Another segv in ArgusCreateIPv4Flow?

Carter Bullard carter at qosient.com
Fri Jul 18 11:15:28 EDT 2008


Hey David,
Lots of questions to ask, like the machine, architecture (seems like
it's 64-bit), what kind of interface are you capturing from, and what
kind of packets are you expecting?   Normally we'd all need that kind of info,
but.....

From your gdb dump, I think I see the problem.

Looks to me that ArgusProcessIpPacket() is getting good data, but it's
not updating the ArgusThisIpHdr field in ArgusModel, as this value
is empty.

Because your line numbers are pretty far off from my source tree,
make this change and tell me if it worked for you.

Modify this line in ArgusProcessIpPacket() (+26 lines from the start)

       model->ArgusThisUpHdr = (unsigned char *)ip;

to
       model->ArgusThisIpHdr = (unsigned char *)ip;

and let's see if that makes a difference!!!   If so, I'll add it to the
argus-3.0.1.beta.1 distribution code.

And thanks for sending mail!!!!

Carter
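The failure described above, reduced to a stand-alone C sketch. This is an added example, not Argus source: the struct and function names are assumed stand-ins for the real ArgusModeler.c code, and the 78-byte packet is constructed. The buggy assignment leaves ArgusThisIpHdr NULL, so the consumer that computes `ip->ip_hl << 2` faults at ip=0x0 exactly as in the backtrace; the consumer here also refuses header lengths that do not fit the captured length.

```c
#include <stddef.h>

/* Stand-ins for the Argus structures (assumed shapes, not the real ones):
 * the modeler keeps a pointer to the current IP header and a second
 * pointer to the upper-layer header that follows it. */
struct ArgusModelerStruct {
    const unsigned char *ArgusThisIpHdr;
    const unsigned char *ArgusThisUpHdr;
};

/* As reported: the IP pointer lands in the wrong field, so
 * ArgusThisIpHdr stays NULL for the rest of the packet's processing. */
static void process_ip_buggy(struct ArgusModelerStruct *m, const unsigned char *ip)
{
    m->ArgusThisUpHdr = ip;
}

/* The one-line fix from the reply. */
static void process_ip_fixed(struct ArgusModelerStruct *m, const unsigned char *ip)
{
    m->ArgusThisIpHdr = ip;
}

/* Consumer modelled on the faulting line "nxtHdr = ip + (ip->ip_hl << 2)".
 * Returns the offset of the next header, or -1 when the IP pointer is
 * missing (the ip=0x0 SIGSEGV in the backtrace) or ip_hl does not fit caplen. */
static int next_header_offset(const struct ArgusModelerStruct *m, size_t caplen)
{
    const unsigned char *ip = m->ArgusThisIpHdr;
    if (ip == NULL || caplen < 20)
        return -1;
    /* ip_hl is the low nibble of byte 0, in 32-bit words; 0x45 ('E' in
     * the gdb output) is IPv4 with a 20-byte header. */
    size_t hlen = (size_t)(ip[0] & 0x0f) << 2;
    if (hlen < 20 || hlen > caplen)
        return -1;
    return (int)hlen;
}

/* Run either version over a constructed 78-byte packet (the caplen in the
 * backtrace) whose first byte is 0x45; the rest is zero-filled. */
static int demo(int use_fix)
{
    unsigned char pkt[78] = { 0x45 };
    struct ArgusModelerStruct model = { NULL, NULL };
    if (use_fix)
        process_ip_fixed(&model, pkt);
    else
        process_ip_buggy(&model, pkt);
    return next_header_offset(&model, sizeof pkt);
}
```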

On Jul 18, 2008, at 6:23 AM, David wrote:

> I have just read the earlier thread with a segfault in ArgusCreateIPv4Flow().  I have modified the code section mentioned there but I still get the same results.
>
> I'm no expert with gdb but I managed to compile and grab a backtrace.  I edited argus/Makefile and replaced the optimisation with -ggdb, is there a better way to enable debug?
>
> Below is the backtrace.  In order to share the capture files I'd have to sanitise out data.  I am happy to debug and play with the source as necessary though.
>
> david at fish ~/tmp/argus/argus-3.0.0 $ gdb bin/argus
> GNU gdb 6.7.1
> Copyright (C) 2007 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "i686-pc-linux-gnu"...
> Using host libthread_db library "/lib/libthread_db.so.1".
> (gdb) run -r /home/david/tmp/test.pcap
> Starting program: /home/david/tmp/argus/argus-3.0.0/bin/argus -r /home/david/tmp/test.pcap
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x08055b29 in ArgusCreateIPv4Flow (model=0x8134008, ip=0x0) at ArgusModeler.c:3632
> 3632       unsigned char *nxtHdr = (unsigned char *)((char *)ip + (ip->ip_hl << 2));
> (gdb) bt full
> #0  0x08055b29 in ArgusCreateIPv4Flow (model=0x8134008, ip=0x0) at ArgusModeler.c:3632
>        retn = (void *) 0x8134418
>        nxtHdr = (unsigned char *) 0x10000000 <Address 0x10000000 out of bounds>
>        sport = 47097
>        dport = 4096
>        proto = 0 '\0'
>        tp_p = 0 '\0'
>        len = 0
>        hlen = 0
>        ArgusOptionLen = 0
> #1  0x08050634 in ArgusCreateFlow (model=0x8134008, ptr=0x813494c, length=78) at ArgusModeler.c:1555
>        retn = (void *) 0x8134418
>        ep = (struct ether_header *) 0x813494c
>        keys = 1
>        index = 1
>        i = 0
> #2  0x0804fccc in ArgusProcessIpPacket (model=0x8134008, ip=0x813494c, length=78, tvp=0xbfe4927c) at ArgusModeler.c:1361
>        retn = 0
>        pass = 1
>        flow = (struct ArgusFlowStruct *) 0x1
>        nflow = (struct ArgusFlowStruct *) 0xbb
>        tflow = (struct ArgusSystemFlow *) 0x0
> #3  0x08059992 in ArgusIpPacket (user=0xb7d64008 "", h=0xbfe492ec, p=0x813494c "E") at ArgusSource.c:1403
>        src = (struct ArgusSourceStruct *) 0xb7d64008
>        tvpbuf = {tv_sec = 1211532660, tv_usec = 393789}
>        tvp = (struct timeval *) 0xbfe4927c
>        ip = (struct ip *) 0x813494c
>        length = 78
>        caplen = 78
>        statbuf = {st_dev = 13257796500955894428, __pad1 = 1, __st_ino = 0, st_mode = 3085275911, st_nlink = 135481676, st_uid = 3086700584, st_gid = 78, st_rdev = 339259832066,
>  __pad2 = 18764, st_size = 338093555700, st_blksize = 78, st_blocks = -5195550500855704984, st_atim = {tv_sec = 135480824, tv_nsec = 135481676}, st_mtim = {tv_sec = 78,
>    tv_nsec = -1075539304}, st_ctim = {tv_sec = -1209733708, tv_nsec = 135480824}, st_ino = 335142930764}
> #4  0xb7f816ee in pcap_offline_read () from /usr/lib/libpcap.so.0
> No symbol table info available.
> #5  0xb7fd2650 in _r_debug ()
> No symbol table info available.
> #6  0x00000001 in ?? ()
> No symbol table info available.
> #7  0xbfe492f0 in ?? ()
> No symbol table info available.
> #8  0xb7fc46e9 in _dl_fixup () from /lib/ld-linux.so.2
> No symbol table info available.
> Backtrace stopped: previous frame inner to this frame (corrupt stack?)
> (gdb)
>
> Regards,
>
> David