Bug with malformed host in filter

Carter Bullard carter at qosient.com
Wed Feb 27 11:25:17 EST 2013 

Hey Dave,
Yes seems that there is a bug, as I can get it to do the right thing with a -D4,
but it fails with a -D3 option.  Smells like a buffer overrun in creating one of the tests.

osiris:common carter$ ../bin/ra -D3 -b - host 10
Segmentation fault: 11

osiris:common carter$ ../bin/ra -D4 -b - host 10
ra[32415.8001aa7bff7f0000]: 2013/02/27.11:22:30.219159 ArgusFilterCompile () calling argus_lex_init(host 10)
ra[32415.8001aa7bff7f0000]: 2013/02/27.11:22:30.219217 ArgusFilterCompile () calling argus_parse()
ra[32415.8001aa7bff7f0000]: 2013/02/27.11:22:30.219295 Argusgen_linktype (0x806) returns 0x90808e70
ra[32415.8001aa7bff7f0000]: 2013/02/27.11:22:30.219325 Argusgen_linktype (0x800) returns 0x90808cb8
ra[32415.8001aa7bff7f0000]: 2013/02/27.11:22:30.219348 Argusgen_linktype (0x86dd) returns 0x90808b00
ra[32415.8001aa7bff7f0000]: 2013/02/27.11:22:30.219370 Argusgen_host (0x0, 0x5208b668, 0, 0x0, 0) returns 0x90808e70
ra[32415.8001aa7bff7f0000]: 2013/02/27.11:22:30.219394 Argusgen_ncode ((null), 0xa, 0x5208b6b8, 0x1) returns 0x90808e70
ra[32415.8001aa7bff7f0000]: 2013/02/27.11:22:30.219425 Argusfinish_parse (0x90808e70)
ra[32415.8001aa7bff7f0000]: 2013/02/27.11:22:30.219447 ArgusFilterCompile () argus_parse() done
ra[32415.8001aa7bff7f0000]: 2013/02/27.11:22:30.219534 ArgusFilterCompile () done 0
(000) ldb      dsr[1][2]
(001) and      #31
(002) jeq      #0x2             jt 5	jf 3
(003) jeq      #0x1             jt 5	jf 4
(004) jeq      #0x4             jt 5	jf 6
(005) ret      #150
(006) ret      #0


I'll find this today.
Carter



On Feb 26, 2013, at 8:53 PM, "Dave Edelman" <dedelman at iname.com> wrote:

> I can verify that under FC14 ra 3.0.7.3 does not segfault but it does
> complain about a filter syntax error.
> 
> # ra -S localhost:561 - host 10
> ra[458]: Wed 2013-02-27 01:14:42.277 host 10 filter syntax error
> 
> This is strange because according to the inet(3) man page, 10 is a perfectly
> acceptable IPv4 address. 
> Just to make things even stranger, I do have a valid DNS resolution for 10
> which is no surprise given Cablevision's level of technical acumen. (At
> least they aren't claiming to be authoritative.) 
> 
> #  dig 10
> 
> ; <<>> DiG 9.7.4-P1-RedHat-9.7.4-2.P1.fc14 <<>> 10
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54672
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;10.                            IN      A
> 
> ;; ANSWER SECTION:
> 10.                     0       IN      A       67.63.55.3
> 
> ;; Query time: 54 msec
> ;; SERVER: 167.206.245.130#53(167.206.245.130)
> ;; WHEN: Wed Feb 27 01:15:15 2013
> ;; MSG SIZE  rcvd: 36
> 
> 
> --Dave
> 
> 
>> -----Original Message-----
>> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
>> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu]
>> On Behalf Of elof2 at sentor.se
>> Sent: Monday, February 25, 2013 11:51 AM
>> To: Carter Bullard
>> Cc: pauls at utdallas.edu; Argus Development
>> Subject: Re: [ARGUS] Bug with malformed host in filter
>> 
>> 
>> Sounds good. You're swift in response and action as always. :-)
>> 
>> Yes, I manually compile and use the latest version of argus and other apps
>> when they have an important bugfix or new feature, but usually I try to
> stick
>> with the normal FreeBSD ports, since this makes managing hundreds of
>> boxes much easier.
>> 
>> Perhaps Paul S will deploy an update of the FreeBSD port soon, getting
> argus-
>> clients closer to 3.0.7.5.
>> 
>> 
>> 
>> On your FreeBSD VM, run: portsnap fetch update
>> 
>> Remove any currently installed argus/ra binaries.
>> 
>> cd /usr/ports/net-mgmt/argus3-clients
>> make
>> make install
>> 
>> That should give you Ra Version 3.0.6.2 to play around with.
>> 
>> /Elof
>> 
>> 
>> On Mon, 25 Feb 2013, Carter Bullard wrote:
>> 
>>> No problems.  I'll look around to see what is up.  I've got a
>>> FreeBSD VM I can test on, will try to fire that up today.
>>> The fault concerns me, so I'll try to recreate that first.
>>> 
>>> Do try to work with the latest at some point to see if we've
>>> fixed the problem.
>>> 
>>> Carter
>>> 
>>> On Feb 25, 2013, at 10:47 AM, elof2 at sentor.se wrote:
>>> 
>>>> 
>>>> I'm using the official Argus port on a FreeBSD 9.1 amd64 machine.
>>>> 
>>>> Hehe, no, I have no host called "10". :)
>>>> ...and speaking of resolving, I have no /etc/resolv.conf at all.
>>>> 
>>>> Unfortunetly I currently have no time to compile and test
> argus-clients-
>> 3.0.7.5. :-/
>>>> 
>>>> /Elof
>>>> 
>>>> On Mon, 25 Feb 2013, Carter Bullard wrote:
>>>> 
>>>>> Hmmmm,
>>>>> That is interesting.  I'm not getting the same types of errors on Mac
> OS X.
>> Are you
>>>>> using Centos by any chance (just a guess).  The filter should fail all
> the
>> time.
>>>>> We figure out if " 10 ", which the filter things is either a digit or
> a string, is
>> a good
>>>>> address by calling gethostbyname().  Any chance you have a host named
>> " 10 "
>>>>> outthere?
>>>>> 
>>>>> Does argus-clients-3.0.7.5 do a better job ?
>>>>> Carter
>>>>> 
>>>>> 
>>>>> On Feb 25, 2013, at 9:02 AM, elof2 at sentor.se wrote:
>>>>> 
>>>>>> 
>>>>>> Hi Carter!
>>>>>> 
>>>>>> I stumbled on to a bug when accidentally executing a ra command with
>> an incomplete IP address.
>>>>>> Strangely enough, the error-detection make different descisions
>> depending of its place in the filter string.
>>>>>> 
>>>>>> Example:
>>>>>> 
>>>>>> #ra -Zb -nr argus.log - host 10.10.10.10 and host 10
>>>>>> 
>>>>>> pid 1907 (ra), uid 0: exited on signal 11 (core dumped)
>>>>>> host 10.10.10.10 and host 10 filter syntax error
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> The filter "tcp and host 10" and other elements before "host 10" also
>> fail.
>>>>>> 
>>>>>> However, a filter of just "host 10" by itself does not fail, nor does
> "host
>> 10 and host 10.10.10.10"
>>>>>> 
>>>>>> 
>>>>>> (ra version 3.0.6.2)
>>>>>> 
>>>>>> /Elof
>>>>>> 
>>>>> 
>>>>> 
>>>> 
>>> 
>>> 
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2589 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130227/586785ca/attachment.bin>

More information about the argus mailing list