Another segv in ArgusCreateIPv4Flow?

Jonathan Towne jontow at hijacked.us
Tue Feb 24 11:31:27 EST 2009


No problem, just wanted to help you narrow the condition down a bit;
and I ran into the patch pretty easily anyway!

-- Jonathan Towne


On Tue, Feb 24, 2009 at 10:35:38AM -0500, Carter Bullard scribbled:
# Hey Jonathan,
# Thanks!!!!!!    When I release the new clients,
# I'll push a minor update for argus() that has the patch in it.
# 
# Sorry for the inconvenience,
# 
# Carter
# 
# On Feb 24, 2009, at 10:05 AM, Jonathan Towne wrote:
# 
# >Carter,
# >
# >For what it's worth, I had to use this patch on an OpenBSD 4.4/amd64 machine
# >when monitoring a gif(4) interface for a VPN. Otherwise, identical crash.
# >
# >(Using 3.0.0 from the FTP as of last night)
# >
# >-- Jonathan Towne
# >
# >
# >On Fri, Jul 18, 2008 at 11:15:28AM -0400, Carter Bullard scribbled:
# ># Hey David,
# ># Lots of questions to ask, like the machine, architecture (seems like
# ># it's 64-bit), what kind of interface are you capturing from, and what kind of
# ># packets are you expecting?   Normally we'd all need that kind of info,
# ># but.....
# >#
# ># From your gdb dump, I think I see the problem.
# >#
# ># Looks to me that ArgusProcessIpPacket() is getting good data, but it's
# ># not updating the ArgusThisIpHdr field in ArgusModel, as this value
# ># is empty.
# >#
# ># Because your line numbers are pretty far off from my source tree,
# ># make this change and tell me if it worked for you.
# >#
# ># Modify this line in ArgusProcessIpPacket() (+26 lines from the start)
# >#
# >#       model->ArgusThisUpHdr = (unsigned char *)ip;
# >#
# ># to
# >#       model->ArgusThisIpHdr = (unsigned char *)ip;
# >#
# ># and let's see if that makes a difference!!!   If so, I'll add it to the
# ># argus-3.0.1.beta.1 distribution code.
# >#
# ># And thanks for sending mail!!!!
# >#
# ># Carter
# >#
# ># On Jul 18, 2008, at 6:23 AM, David wrote:
# >#
# ># >I have just read the earlier thread with a segfault in
# ># >ArgusCreateIPv4Flow().  I have modified the code section mentioned
# ># >there but I still get the same results.
# ># >
# ># >I'm no expert with gdb but I managed to compile and grab a
# ># >backtrace.  I edited argus/Makefile and replaced the optimisation
# ># >with -ggdb, is there a better way to enable debug?
# ># >
# ># >Below is the backtrace.  In order to share the capture files I'd
# ># >have to sanitise out data.  I am happy to debug and play with the
# ># >source as necessary though.
# ># >
# ># >david at fish ~/tmp/argus/argus-3.0.0 $ gdb bin/argus
# ># >GNU gdb 6.7.1
# ># >Copyright (C) 2007 Free Software Foundation, Inc.
# ># >License GPLv3+: GNU GPL version 3 or later
# ># ><http://gnu.org/licenses/gpl.html >
# ># >This is free software: you are free to change and redistribute it.
# ># >There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
# ># >and "show warranty" for details.
# ># >This GDB was configured as "i686-pc-linux-gnu"...
# ># >Using host libthread_db library "/lib/libthread_db.so.1".
# ># >(gdb) run -r /home/david/tmp/test.pcap
# ># >Starting program: /home/david/tmp/argus/argus-3.0.0/bin/argus -r /home/david/tmp/test.pcap
# ># >
# ># >Program received signal SIGSEGV, Segmentation fault.
# ># >0x08055b29 in ArgusCreateIPv4Flow (model=0x8134008, ip=0x0) at ArgusModeler.c:3632
# ># >3632       unsigned char *nxtHdr = (unsigned char *)((char *)ip + (ip->ip_hl << 2));
# ># >(gdb) bt full
# ># >#0  0x08055b29 in ArgusCreateIPv4Flow (model=0x8134008, ip=0x0) at ArgusModeler.c:3632
# ># >       retn = (void *) 0x8134418
# ># >       nxtHdr = (unsigned char *) 0x10000000 <Address 0x10000000 out of bounds>
# ># >       sport = 47097
# ># >       dport = 4096
# ># >       proto = 0 '\0'
# ># >       tp_p = 0 '\0'
# ># >       len = 0
# ># >       hlen = 0
# ># >       ArgusOptionLen = 0
# ># >#1  0x08050634 in ArgusCreateFlow (model=0x8134008, ptr=0x813494c, length=78) at ArgusModeler.c:1555
# ># >       retn = (void *) 0x8134418
# ># >       ep = (struct ether_header *) 0x813494c
# ># >       keys = 1
# ># >       index = 1
# ># >       i = 0
# ># >#2  0x0804fccc in ArgusProcessIpPacket (model=0x8134008, ip=0x813494c, length=78, tvp=0xbfe4927c) at ArgusModeler.c:1361
# ># >       retn = 0
# ># >       pass = 1
# ># >       flow = (struct ArgusFlowStruct *) 0x1
# ># >       nflow = (struct ArgusFlowStruct *) 0xbb
# ># >       tflow = (struct ArgusSystemFlow *) 0x0
# ># >#3  0x08059992 in ArgusIpPacket (user=0xb7d64008 "", h=0xbfe492ec, p=0x813494c "E") at ArgusSource.c:1403
# ># >       src = (struct ArgusSourceStruct *) 0xb7d64008
# ># >       tvpbuf = {tv_sec = 1211532660, tv_usec = 393789}
# ># >       tvp = (struct timeval *) 0xbfe4927c
# ># >       ip = (struct ip *) 0x813494c
# ># >       length = 78
# ># >       caplen = 78
# ># >       statbuf = {st_dev = 13257796500955894428, __pad1 = 1, __st_ino = 0, st_mode = 3085275911, st_nlink = 135481676, st_uid = 3086700584, st_gid = 78, st_rdev = 339259832066,
# ># > __pad2 = 18764, st_size = 338093555700, st_blksize = 78, st_blocks = -5195550500855704984, st_atim = {tv_sec = 135480824, tv_nsec = 135481676}, st_mtim = {tv_sec = 78,
# ># >   tv_nsec = -1075539304}, st_ctim = {tv_sec = -1209733708, tv_nsec = 135480824}, st_ino = 335142930764}
# ># >#4  0xb7f816ee in pcap_offline_read () from /usr/lib/libpcap.so.0
# ># >No symbol table info available.
# ># >#5  0xb7fd2650 in _r_debug ()
# ># >No symbol table info available.
# ># >#6  0x00000001 in ?? ()
# ># >No symbol table info available.
# ># >#7  0xbfe492f0 in ?? ()
# ># >No symbol table info available.
# ># >#8  0xb7fc46e9 in _dl_fixup () from /lib/ld-linux.so.2
# ># >No symbol table info available.
# ># >Backtrace stopped: previous frame inner to this frame (corrupt stack?)
# ># >(gdb)
# ># >
# ># >Regards,
# ># >
# ># >David
# ># >
# ># >
# ># >
# >#
# >

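A stand-alone C reproduction of the failure pattern Carter diagnoses in the quoted thread, added here as an illustration; it is not argus source. The field and variable names (ArgusThisIpHdr, ArgusThisUpHdr, ip_hl, nxtHdr) are taken from the thread, but the structs are simplified stand-ins rather than the real modeler state, the packet bytes are constructed rather than captured, and the NULL and length checks in create_ipv4_flow are hardening added in this example, not something the thread proposes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal IPv4 header stand-in: only the first byte is read here. */
struct ip_hdr {
    uint8_t  ip_vhl;     /* version in the high nibble, ip_hl (32-bit words) in the low nibble */
    uint8_t  ip_tos;
    uint16_t ip_len;
    uint8_t  rest[16];   /* id, frag, ttl, proto, csum, src, dst: not inspected */
};
#define IP_HL(ip) ((ip)->ip_vhl & 0x0f)

/* Stand-in for the modeler state, carrying the two fields the thread names. */
struct model {
    unsigned char *ArgusThisIpHdr;   /* start of this packet's IP header */
    unsigned char *ArgusThisUpHdr;   /* start of the upper-layer header */
};

typedef void (*ip_handler)(struct model *, const unsigned char *);

/* The defect the thread diagnoses: the handler stores the IP pointer in
 * the wrong field, so ArgusThisIpHdr stays NULL for the flow code. */
static void process_ip_packet_buggy(struct model *m, const unsigned char *pkt)
{
    m->ArgusThisUpHdr = (unsigned char *)pkt;
}

/* The one-token fix from the thread: store it in ArgusThisIpHdr. */
static void process_ip_packet_fixed(struct model *m, const unsigned char *pkt)
{
    m->ArgusThisIpHdr = (unsigned char *)pkt;
}

/* Flow builder. Returns the byte offset of the transport header relative
 * to the IP header, or -1 if the model holds no usable IP header. The
 * original crashed reading ip->ip_hl with ip == 0x0; the NULL and length
 * checks are the hardening this example adds. */
static long create_ipv4_flow(const struct model *m, size_t length)
{
    const struct ip_hdr *ip = (const struct ip_hdr *)m->ArgusThisIpHdr;
    if (ip == NULL)
        return -1;                    /* this is where the SIGSEGV happened */
    if (length < sizeof *ip)
        return -1;                    /* capture too short to hold a header */
    size_t hlen = (size_t)IP_HL(ip) << 2;
    if (hlen < sizeof *ip || hlen > length)
        return -1;                    /* ip_hl below 5, or options past caplen */
    const unsigned char *nxtHdr = (const unsigned char *)ip + hlen;
    return (long)(nxtHdr - (const unsigned char *)ip);
}

/* Constructed sample: a 20-byte IPv4 header (ip_hl = 5, proto 6) followed
 * by 8 bytes standing in for a transport header. Not from a capture. */
static const unsigned char sample_pkt[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x00, 0x50, 0x00, 0x50, 0x00, 0x00, 0x00, 0x00
};

/* Same call order as the backtrace (packet handler, then flow builder),
 * on a zeroed model so both pointers start out NULL. */
static long run_pipeline(ip_handler handler, size_t length)
{
    struct model m;
    memset(&m, 0, sizeof m);
    handler(&m, sample_pkt);
    return create_ipv4_flow(&m, length);
}

long run_buggy(void)           { return run_pipeline(process_ip_packet_buggy, sizeof sample_pkt); }
long run_fixed(void)           { return run_pipeline(process_ip_packet_fixed, sizeof sample_pkt); }
long run_fixed_truncated(void) { return run_pipeline(process_ip_packet_fixed, 10); }

int main(void)
{
    printf("buggy handler:    %ld\n", run_buggy());            /* -1: no IP header */
    printf("fixed handler:    %ld\n", run_fixed());            /* 20: transport header at +20 */
    printf("fixed, caplen 10: %ld\n", run_fixed_truncated());  /* -1: truncated capture */
    return 0;
}
```

The buggy path returns -1 instead of faulting only because of the added NULL check; the real fix is the field name, and the check is there so a second mis-assignment (or a packet arriving through a path that never sets the field, as with an unexpected link type) fails closed rather than crashing the capture process.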


More information about the argus mailing list