Another segv in ArgusCreateIPv4Flow?

Jonathan Towne jontow at hijacked.us
Tue Feb 24 10:05:48 EST 2009 

Carter,

For what its worth; I had to use this patch on an OpenBSD 4.4/amd64 machine
when monitoring a gif(4) interface for a VPN.. Otherwise, identical crash.

(Using 3.0.0 from the FTP as of last night)

-- Jonathan Towne


On Fri, Jul 18, 2008 at 11:15:28AM -0400, Carter Bullard scribbled:
# Hey David,
# Lots of questions to ask, like the machine, architecture (seems like
# its 64-bit), what kind of interface are you capturing from, and what  
# kind of
# packets are you expecting?   Normally we'd all need that kind of info,  
# but.....
# 
# From your gdb dump, I think I see the problem.
# 
# Looks to me that ArgusProcessIpPacket() is getting good data, but its
# not updating the ArgusThisIpHdr field in ArgusModel, as this value
# is empty.
# 
# Because your line numbers are so pretty far off from my source tree,
# make this change and tell me if it worked for you.
# 
# Modify this line in ArgusProcessIpPacket() (+26 lines from the start)
# 
#       model->ArgusThisUpHdr = (unsigned char *)ip;
# 
# to
#       model->ArgusThisIpHdr = (unsigned char *)ip;
# 
# and lets see if that makes a difference!!!   If so, I'll add it to the
# argus-3.0.1.beta.1 distibution code.
# 
# And thanks for sending mail!!!!
# 
# Carter
# 
# On Jul 18, 2008, at 6:23 AM, David wrote:
# 
# >I have just read the earlier thread with a segfault in  
# >ArgusCreateIPv4Flow().  I have modified the code section mentioned  
# >there but I still get the same results.
# >
# >I'm no expert with gdb but I managed to compile and grab a  
# >backtrace.  I edited argus/Makefile and replaced the optimisation  
# >with -ggdb, is there a better way to enable debug?
# >
# >Below is the backtrace.  In order to share the capture files I'd  
# >have to sanitise out data.  I am happy to debug and play with the  
# >source as necessary though.
# >
# >david at fish ~/tmp/argus/argus-3.0.0 $ gdb bin/argus
# >GNU gdb 6.7.1
# >Copyright (C) 2007 Free Software Foundation, Inc.
# >License GPLv3+: GNU GPL version 3 or later 
# ><http://gnu.org/licenses/gpl.html >
# >This is free software: you are free to change and redistribute it.
# >There is NO WARRANTY, to the extent permitted by law.  Type "show  
# >copying"
# >and "show warranty" for details.
# >This GDB was configured as "i686-pc-linux-gnu"...
# >Using host libthread_db library "/lib/libthread_db.so.1".
# >(gdb) run -r /home/david/tmp/test.pcap
# >Starting program: /home/david/tmp/argus/argus-3.0.0/bin/argus -r / 
# >home/david/tmp/test.pcap
# >
# >Program received signal SIGSEGV, Segmentation fault.
# >0x08055b29 in ArgusCreateIPv4Flow (model=0x8134008, ip=0x0) at  
# >ArgusModeler.c:3632
# >3632       unsigned char *nxtHdr = (unsigned char *)((char *)ip +  
# >(ip->ip_hl << 2));
# >(gdb) bt full
# >#0  0x08055b29 in ArgusCreateIPv4Flow (model=0x8134008, ip=0x0) at  
# >ArgusModeler.c:3632
# >       retn = (void *) 0x8134418
# >       nxtHdr = (unsigned char *) 0x10000000 <Address 0x10000000 out  
# >of bounds>
# >       sport = 47097
# >       dport = 4096
# >       proto = 0 '\0'
# >       tp_p = 0 '\0'
# >       len = 0
# >       hlen = 0
# >       ArgusOptionLen = 0
# >#1  0x08050634 in ArgusCreateFlow (model=0x8134008, ptr=0x813494c,  
# >length=78) at ArgusModeler.c:1555
# >       retn = (void *) 0x8134418
# >       ep = (struct ether_header *) 0x813494c
# >       keys = 1
# >       index = 1
# >       i = 0
# >#2  0x0804fccc in ArgusProcessIpPacket (model=0x8134008,  
# >ip=0x813494c, length=78, tvp=0xbfe4927c) at ArgusModeler.c:1361
# >       retn = 0
# >       pass = 1
# >       flow = (struct ArgusFlowStruct *) 0x1
# >       nflow = (struct ArgusFlowStruct *) 0xbb
# >       tflow = (struct ArgusSystemFlow *) 0x0
# >#3  0x08059992 in ArgusIpPacket (user=0xb7d64008 "", h=0xbfe492ec,  
# >p=0x813494c "E") at ArgusSource.c:1403
# >       src = (struct ArgusSourceStruct *) 0xb7d64008
# >       tvpbuf = {tv_sec = 1211532660, tv_usec = 393789}
# >       tvp = (struct timeval *) 0xbfe4927c
# >       ip = (struct ip *) 0x813494c
# >       length = 78
# >       caplen = 78
# >       statbuf = {st_dev = 13257796500955894428, __pad1 = 1,  
# >__st_ino = 0, st_mode = 3085275911, st_nlink = 135481676, st_uid =  
# >3086700584, st_gid = 78, st_rdev = 339259832066,
# > __pad2 = 18764, st_size = 338093555700, st_blksize = 78, st_blocks  
# >= -5195550500855704984, st_atim = {tv_sec = 135480824, tv_nsec =  
# >135481676}, st_mtim = {tv_sec = 78,
# >   tv_nsec = -1075539304}, st_ctim = {tv_sec = -1209733708, tv_nsec  
# >= 135480824}, st_ino = 335142930764}
# >#4  0xb7f816ee in pcap_offline_read () from /usr/lib/libpcap.so.0
# >No symbol table info available.
# >#5  0xb7fd2650 in _r_debug ()
# >No symbol table info available.
# >#6  0x00000001 in ?? ()
# >No symbol table info available.
# >#7  0xbfe492f0 in ?? ()
# >No symbol table info available.
# >#8  0xb7fc46e9 in _dl_fixup () from /lib/ld-linux.so.2
# >No symbol table info available.
# >Backtrace stopped: previous frame inner to this frame (corrupt stack?)
# >(gdb)
# >
# >Regards,
# >
# >David
# >
# >
# >
#

More information about the argus mailing list