racluster 3.0.8.2 segfaults with -M dsrs option

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Thu Jul 14 14:58:28 EDT 2016


Hey Markku P,
You should be running argus-clients-3.0.8.2, as that is the current version.  If you can, please make that upgrade.  The modifications I have included below belong to that version, so if needed … upgrade and then update with the included files below.

The file that you sent is corrupted (as you probably suspected).  It has a partial argus record at byte offset 1863448 (about 22% into the data file), which doesn’t have any time values. This is an illegal record, and so we stop processing.  Your corrupted file did expose a bug that I’ve fixed.

Now, argus clients can recover from corrupted flow records by skipping 4-byte chunks until they find legitimate records in the file, and your file does have legitimate data starting at byte count 1866640.  But there are a few records that are really munged.  Any possibility that you had 2 processes writing into the file for some time ????

The corrupted file tickled a few bugs, as the corruption generated pseudo Netflow records, and pseudo Argus event records.  I’ve fixed it to the point that we can read your file, but it involves multiple changes to ./common/argus_client.c and ./common/argus_util.c.  If you could, replace your copies with the files I’ve included and test it out on your data, that would be cool.

Thanks !!!!

Carter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: argus_client.c
Type: application/octet-stream
Size: 693279 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20160714/ce276876/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: argus_util.c
Type: application/octet-stream
Size: 898316 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20160714/ce276876/attachment-0001.obj>
-------------- next part --------------

> On Jul 14, 2016, at 8:47 AM, Markku P via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
> Hi,
> 
> My argus 3.0.8.1 has managed to produce a few files that segfault even the latest racluster:
> 
> $ racluster -M dsrs=-agr -r crashing-20160703.dat -m proto  -w out.ra
> Segmentation fault
> 
> The issue seems to be on the "-M dsrs" option. The actual option value used does not seem to matter. Direct read with ra works normally. That same option works with most of my other files.
> 
> Trace:
> #0  0x0000000000457a81 in ArgusGenerateRecordStruct ()
> #1  0x0000000000432f4c in ArgusHandleRecord ()
> #2  0x0000000000459b7c in ArgusReadStreamSocket ()
> #3  0x0000000000459cb5 in ArgusReadFileStream ()
> #4  0x0000000000406482 in main ()
> 
> The system is an old CentOS 64-bit Linux, gcc 4.1.2.
> 
> I have uploaded that test file to qosient.com /incoming for your analysis.
> 
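
The recovery strategy described above (reject a record with no time values, then step forward 4 bytes at a time until a legitimate record is found, reporting how much was discarded) as an added illustration, not code from the argus-clients sources. The record layout below is a hypothetical simplification assumed for the example, not the real Argus binary format, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical simplified layout, NOT the real Argus binary format:
 * 4-byte header: type(1) cause(1) len(2, little-endian, in 4-byte words),
 * then a 4-byte start-time seconds field that a legal record never leaves zero. */
#define REC_TYPE_FLOW 0x10
#define MIN_WORDS 2
#define MAX_WORDS 64
typedef struct { size_t count, skipped, off[8]; } scan_result;

/* Length in bytes of a valid record starting at buf+off, or 0 if none starts there. */
static size_t valid_record(const uint8_t *buf, size_t n, size_t off) {
    if (off + 8 > n || buf[off] != REC_TYPE_FLOW) return 0;
    uint16_t words = (uint16_t)(buf[off + 2] | (buf[off + 3] << 8));
    if (words < MIN_WORDS || words > MAX_WORDS) return 0;
    size_t len = (size_t)words * 4;
    if (off + len > n) return 0;              /* partial record: runs past end of data */
    uint32_t secs; memcpy(&secs, buf + off + 4, sizeof secs);
    return secs == 0 ? 0 : len;               /* no time value: illegal record */
}

/* Walk the buffer; whenever no valid record starts at the cursor, step 4 bytes
 * and try again, counting how much data was thrown away. */
scan_result scan_records(const uint8_t *buf, size_t n) {
    scan_result r = {0, 0, {0}};
    size_t off = 0;
    while (off + 4 <= n) {
        size_t len = valid_record(buf, n, off);
        if (len == 0) { off += 4; r.skipped += 4; continue; }
        if (r.count < 8) r.off[r.count] = off;
        r.count++;
        off += len;
    }
    return r;
}

/* Constructed sample: two good records, a record whose time field is zero
 * (the kind of partial record the thread describes), 8 bytes of junk, one good record. */
scan_result demo(void) {
    static const uint8_t sample[] = {
        0x10,0x00,0x02,0x00, 0x01,0x00,0x00,0x00,                       /* off 0, 8 bytes */
        0x10,0x00,0x03,0x00, 0x02,0x00,0x00,0x00, 0xaa,0xbb,0xcc,0xdd,  /* off 8, 12 bytes */
        0x10,0x00,0x02,0x00, 0x00,0x00,0x00,0x00,                       /* off 20: time == 0 */
        0xff,0xff,0xff,0xff,                                            /* off 28: junk */
        0x10,0x00,0x02,0x00, 0x03,0x00,0x00,0x00 };                     /* off 32, 8 bytes */
    scan_result r = scan_records(sample, sizeof sample);
    printf("records=%zu skipped=%zu bytes\n", r.count, r.skipped);
    return r;
}
```

The validity check has to be strict (length bounds plus a non-zero time field here); a resync loop that trusts a corrupt length field alone can swallow good records or accept junk as pseudo records, which is the failure mode the fixes in this thread address.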
