Segfault when using ralabel Version 3.0.6.2

Carter Bullard carter at qosient.com
Wed Nov 14 21:55:11 EST 2012


Hey Jesse,
Maximum label currently is MAXSTRLEN, which on most machines is 1024 bytes.
This is trivial to extend; MAXSTRLEN is used for convenience.

You may be running into a limit on the number of label value attributes.
We support 256 colon separated label values, but for aggregation purposes,
we limit the use to 4 attributes per value.  Attributes are the comma separated
fields in a given label value.  This is the syntax today:

      label[:label...]
      label :: [object=]word[,word][;object=]word[,word]]

These numbers are arbitrary, and I can change them anytime.
So once I see what you're up to, then I can change the code accordingly.

Your strategy is an interesting one, but you create the issue where you get very
large labels that may be repeated in the resulting data.  Efficiency is low.
While not appropriate for all cases, you could use an index into a table
that has the big strings, and label the flows with that index.  Or put your table
in a database, and we can do lookups, or… whatever.

Carter


On Nov 14, 2012, at 8:41 PM, Jesse Bowling <jessebowling at gmail.com> wrote:

> I suspect it's array space...My flow_label file contains entries of the form: filter="host X.X.X.X" label="dns.name.for.host,otherdns.name.for.host..."
> 
> Some of those entries are rather large (for instance, with some google addresses)...I'll send the contents in another email...
> 
> Is there a known limit to the length of a label? I can certainly add some checks to ensure my labels come in under it...
> 
> Cheers,
> 
> Jesse
> 
> 
> 
> On Wed, Nov 14, 2012 at 4:27 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Jesse,
> So what is in that flow_label file ?
> So we're blowing up reading the file.  I suspect that we're either running out of
> array space somewhere, or there is a syntax error that we're not handling well.
> 
> Can you share your flow_label file ?
> 
> Carter 
> 
> On Nov 14, 2012, at 1:46 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
> 
>> Seems I can't learn a new use for argus without finding a way to break it... :)
>> 
>> Another segfault, this time in ralabel.conf. Please let me know if I can do anything to help debug this...
>> 
>> $ egrep -v '^#' ralabel.conf 
>> 
>> RALABEL_ARIN_COUNTRY_CODES=yes
>> RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"
>> RALABEL_ARGUS_FLOW=yes
>> RALABEL_ARGUS_FLOW_FILE="./flow_label"
>> 
>> $ wc -l flow_label 
>> 2066 flow_label
>> 
>> $ gdb ralabel
>> GNU gdb (GDB) 7.1-ubuntu
>> Copyright (C) 2010 Free Software Foundation, Inc.
>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
>> and "show warranty" for details.
>> This GDB was configured as "x86_64-linux-gnu".
>> For bug reporting instructions, please see:
>> <http://www.gnu.org/software/gdb/bugs/>...
>> Reading symbols from /usr/local/bin/ralabel...done.
>> (gdb) run -r host.argus -f ./ralabel.conf  -s "+sco +dco +label:40"
>> Starting program: /usr/local/bin/ralabel -r host.argus -f ./ralabel.conf  -s "+sco +dco +label:40"
>> [Thread debugging using libthread_db enabled]
>> 
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x00007ffff742833b in memcpy () from /lib/libc.so.6
>> (gdb) up
>> #1  0x00007ffff740a96d in _IO_getline_info () from /lib/libc.so.6
>> (gdb) up
>> #2  0x00007ffff7409879 in fgets () from /lib/libc.so.6
>> (gdb) up
>> #3  0x00000000004981da in RaReadFlowLabels (parser=0x7ffff7e9f010, labeler=0xb3c1f0,
>>     file=0x7fffffffcb68 "38.g.akamai.net,a1840.g.akamai.net,a1846.g.akamai.net,a1854.g.akamai.net,a1878.g.akamai.net,a190.g.akamai.net,a1932.g.akamai.net.0.1.cn.akamaitech.net,a1932.g.akamai.net,a1950.g.a
>>     at ./argus_label.c:716
>> 716     ./argus_label.c: No such file or directory.
>>         in ./argus_label.c
>> (gdb) where
>> #0  0x00007ffff742833b in memcpy () from /lib/libc.so.6
>> #1  0x00007ffff740a96d in _IO_getline_info () from /lib/libc.so.6
>> #2  0x00007ffff7409879 in fgets () from /lib/libc.so.6
>> #3  0x00000000004981da in RaReadFlowLabels (parser=0x7ffff7e9f010, labeler=0xb3c1f0,
>>     file=0x7fffffffcb68 "38.g.akamai.net,a1840.g.akamai.net,a1846.g.akamai.net,a1854.g.akamai.net,a1878.g.akamai.net,a190.g.akamai.net,a1932.g.akamai.net.0.1.cn.akamaitech.net,a1932.g.akamai.net,a1950.g.a
>>     at ./argus_label.c:716
>> #4  0x2e32393731612c74 in ?? ()
>> #5  0x69616d616b612e67 in ?? ()
>> #6  0x3731612c74656e2e in ?? ()
>> <snip>
>> #1192 0x6f7a616d612c7465 in ?? ()
>> Cannot access memory at address 0x7ffffffff000
>> 
>> (gdb) backtrace full
>> #0  0x00007ffff742833b in memcpy () from /lib/libc.so.6
>> No symbol table info available.
>> #1  0x00007ffff740a96d in _IO_getline_info () from /lib/libc.so.6
>> No symbol table info available.
>> #2  0x00007ffff7409879 in fgets () from /lib/libc.so.6
>> No symbol table info available.
>> #3  0x00000000004981da in RaReadFlowLabels (parser=0x7ffff7e9f010, labeler=0xb3c1f0, 
>>     file=0x7fffffffcb68 "38.g.akamai.net,a1840.g.akamai.net,a1846.g.akamai.net,a1854.g.akamai.net,a1878.g.akamai.net,a190.g.akamai.net,a1932.g.akamai.net.0.1.cn.akamaitech.net,a1932.g.akamai.net,a1950.g.a
>>     at ./argus_label.c:716
>>         strbuf = "filter=\"host 184.72.235.54\000 label=\"cookiemonster-production-1222235838.us-east-1.elb.amazonaws.com\000\nfilter=\"host 23.10.192.103\000 label=\"e5529.g.akamaiedge.net.0.1.cn.akamaie
>>         str = 0x7fffffffeb83 "filter=\"host 208.111.160.6\" label=\"aarp.vo.llnwd.net,abcentmktg.vo.llnwd.net,adkeeper.vo.llnwd.net,admeta.vo.llnwd.net,adperk.vo.llnwd.net,advantech.vo.llnwd.net,aglaiasof
>>         ptr = 0x7fffffffeb83 "filter=\"host 208.111.160.6\" label=\"aarp.vo.llnwd.net,abcentmktg.vo.llnwd.net,adkeeper.vo.llnwd.net,admeta.vo.llnwd.net,adperk.vo.llnwd.net,advantech.vo.llnwd.net,aglaiasof
>>         end = 0x7fffffffeb82 "\nfilter=\"host 208.111.160.6\" label=\"aarp.vo.llnwd.net,abcentmktg.vo.llnwd.net,adkeeper.vo.llnwd.net,admeta.vo.llnwd.net,adperk.vo.llnwd.net,advantech.vo.llnwd.net,aglaias
>> .
>>         value = 0x3f07630 "a1116.x.akamai.net,a112.w23.akamai.net,a1223.cp.akamai.net.0.1.cn.akamaitech.net,a1223.cp.akamai.net,a1248.g.akamai.net,a1249.g.akamai.net,a1294.w20.akamai.net,a1362.w3.akamai.n
>>         filter = 0x3f00a10 "host 23.66.231.57"
>>         label = 0x3f07630 "a1116.x.akamai.net,a112.w23.akamai.net,a1223.cp.akamai.net.0.1.cn.akamaitech.net,a1223.cp.akamai.net,a1248.g.akamai.net,a1249.g.akamai.net,a1294.w20.akamai.net,a1362.w3.akamai.n
>>         retn = 0
>>         linenum = 11
>>         fd = 0xb3ca30
>> #4  0x2e32393731612c74 in ?? ()
>> No symbol table info available.
>> #5  0x69616d616b612e67 in ?? ()
>> No symbol table info available.
>> <snip>
>> #1192 0x6f7a616d612c7465 in ?? ()
>> No symbol table info available.
>> Cannot access memory at address 0x7ffffffff000
>> 
>> 
>> 
>> -- 
>> Jesse Bowling
>> 
>> 
> 
> 
> 
> 
> -- 
> Jesse Bowling
> 
> 

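The check Jesse offers to add, so that labels come in under the limits, can be run over a flow_label file before ralabel reads it. The following is an added example, not code from Argus or from either poster. It uses the limits given in the reply above (1024-byte MAXSTRLEN, 256 colon-separated values, 4 comma-separated attributes per value) and assumes the filter="..." label="..." line format quoted in the thread; the function and enum names are hypothetical, and ;object= grouping is not treated specially.

```c
#include <stdio.h>
#include <string.h>

/* Limits as stated in the reply above; they are described there as arbitrary. */
#define MAX_LABEL_BYTES 1024  /* MAXSTRLEN on most machines */
#define MAX_VALUES       256  /* colon-separated label values */
#define MAX_ATTRS          4  /* comma-separated attributes per value */

enum label_status { LABEL_OK, LABEL_MISSING, LABEL_TOO_LONG,
                    LABEL_TOO_MANY_VALUES, LABEL_TOO_MANY_ATTRS };

/* Check one flow_label line of the form: filter="..." label="..." */
enum label_status check_flow_label_line(const char *line)
{
    const char *p = strstr(line, "label=\"");
    if (p == NULL) return LABEL_MISSING;
    p += strlen("label=\"");
    const char *end = strchr(p, '"');
    if (end == NULL) return LABEL_MISSING;        /* unterminated quote */
    /* Conservative: leave room for the terminating NUL in a 1024-byte buffer. */
    if ((size_t)(end - p) >= MAX_LABEL_BYTES) return LABEL_TOO_LONG;

    int values = 1, attrs = 1;
    for (; p < end; p++) {
        if (*p == ':') {                          /* next label value */
            if (++values > MAX_VALUES) return LABEL_TOO_MANY_VALUES;
            attrs = 1;
        } else if (*p == ',') {                   /* next attribute */
            if (++attrs > MAX_ATTRS) return LABEL_TOO_MANY_ATTRS;
        }
    }
    return LABEL_OK;
}

int main(void)
{
    /* Constructed sample lines in the format quoted in the thread. */
    const char *samples[] = {
        "filter=\"host 192.0.2.1\" label=\"a.example.net,b.example.net\"",
        "filter=\"host 192.0.2.2\" label=\"a.example,b.example,c.example,d.example,e.example\"",
        "filter=\"host 192.0.2.3\"",
    };
    static const char *names[] = { "ok", "no label", "label too long",
                                   "too many values", "too many attributes" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("line %zu: %s\n", i + 1, names[check_flow_label_line(samples[i])]);
    return 0;
}
```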