racluster double free

Mike Iglesias iglesias at uci.edu
Thu Jul 11 10:42:04 EDT 2013


I'm running argus-clients-3.0.7.10 on a Fedora 17 x86_64 system.  The argus
data was gathered by argus (v3.0.7.3) and transferred via radium on another
system to a file.  Running this command

racluster -r argrh.out -f /log/bin/racluster.conf -nn not net 128.200.2.0/24|more

(all one line in case it wraps)

after 1 page of output thru more, I type "q" to exit more and get the
following.  If I type ^C, it just exits like it should.

*** glibc detected *** racluster: double free or corruption (!prev): 0x000000000100fc50 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3f5e07c00e]
racluster[0x404e24]
racluster[0x405d7c]
racluster[0x420d45]
racluster[0x431f43]
racluster[0x464bb6]
racluster[0x464e74]
racluster[0x403ccd]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x3f5e021735]
racluster[0x4041dd]
======= Memory map: ========
Abort (core dumped)

Using gdb on the core dump and executable to see where it died:

(gdb) where
#0  0x0000003f5e035935 in raise () from /lib64/libc.so.6
#1  0x0000003f5e0370e8 in abort () from /lib64/libc.so.6
#2  0x0000003f5e074e8b in __libc_message () from /lib64/libc.so.6
#3  0x0000003f5e07c00e in _int_free () from /lib64/libc.so.6
#4  0x0000000000404e24 in ArgusClientTimeout ()
#5  0x0000000000405d7c in RaProcessRecord ()
#6  0x0000000000420d45 in RaScheduleRecord ()
#7  0x0000000000431f43 in ArgusHandleDatum ()
#8  0x0000000000464bb6 in ArgusReadStreamSocket ()
#9  0x0000000000464e74 in ArgusReadFileStream ()
#10 0x0000000000403ccd in main ()


If I remove the "-f /log/bin/racluster.conf" from the command line, it exits
like it should when I type "q", so that implies something in the
racluster.conf file is causing this.  It's a very simple file:

filter="" model="saddr daddr proto sport dport" status=0 idle=300

There is also an /etc/ra.conf file:

RA_TIME_FORMAT="%d %b %y %T"
RA_FIELD_WIDTH=variable

I can supply the argrh.out file, core dump, etc files
if you need them.


-- 
Mike Iglesias                          Email:       iglesias at uci.edu
University of California, Irvine       phone:       949-824-6926
Office of Information Technology       FAX:         949-824-2270


