[ARGUS] argus 5 ethernet parse error
Ming Fu via Argus-info
argus-info at lists.andrew.cmu.edu
Thu Oct 17 21:14:05 EDT 2024
Hi,
I noticed that argus 5.0.0 can crash on an odd Ethernet header.
I tried argus from the head of the repo as of today; the code crashes at the same location.
(gdb) where
#0 0x000055555556baad in ArgusCreateIPv4Flow ()
#1 0x000055555556c6bd in ArgusCreateFlow ()
#2 0x000055555556c985 in ArgusProcessPacket ()
#3 0x0000555555570c64 in ArgusEtherPacket ()
#4 0x00007ffff7f7cb95 in ?? () from /lib/x86_64-linux-gnu/libpcap.so.0.8
#5 0x00007ffff7f7d004 in ?? () from /lib/x86_64-linux-gnu/libpcap.so.0.8
#6 0x00005555555752cd in ArgusGetPackets ()
#7 0x00007ffff7f56609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#8 0x00007ffff7d04353 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Looks like the odd ether type caused argus to not fill in the IP address when calling into ArgusCreateIPv4Flow().
I attached a small pcap file; the second packet is the one that can crash argus. It has an ether type of 0x0056 rather than the usual 0x8000.
Regards,
Ming
-------------- next part --------------
A non-text attachment was scrubbed...
Name: twopacket.pcap
Type: application/octet-stream
Size: 248 bytes
Desc: twopacket.pcap
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20241018/ec03b09a/attachment.obj>
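An added example, not part of the original message and not Argus code: one way a capture parser can check the Ethernet type/length field and the IPv4 header bounds before handing a frame to IPv4 flow code. Under IEEE 802.3 a value of 1500 or less in that field (0x0056 is 86) is a payload length, not an EtherType. All names here are hypothetical, the two frames are constructed samples (not the attached pcap), and only untagged frames are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IEEE 802.3: type/length <= 1500 is a payload length, >= 0x0600 is an EtherType. */
#define ETH_HDR_LEN    14
#define ETH_MAX_LEN    1500
#define ETHERTYPE_MIN  0x0600
#define ETHERTYPE_IPV4 0x0800
#define IPV4_MIN_HDR   20

enum frame_class { FRAME_TRUNCATED, FRAME_8023_LENGTH, FRAME_RESERVED,
                   FRAME_OTHER_TYPE, FRAME_BAD_IPV4, FRAME_IPV4 };
struct ipv4_addrs { uint32_t src, dst; };   /* host byte order */

/* Constructed sample frames (hypothetical addresses). */
static const uint8_t sample_8023[] = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x00,0x56,
                                       0xaa,0xaa,0x03,0x00 };
static const uint8_t sample_ipv4[] = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00,
    0x45,0x00,0x00,0x14, 0,0,0,0, 0x40,0x11,0,0, 192,0,2,1, 192,0,2,2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Classify a captured frame; *out is written only when FRAME_IPV4 is returned. */
enum frame_class classify_frame(const uint8_t *buf, size_t caplen, struct ipv4_addrs *out)
{
    if (buf == NULL || caplen < ETH_HDR_LEN) return FRAME_TRUNCATED;
    uint16_t tl = rd16(buf + 12);
    if (tl <= ETH_MAX_LEN)    return FRAME_8023_LENGTH;  /* LLC frame, no EtherType */
    if (tl < ETHERTYPE_MIN)   return FRAME_RESERVED;     /* 1501..1535 is undefined */
    if (tl != ETHERTYPE_IPV4) return FRAME_OTHER_TYPE;

    const uint8_t *ip = buf + ETH_HDR_LEN;
    size_t left = caplen - ETH_HDR_LEN;
    if (left < IPV4_MIN_HDR) return FRAME_BAD_IPV4;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;             /* header length in bytes */
    if ((ip[0] >> 4) != 4 || ihl < IPV4_MIN_HDR || ihl > left) return FRAME_BAD_IPV4;
    if (out) { out->src = rd32(ip + 12); out->dst = rd32(ip + 16); }
    return FRAME_IPV4;
}

int main(void) {
    struct ipv4_addrs a = {0, 0};
    printf("0x0056 frame -> %d\n", classify_frame(sample_8023, sizeof sample_8023, &a));
    printf("IPv4 frame   -> %d\n", classify_frame(sample_ipv4, sizeof sample_ipv4, &a));
    return 0;
}
```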