840, st_mode = 3215772888, st_nlink = 4753709, st_uid
>>>> = 155747840, st_gid = 0, st_rdev = 395142635508, __pad2 = 52480,
>>>> st_size = 668935529949582490, st_blksize = -1208354286, st_blocks =
>>>> 412316860512, st_atim = {tv_sec = 155748690, tv_nsec = 5644276},
>>>> st_mtim = {tv_sec = 96, tv_nsec = 155747840}, st_ctim = {
>>>>  tv_sec = -1079194348, tv_nsec = 4748488}, st_ino = 668935530100590080}
>>>> #4  0x003de4d9 in pcap_offline_read () from /usr/lib/libpcap.so.0.9.7
>>>> No symbol table info available.
>>>> #5  0x0805a2b9 in ArgusGetPackets (src=0xb7efd008) at ArgusSource.c:2212
>>>>     ArgusReadMask = {__fds_bits = {0 <repeats 32 times>}}
>>>>     ArgusWriteMask = {__fds_bits = {0 <repeats 32 times>}}
>>>>     ArgusExceptMask = {__fds_bits = {0 <repeats 32 times>}}
>>>>     tmp = 5644276
>>>>     i = 0
>>>>     width = 0
>>>>     noerror = 1
>>>>     fd = 1
>>>>     found = 1
>>>>     up = 0
>>>>     notselectable = 0
>>>>     fds = {-1, -1, -1, -1, -1}
>>>>     wait = {tv_sec = 0, tv_usec = 200000}
>>>> #6  0x0804b918 in main (argc=5, argv=0xbfacd5a4) at argus.c:530
>>>>     commandlinew = 1
>>>>     doconf = 0
>>>> ---Type <return> to continue, or q <return> to quit---
>>>>     dodebug = 0
>>>>     i = 5
>>>>     pid = 0
>>>>     tmparg = 0xbfacdbfd "test.ra"
>>>>     filter = 0x0
>>>>     statbuf = {st_dev = 0, __pad1 = 0, __st_ino = 5878496, st_mode
>>>> = 2147483648, st_nlink = 3215774996, st_uid = 0, st_gid = 0, st_rdev =
>>>> 0, __pad2 = 54608, st_size = 577748383503091288,
>>>> st_blksize = 0, st_blocks = 0, st_atim = {tv_sec = -163754450,
>>>> tv_nsec = 0}, st_mtim = {tv_sec = 0, tv_nsec = 0}, st_ctim = {tv_sec =
>>>> 0, tv_nsec = 0}, st_ino = 0}
>>>>     op = -1
>>>>     commandlinei = 0
>>>>     path = "/etc/argus.conf", '\0' <repeats 8176 times>
>>>>
>>>> On Mon, Jul 7, 2008 at 2:46 PM, Peter Van Epp <vanepp at sfu.ca> wrote:
>>>>>
>>>>> On Mon, Jul 07, 2008 at 02:41:08PM -0500, Will Metcalf wrote:
>>>>>>
>>>>>> Unoptimized back trace...
>>>>>>
>>>>>> gdb ./argus core.25572
>>>>>> GNU gdb Red Hat Linux (6.5-37.el5_2.2rh)
>>>>>> Copyright (C) 2006 Free Software Foundation, Inc.
>>>>>> GDB is free software, covered by the GNU General Public License, and
>>>>>> you
>>>>>> are
>>>>>> welcome to change it and/or distribute copies of it under certain
>>>>>> conditions.
>>>>>> Type "show copying" to see the conditions.
>>>>>> There is absolutely no warranty for GDB.  Type "show warranty" for
>>>>>> details.
>>>>>> This GDB was configured as "i386-redhat-linux-gnu"...Using host
>>>>>> libthread_db library "/lib/libthread_db.so.1".
>>>>>>
>>>>>    A late thought. If tcpdump works can you do a capture on this same
>>>>> link with tcpdump then feed that through argus and see what happens? If the
>>>>> same fault occurs debugging gets easier (especially if you can release the
>>>>> pcap to Carter) as it's reproducible on the same data.
>>>>>
>>>>> Peter Van Epp / Operations and Technical Support
>>>>> Simon Fraser University, Burnaby, B.C. Canada
>>>>>
>>>
>>>
>> <blah.dump>
>
>
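Carter's diagnosis above (a parser that commits to an IP header before confirming one is there, and an LLC/SNAP step that consumes header bytes without a visible length check) is a classic link-layer demultiplexing edge case. The following C program is an added example written for this archive page; it is not Argus code and not part of the thread. It shows the bounds-checked form of that step: classify an Ethernet frame as Ethernet II or 802.3+LLC/SNAP, extract the encapsulated ethertype byte-wise (the field may be unaligned), and refuse to advance when the captured length (caplen) is shorter than the header. The LLC/SNAP layout (dsap, ssap, control, 3-byte OUI, 2-byte big-endian ethertype) follows IEEE 802.2/SNAP; the three sample frames, including a truncated one and a NetBIOS-style non-SNAP LLC frame, are constructed for the example.

```c
/* Added example, not Argus code: bounds-checked LLC/SNAP demultiplexing.
 * Assumed layout (IEEE 802.2 + SNAP): dsap, ssap, control, oui[3], ethertype[2]. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LLCSAP_SNAP   0xAA
#define LLC_UI        0x03
#define LLC_SNAP_LEN  8      /* dsap, ssap, ctrl, oui[3], ethertype[2] */
#define ETHER_HDR_LEN 14
#define ETHERTYPE_IP  0x0800

enum {
    LLC_RESULT_TRUNCATED = -1,   /* fewer captured bytes than the header needs */
    LLC_RESULT_NOT_SNAP  = -2,   /* LLC present but not a SNAP UI frame */
};

/* Parse an LLC/SNAP header at ptr. caplen is the number of bytes actually
 * captured from ptr onwards. Returns the encapsulated ethertype (0..0xFFFF)
 * and stores the header length in *consumed, or a negative LLC_RESULT_* code.
 * The length check comes before any byte of the header is consumed. */
int llc_snap_ethertype(const uint8_t *ptr, size_t caplen, size_t *consumed)
{
    if (caplen < 3)
        return LLC_RESULT_TRUNCATED;
    if (ptr[0] != LLCSAP_SNAP || ptr[1] != LLCSAP_SNAP || ptr[2] != LLC_UI)
        return LLC_RESULT_NOT_SNAP;
    if (caplen < LLC_SNAP_LEN)
        return LLC_RESULT_TRUNCATED;
    /* Byte-wise read: the 16-bit field is big-endian and may be unaligned. */
    int ethertype = ((int)ptr[6] << 8) | ptr[7];
    *consumed = LLC_SNAP_LEN;
    return ethertype;
}

/* Classify the network-layer type of a captured Ethernet frame.
 * Returns the payload ethertype and (if payload_off is non-NULL) the offset
 * of that payload, or a negative LLC_RESULT_* code. Handles Ethernet II
 * (type field >= 0x0600) and IEEE 802.3 (length field) + LLC/SNAP. */
int frame_network_type(const uint8_t *frame, size_t caplen, size_t *payload_off)
{
    if (caplen < ETHER_HDR_LEN)
        return LLC_RESULT_TRUNCATED;
    unsigned type_or_len = ((unsigned)frame[12] << 8) | frame[13];
    if (type_or_len >= 0x0600) {           /* Ethernet II: the field is an ethertype */
        if (payload_off) *payload_off = ETHER_HDR_LEN;
        return (int)type_or_len;
    }
    /* IEEE 802.3: the field is a length and an LLC header follows it. */
    size_t consumed = 0;
    int et = llc_snap_ethertype(frame + ETHER_HDR_LEN, caplen - ETHER_HDR_LEN, &consumed);
    if (et < 0)
        return et;
    if (payload_off) *payload_off = ETHER_HDR_LEN + consumed;
    return et;
}

/* Convenience: offset of the network-layer payload, or 0 on any error. */
size_t network_payload_offset(const uint8_t *frame, size_t caplen)
{
    size_t off = 0;
    return frame_network_type(frame, caplen, &off) < 0 ? 0 : off;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t sample_snap_frame[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x00,0x1c, /* 802.3, len 28 */
    0xaa,0xaa,0x03, 0x00,0x00,0x00, 0x08,0x00,                               /* LLC/SNAP -> IP */
    0x45,0x00,0x00,0x14,0x00,0x00,0x40,0x00,0x40,0x11,0x00,0x00,              /* minimal IPv4 */
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0xff,
};
static const uint8_t sample_ether2_frame[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00, /* Ethernet II */
    0x45,0x00,0x00,0x14,0x00,0x00,0x40,0x00,0x40,0x11,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0xff,
};
static const uint8_t sample_netbios_frame[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x00,0x08, /* 802.3, len 8 */
    0xf0,0xf0,0x03, 0x00,0x00,0x00,0x00,0x00,                                /* NetBIOS SAP, not SNAP */
};

int main(void)
{
    size_t off = 0;
    int et = frame_network_type(sample_snap_frame, sizeof sample_snap_frame, &off);
    printf("full 802.3/SNAP frame: ethertype 0x%04x at offset %zu\n", et, off);
    /* Same frame with only 18 bytes captured: the SNAP header is cut off. */
    printf("truncated (caplen 18): result %d\n",
           frame_network_type(sample_snap_frame, 18, &off));
    printf("netbios over LLC: result %d\n",
           frame_network_type(sample_netbios_frame, sizeof sample_netbios_frame, &off));
    return 0;
}
```

The point of the two-stage check in `llc_snap_ethertype` is that the SAP bytes are inspected only after three bytes are known to exist, and the ethertype only after all eight are; a caller that receives a negative result never gets a payload offset and so never forms an IP flow against a pointer it cannot dereference.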

