argus 3.0.4 segfault on 32-bit OpenBSD 4.8

Michael Sanderson sanders at cs.ubc.ca
Fri Apr 8 17:56:43 EDT 2011


I'm seeing a segfault in the argus 3.0.4 daemon on 32-bit OpenBSD 4.8 in 
a couple of places in ArgusParseTCPOptions.  I have packet capture files 
which I have tried to keep to sane sizes by moving the file every two 
minutes.  Unfortunately, when running argus -r <file>, I can't get it to 
segfault with the last file (or any of the last few files).  Since it 
doesn't seem to survive more than 30-40 minutes, hopefully I can find 
some collection of files that will exhibit the segfault when reading them.

Example one:

#0  0x1c0249a8 in ArgusParseTCPOptions (model=0x808f8800, tcp=0x8a5c8fe4,
     len=1, options=0x813f2394, ArgusThisTCPsrc=0x813f23a0) at 
ArgusTcp.c:985
985                 alen = *cp++;   /* total including type, len */
(gdb) where
#0  0x1c0249a8 in ArgusParseTCPOptions (model=0x808f8800, tcp=0x8a5c8fe4,
     len=1, options=0x813f2394, ArgusThisTCPsrc=0x813f23a0) at 
ArgusTcp.c:985
#1  0x1c022ddb in ArgusUpdateTCPState (model=0x808f8800, 
flowstr=0x813f2000,
     state=0xcfbe3fb4 " #?\201\f#?\201�\"?\201") at ArgusTcp.c:270
#2  0x1c00cd2f in ArgusUpdateState (model=0x808f8800, flowstr=0x813f2000,
     state=32 ' ', update=1 '\001') at ArgusModeler.c:2662
#3  0x1c00bf3c in ArgusUpdateFlow (model=0x808f8800, flow=0x813f2000,
     state=32 ' ', update=1 '\001') at ArgusModeler.c:2339
#4  0x1c009c7b in ArgusProcessPacket (src=0x86cca000,
     p=0x8a5c8fba "������������\201", length=68, tvp=0xcfbe4190, type=0)
     at ArgusModeler.c:1537
#5  0x1c013dad in ArgusEtherPacket (user=0x86cca000 "", h=0x8a5c8fa8,
     p=0x8a5c8fba "������������\201") at ArgusSource.c:1365
#6  0x022cc4f8 in pcap_read (p=0x895c0800, cnt=1,
     callback=0x1c013ac8 <ArgusEtherPacket>, user=0x86cca000 "")
     at /usr/src/lib/libpcap/pcap-bpf.c:154
#7  0x022ccc7d in pcap_dispatch (p=0x895c0800, cnt=1,
     callback=0x1c013ac8 <ArgusEtherPacket>, user=0x86cca000 "")
     at /usr/src/lib/libpcap/pcap.c:59
#8  0x1c0186a6 in ArgusGetPackets (arg=0x86cca000) at ArgusSource.c:3269
#9  0x1c017ffc in ArgusSourceProcess (stask=0x86cca000) at 
ArgusSource.c:3059
#10 0x1c004b62 in main (argc=1, argv=0xcfbe4aa0) at argus.c:642


Example two:
0x1c024983 in ArgusParseTCPOptions (model=0x7e026800, tcp=0x88b8efe8, 
len=8,
     options=0x8426e394, ArgusThisTCPsrc=0x8426e3d0) at ArgusTcp.c:980
980              opt = *cp++;
(gdb) where
#0  0x1c024983 in ArgusParseTCPOptions (model=0x7e026800, tcp=0x88b8efe8,
     len=8, options=0x8426e394, ArgusThisTCPsrc=0x8426e3d0) at 
ArgusTcp.c:980
#1  0x1c022ddb in ArgusUpdateTCPState (model=0x7e026800, 
flowstr=0x8426e000,
     state=0xcfbe7f84 " �&\204\f�&\204��&\204") at ArgusTcp.c:270
#2  0x1c00cd2f in ArgusUpdateState (model=0x7e026800, flowstr=0x8426e000,
     state=32 ' ', update=1 '\001') at ArgusModeler.c:2662
#3  0x1c00bf3c in ArgusUpdateFlow (model=0x7e026800, flow=0x8426e000,
     state=32 ' ', update=1 '\001') at ArgusModeler.c:2339
#4  0x1c009c7b in ArgusProcessPacket (src=0x7ce67000,
     p=0x88b8efbe "������������\201", length=64, tvp=0xcfbe8160, type=0)
     at ArgusModeler.c:1537
#5  0x1c013dad in ArgusEtherPacket (user=0x7ce67000 "", h=0x88b8efac,
     p=0x88b8efbe "������������\201") at ArgusSource.c:1365
#6  0x0fbce4f8 in pcap_read (p=0x824ff200, cnt=1,
     callback=0x1c013ac8 <ArgusEtherPacket>, user=0x7ce67000 "")
     at /usr/src/lib/libpcap/pcap-bpf.c:154
#7  0x0fbcec7d in pcap_dispatch (p=0x824ff200, cnt=1,
     callback=0x1c013ac8 <ArgusEtherPacket>, user=0x7ce67000 "")
     at /usr/src/lib/libpcap/pcap.c:59
#8  0x1c0186a6 in ArgusGetPackets (arg=0x7ce67000) at ArgusSource.c:3269
#9  0x1c017ffc in ArgusSourceProcess (stask=0x7ce67000) at 
ArgusSource.c:3059
#10 0x1c004b62 in main (argc=3, argv=0xcfbe8a78) at argus.c:642


I believe it had been working nicely on OpenBSD 4.7, so this may end up 
being an OpenBSD issue due to new versions of things.  The daemon has 
been recompiled on 4.8 but that didn't change anything nor were there 
any particular problems with compilation after ensuring that a couple of 
additional headers were included before arpa/inet.h.  I'll see if I can 
get a 4.7 machine back and ensure that it was working well then.

(Sorry need to run to get kids from school... I'll send more info later 
to Carter and/or the list re: the header include order.)

       Michael Sanderson
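Both traces die inside argus's TCP option walk (ArgusTcp.c:980/985, the `opt = *cp++` / `alen = *cp++` reads), once entered with len=1 and once with len=8. As an added illustration, not argus's code and not a diagnosis of this bug, the walker below (hypothetical `tcp_options_walk`, with constructed option lists) checks the remaining length before every read, so a list that ends after a kind byte, an option claiming length 0, or one whose body runs past the list is rejected instead of read past the packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return codes of the walker (hypothetical API, not argus's). */
enum opt_result { OPT_OK = 0, OPT_TRUNCATED = -1, OPT_BAD_LEN = -2 };

/* Walk `len` bytes of TCP options at `cp`, counting the options seen.
 * Each read is checked against the bytes remaining BEFORE it happens, so
 * a list that ends mid-option (len == 1: a kind byte but no length byte)
 * returns OPT_TRUNCATED rather than reading past the end of the packet. */
static int tcp_options_walk(const uint8_t *cp, size_t len, unsigned *nopts)
{
    size_t off = 0;
    *nopts = 0;
    while (off < len) {
        uint8_t opt = cp[off];          /* kind: in bounds since off < len */
        if (opt == 0)                   /* EOL: the rest is padding */
            return OPT_OK;
        if (opt == 1) {                 /* NOP: one byte, no length field */
            off++; (*nopts)++;
            continue;
        }
        if (off + 1 >= len)             /* kind present, length byte missing */
            return OPT_TRUNCATED;
        uint8_t alen = cp[off + 1];     /* total length incl. kind and len */
        if (alen < 2)                   /* length 0 or 1 would never advance */
            return OPT_BAD_LEN;
        if (alen > len - off)           /* body runs past the option list */
            return OPT_TRUNCATED;
        off += alen; (*nopts)++;
    }
    return OPT_OK;
}

/* Constructed sample option lists (not taken from the reporter's captures). */
static const uint8_t OPTS_GOOD[] = { 2,4,0x05,0xb4, 1, 1, 4,2,
                                     8,10,0,0,0,1,0,0,0,2 }; /* MSS NOP NOP SACKok TS */
static const uint8_t OPTS_LEN1[] = { 2 };           /* len == 1, as in the first trace */
static const uint8_t OPTS_ZERO[] = { 3,0,0,0 };     /* window scale claiming length 0 */
static const uint8_t OPTS_OVER[] = { 2,4,0x05 };    /* MSS claims 4 bytes, only 3 present */

int main(void)
{
    unsigned n;
    int rc = tcp_options_walk(OPTS_GOOD, sizeof OPTS_GOOD, &n);
    printf("good: rc=%d nopts=%u\n", rc, n);
    printf("len1: rc=%d\n", tcp_options_walk(OPTS_LEN1, sizeof OPTS_LEN1, &n));
    printf("zero: rc=%d\n", tcp_options_walk(OPTS_ZERO, sizeof OPTS_ZERO, &n));
    printf("over: rc=%d\n", tcp_options_walk(OPTS_OVER, sizeof OPTS_OVER, &n));
    return 0;
}
```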


