[ARGUS] Segfault on proto 58 (server/client v 5.0.2)
Patrick Forsberg
patrick.forsberg at chalmers.se
Tue Mar 18 05:55:29 EDT 2025
I found and fixed the problem.
This is what I posted as an issue on GitHub:
https://github.com/openargus/clients/issues/17
*argus_utils.c segfaults on ICMPv6 Type 2: Packet Too Big*
The main issue is using strlen on a NULL string in ArgusPrintState:

    int slen = strlen(ArgusProcessStr);

The reason there is a NULL string in the first place is caused by
ArgusGetICMPv6Status:

    case ICMP6_PACKET_TOO_BIG:
       retn = icmptypestr[45];
       break;

icmptypestr is declared in argus_util.h as

    #define ICMP_MAXTYPE 46
    char *icmptypestr[ICMP_MAXTYPE + 1] = {
       "ECR", " ", " ", "UR" , "SRC", "RED",
       "AHA", " ", "ECO", "RTA", "RTS", "TXD",
       "PAR", "TST", "TSR", "IRQ", "IRR", "MAS",
       "MSR", "SEC", "ROB", "ROB", "ROB", "ROB",
       "ROB", "ROB", "ROB", "ROB", "ROB", "ROB",
       "TRC", "DCE", "MHR", "WAY", "IAH", "MRQ",
       "MRP", "DNQ", "DNP", "SKP", "PHO", "EXM",
       "EEO", "EER",
    };

Counting the string elements we can see there are only 44 even though
the array is defined to be 47 elements,
so retn = icmptypestr[45]; will assign a null string to retn.
Here is a proposed patch

*argus_util.c*
diff --git a/common/argus_util.c b/common/argus_util.c
index ca0e4fc..8b4e6df 100644
--- a/common/argus_util.c
+++ b/common/argus_util.c
@@ -19716,7 +19716,10 @@ ArgusPrintState (struct ArgusParserStruct
*parser, char *buf, struct ArgusRecord
sprintf (buf, " State = \"%s\"", ArgusProcessStr);
} else {
- int slen = strlen(ArgusProcessStr);
+ int slen = 0;
+ if (ArgusProcessStr != NULL) {
+ int slen = strlen(ArgusProcessStr);
+ }
if (parser->RaFieldWidth != RA_FIXED_WIDTH) {
len = slen;
} else {
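Review bot: the added line "int slen = strlen(ArgusProcessStr);" inside the new if block declares a second variable that shadows the outer slen, so the outer slen is still 0 when "len = slen;" runs, for every record and not only when the pointer is NULL. Drop the "int" on the inner line so it assigns to the variable declared just above. The sprintf (buf, " State = \"%s\"", ArgusProcessStr) branch in the context lines still receives the pointer unchecked and would need the same guard.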
@@ -26586,7 +26589,7 @@ ArgusGetICMPv6Status (struct ArgusParserStruct
*parser, struct ArgusRecordStruct
}
break;
case ICMP6_PACKET_TOO_BIG:
- retn = icmptypestr[45];
+ retn = "PTB";
break;
case ICMP6_TIME_EXCEEDED:
switch (icmp->code) {
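Review bot: the literal "PTB" in the ICMP6_PACKET_TOO_BIG case bypasses icmptypestr, while the argus_util.h hunk in the same patch fills the remaining slots, index 45 included, with " ", so the table and this case now disagree about what slot 45 means. Either put "PTB" into the table at the index this case used and keep the lookup, or remove the dependence on that index everywhere. It is also worth checking whether other cases in this switch index icmptypestr beyond the entries that are actually initialized.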
*argus_util.h*
diff --git a/include/argus_util.h b/include/argus_util.h
index 12b22ce..2d7c4c5 100644
--- a/include/argus_util.h
+++ b/include/argus_util.h
@@ -1570,7 +1570,7 @@ char *icmptypestr[ICMP_MAXTYPE + 1] = {
"ROB", "ROB", "ROB", "ROB", "ROB", "ROB",
"TRC", "DCE", "MHR", "WAY", "IAH", "MRQ",
"MRP", "DNQ", "DNP", "SKP", "PHO", "EXM",
- "EEO", "EER",
+ "EEO", "EER", " ", " ", " ",
};
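Review bot: the three " " entries appended after "EER" are hand-counted to reach ICMP_MAXTYPE + 1, and nothing fails at build time if the initializer list and the macro drift apart again. Because the array has an explicit size, a short list silently leaves NULL slots, which is the original fault. Declaring the array without a size and adding a compile-time assertion that its element count equals ICMP_MAXTYPE + 1 would turn a future mismatch into a build error.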
On 2025-03-17 20:59, Patrick Forsberg wrote:
>
> After painfully compiling argus-3.0.8.4 and doing a capture with that
> it would seem that it is ICMPv6 PTB records that cause the segfault.
>
> ra -r /var/log/argus/icmpv6.ra
> StartTime Flgs Proto SrcAddr Sport
> Dir DstAddr Dport TotPkts TotBytes State
> 03/17.19:45:27.0* M 58 ::.128
> -> :: 39 3070 ECO
> Segmentation fault (core dumped)
>
> ra3 -r /var/log/argus/icmpv6.ra
> StartTime Flgs Proto SrcAddr Sport
> Dir DstAddr Dport TotPkts TotBytes State
> 19:32:08.761843 man 0
> 0 0 0 0 0 STA
> 19:45:27.004724 M 58 ::.128
> -> ::.0 39 3070 ECO
> 19:45:28.683723 e 58 ::.2
> -> ::.0 1 1294 PTB
>
> Attached is some argus data containing ipv6 icmp captured with
> argus-3.0.8.4 that causes the segfault
>
> /Patrick
>
> On 2025-03-17 19:25, Patrick Forsberg wrote:
>>
>> I installed and compiled argus and clients today, but when I run ra
>> on captured data it segfaults pretty quickly.
>>
>> I've managed to narrow it down to being a problem with ipv6-icmp
>> (protocol 58) since I can run 'ra -r <capture file> - not proto
>> ipv6-icmp' without problems.
>>
>> Any suggestions on how I can dig further or even a suggestion on what
>> the problem could be?
>>
>> Installation was pretty straightforward
>>
>> git clone https://github.com/openargus/argus
>> git clone https://github.com/openargus/clients
>>
>> cd argus; ./configure && make && make install
>> cd client; ./configure && make && make install
>>
>> All done on Ubuntu 24.04
>>
>> Regards,
>>
>> /Patrick
--
*Patrick Forsberg*
IT-säkerhetsspecialist | IT Security Specialist
Chalmers Cyber- och informationssäkerhetsgrupp (CCIG) | Chalmers IRT
<abuse at chalmers.se> <mailto:abuse at chalmers.se>
Chalmers verksamhetsstöd | Chalmers Operations Support
IT-avdelningen | IT Office
+46(0)31 772 5353
Besöksadress: Teknikparken / Sven Hultins gata 9C
*CHALMERS*
Chalmers tekniska högskola | Chalmers University of Technology
SE-412 96
Göteborg | Gothenburg
Sverige | Sweden
www.chalmers.se <https://www.chalmers.se>
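
The fault described in this message, as an added example that is not part of the original post or of the Argus source: the table is copied from the message, and the helper names first_null_slot, count_null_slots, icmp_type_name and state_width are hypothetical. It shows that the short initializer leaves slots 44 to 46 as NULL pointers, and one way to guard both the lookup and the strlen call.

```c
#include <stdio.h>
#include <string.h>

#define ICMP_MAXTYPE 46
#define NSLOTS (ICMP_MAXTYPE + 1)

/* Table copied from the message: 44 initializers for 47 slots.
 * C zero-fills the remainder, so slots 44..46 are NULL pointers. */
static const char *icmptypestr[NSLOTS] = {
   "ECR", " ", " ", "UR" , "SRC", "RED",
   "AHA", " ", "ECO", "RTA", "RTS", "TXD",
   "PAR", "TST", "TSR", "IRQ", "IRR", "MAS",
   "MSR", "SEC", "ROB", "ROB", "ROB", "ROB",
   "ROB", "ROB", "ROB", "ROB", "ROB", "ROB",
   "TRC", "DCE", "MHR", "WAY", "IAH", "MRQ",
   "MRP", "DNQ", "DNP", "SKP", "PHO", "EXM",
   "EEO", "EER",
};

/* Index of the first NULL slot, or -1 if the table is fully populated. */
int first_null_slot(void) {
   for (int i = 0; i < NSLOTS; i++)
      if (icmptypestr[i] == NULL) return i;
   return -1;
}

/* Number of slots the initializer left as NULL. */
int count_null_slots(void) {
   int n = 0;
   for (int i = 0; i < NSLOTS; i++)
      if (icmptypestr[i] == NULL) n++;
   return n;
}

/* Hypothetical guarded lookup: never hands a NULL back to the caller. */
const char *icmp_type_name(unsigned int type, const char *fallback) {
   if (type >= NSLOTS || icmptypestr[type] == NULL) return fallback;
   return icmptypestr[type];
}

/* Hypothetical NULL-safe width, the check the strlen call site lacked. */
size_t state_width(const char *s) {
   return s != NULL ? strlen(s) : 0;
}

int main(void) {
   printf("first NULL slot: %d, NULL slots: %d\n", first_null_slot(), count_null_slots());
   printf("type 8 -> %s, type 45 -> %s\n", icmp_type_name(8, "UNK"), icmp_type_name(45, "UNK"));
   return 0;
}
```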