Another segv in ArgusCreateIPv4Flow?

Carter Bullard carter at qosient.com
Tue Feb 24 10:35:38 EST 2009 

Hey Jonathan,
Thanks!!!!!!    When I release the new clients,
I'll push a minor update for argus() that has the patch in it.

Sorry for the inconvenience,

Carter

On Feb 24, 2009, at 10:05 AM, Jonathan Towne wrote:

> Carter,
>
> For what its worth; I had to use this patch on an OpenBSD 4.4/amd64  
> machine
> when monitoring a gif(4) interface for a VPN.. Otherwise, identical  
> crash.
>
> (Using 3.0.0 from the FTP as of last night)
>
> -- Jonathan Towne
>
>
> On Fri, Jul 18, 2008 at 11:15:28AM -0400, Carter Bullard scribbled:
> # Hey David,
> # Lots of questions to ask, like the machine, architecture (seems like
> # its 64-bit), what kind of interface are you capturing from, and what
> # kind of
> # packets are you expecting?   Normally we'd all need that kind of  
> info,
> # but.....
> #
> # From your gdb dump, I think I see the problem.
> #
> # Looks to me that ArgusProcessIpPacket() is getting good data, but  
> its
> # not updating the ArgusThisIpHdr field in ArgusModel, as this value
> # is empty.
> #
> # Because your line numbers are so pretty far off from my source tree,
> # make this change and tell me if it worked for you.
> #
> # Modify this line in ArgusProcessIpPacket() (+26 lines from the  
> start)
> #
> #       model->ArgusThisUpHdr = (unsigned char *)ip;
> #
> # to
> #       model->ArgusThisIpHdr = (unsigned char *)ip;
> #
> # and lets see if that makes a difference!!!   If so, I'll add it to  
> the
> # argus-3.0.1.beta.1 distibution code.
> #
> # And thanks for sending mail!!!!
> #
> # Carter
> #
> # On Jul 18, 2008, at 6:23 AM, David wrote:
> #
> # >I have just read the earlier thread with a segfault in
> # >ArgusCreateIPv4Flow().  I have modified the code section mentioned
> # >there but I still get the same results.
> # >
> # >I'm no expert with gdb but I managed to compile and grab a
> # >backtrace.  I edited argus/Makefile and replaced the optimisation
> # >with -ggdb, is there a better way to enable debug?
> # >
> # >Below is the backtrace.  In order to share the capture files I'd
> # >have to sanitise out data.  I am happy to debug and play with the
> # >source as necessary though.
> # >
> # >david at fish ~/tmp/argus/argus-3.0.0 $ gdb bin/argus
> # >GNU gdb 6.7.1
> # >Copyright (C) 2007 Free Software Foundation, Inc.
> # >License GPLv3+: GNU GPL version 3 or later
> # ><http://gnu.org/licenses/gpl.html >
> # >This is free software: you are free to change and redistribute it.
> # >There is NO WARRANTY, to the extent permitted by law.  Type "show
> # >copying"
> # >and "show warranty" for details.
> # >This GDB was configured as "i686-pc-linux-gnu"...
> # >Using host libthread_db library "/lib/libthread_db.so.1".
> # >(gdb) run -r /home/david/tmp/test.pcap
> # >Starting program: /home/david/tmp/argus/argus-3.0.0/bin/argus -r /
> # >home/david/tmp/test.pcap
> # >
> # >Program received signal SIGSEGV, Segmentation fault.
> # >0x08055b29 in ArgusCreateIPv4Flow (model=0x8134008, ip=0x0) at
> # >ArgusModeler.c:3632
> # >3632       unsigned char *nxtHdr = (unsigned char *)((char *)ip +
> # >(ip->ip_hl << 2));
> # >(gdb) bt full
> # >#0  0x08055b29 in ArgusCreateIPv4Flow (model=0x8134008, ip=0x0) at
> # >ArgusModeler.c:3632
> # >       retn = (void *) 0x8134418
> # >       nxtHdr = (unsigned char *) 0x10000000 <Address 0x10000000  
> out
> # >of bounds>
> # >       sport = 47097
> # >       dport = 4096
> # >       proto = 0 '\0'
> # >       tp_p = 0 '\0'
> # >       len = 0
> # >       hlen = 0
> # >       ArgusOptionLen = 0
> # >#1  0x08050634 in ArgusCreateFlow (model=0x8134008, ptr=0x813494c,
> # >length=78) at ArgusModeler.c:1555
> # >       retn = (void *) 0x8134418
> # >       ep = (struct ether_header *) 0x813494c
> # >       keys = 1
> # >       index = 1
> # >       i = 0
> # >#2  0x0804fccc in ArgusProcessIpPacket (model=0x8134008,
> # >ip=0x813494c, length=78, tvp=0xbfe4927c) at ArgusModeler.c:1361
> # >       retn = 0
> # >       pass = 1
> # >       flow = (struct ArgusFlowStruct *) 0x1
> # >       nflow = (struct ArgusFlowStruct *) 0xbb
> # >       tflow = (struct ArgusSystemFlow *) 0x0
> # >#3  0x08059992 in ArgusIpPacket (user=0xb7d64008 "", h=0xbfe492ec,
> # >p=0x813494c "E") at ArgusSource.c:1403
> # >       src = (struct ArgusSourceStruct *) 0xb7d64008
> # >       tvpbuf = {tv_sec = 1211532660, tv_usec = 393789}
> # >       tvp = (struct timeval *) 0xbfe4927c
> # >       ip = (struct ip *) 0x813494c
> # >       length = 78
> # >       caplen = 78
> # >       statbuf = {st_dev = 13257796500955894428, __pad1 = 1,
> # >__st_ino = 0, st_mode = 3085275911, st_nlink = 135481676, st_uid =
> # >3086700584, st_gid = 78, st_rdev = 339259832066,
> # > __pad2 = 18764, st_size = 338093555700, st_blksize = 78, st_blocks
> # >= -5195550500855704984, st_atim = {tv_sec = 135480824, tv_nsec =
> # >135481676}, st_mtim = {tv_sec = 78,
> # >   tv_nsec = -1075539304}, st_ctim = {tv_sec = -1209733708, tv_nsec
> # >= 135480824}, st_ino = 335142930764}
> # >#4  0xb7f816ee in pcap_offline_read () from /usr/lib/libpcap.so.0
> # >No symbol table info available.
> # >#5  0xb7fd2650 in _r_debug ()
> # >No symbol table info available.
> # >#6  0x00000001 in ?? ()
> # >No symbol table info available.
> # >#7  0xbfe492f0 in ?? ()
> # >No symbol table info available.
> # >#8  0xb7fc46e9 in _dl_fixup () from /lib/ld-linux.so.2
> # >No symbol table info available.
> # >Backtrace stopped: previous frame inner to this frame (corrupt  
> stack?)
> # >(gdb)
> # >
> # >Regards,
> # >
> # >David
> # >
> # >
> # >
> #
>

More information about the argus mailing list