<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>I found and fixed the problem. <br>
This is what I posted as an issue on github,
<a class="moz-txt-link-freetext" href="https://github.com/openargus/clients/issues/17">https://github.com/openargus/clients/issues/17</a><br>
<br>
<br>
<b>argus_utils.c segfaults on ICMPv6 Type 2: Packet To Big<br>
</b><br>
The main issue is using strlen on a NULL string in ArgusPrintState<br>
<br>
int slen = strlen(ArgusProcessStr);<br>
<br>
The reason there is a NULL string in the first place is caused by
ArgusGetICMPv6Status<br>
<br>
case ICMP6_PACKET_TOO_BIG:<br>
retn = icmptypestr[45];<br>
break;<br>
<br>
icmptypestr is declared in argus_util.h as<br>
<br>
#define ICMP_MAXTYPE 46<br>
<br>
char *icmptypestr[ICMP_MAXTYPE + 1] = {<br>
"ECR", " ", " ", "UR" , "SRC", "RED",<br>
"AHA", " ", "ECO", "RTA", "RTS", "TXD",<br>
"PAR", "TST", "TSR", "IRQ", "IRR", "MAS",<br>
"MSR", "SEC", "ROB", "ROB", "ROB", "ROB",<br>
"ROB", "ROB", "ROB", "ROB", "ROB", "ROB",<br>
"TRC", "DCE", "MHR", "WAY", "IAH", "MRQ",<br>
"MRP", "DNQ", "DNP", "SKP", "PHO", "EXM",<br>
"EEO", "EER",<br>
};<br>
<br>
Counting the string elements we can see there are only 44 even
though the array is defined to be 47 elements<br>
so retn = icmptypestr[45]; will assign a null string to retn.<br>
<br>
Here is a proposed patch<br>
<br>
<b>argus_util.c<br>
</b><br>
diff --git a/common/argus_util.c b/common/argus_util.c<br>
index ca0e4fc..8b4e6df 100644<br>
--- a/common/argus_util.c<br>
+++ b/common/argus_util.c<br>
@@ -19716,7 +19716,10 @@ ArgusPrintState (struct ArgusParserStruct
*parser, char *buf, struct ArgusRecord<br>
sprintf (buf, " State = \"%s\"", ArgusProcessStr);<br>
<br>
} else {<br>
- int slen = strlen(ArgusProcessStr);<br>
+ int slen = 0;<br>
+ if (ArgusProcessStr != NULL) {<br>
+ int slen = strlen(ArgusProcessStr);<br>
+ }<br>
if (parser->RaFieldWidth != RA_FIXED_WIDTH) {<br>
len = slen;<br>
} else {<br>
@@ -26586,7 +26589,7 @@ ArgusGetICMPv6Status (struct
ArgusParserStruct *parser, struct ArgusRecordStruct<br>
}<br>
break;<br>
case ICMP6_PACKET_TOO_BIG:<br>
- retn = icmptypestr[45];<br>
+ retn = "PTB";<br>
break;<br>
case ICMP6_TIME_EXCEEDED:<br>
switch (icmp->code) {<br>
<br>
<b>argus_util.h<br>
</b><br>
diff --git a/include/argus_util.h b/include/argus_util.h<br>
index 12b22ce..2d7c4c5 100644<br>
--- a/include/argus_util.h<br>
+++ b/include/argus_util.h<br>
@@ -1570,7 +1570,7 @@ char *icmptypestr[ICMP_MAXTYPE + 1] = {<br>
"ROB", "ROB", "ROB", "ROB", "ROB", "ROB",<br>
"TRC", "DCE", "MHR", "WAY", "IAH", "MRQ",<br>
"MRP", "DNQ", "DNP", "SKP", "PHO", "EXM",<br>
- "EEO", "EER",<br>
+ "EEO", "EER", " ", " ", " ",<br>
};<br>
<br>
</p>
<div class="moz-cite-prefix">On 2025-03-17 20:59, Patrick Forsberg
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:4b96c465-d251-4269-a46f-7f8555728536@chalmers.se">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p>After painfully compiling argus-3.0.8.4 and doing a capture
with that it would seems that it is ICMPv6 PTB records that
causes the segfault.<br>
<br>
ra -r /var/log/argus/icmpv6.ra <br>
StartTime Flgs Proto SrcAddr Sport
Dir DstAddr Dport TotPkts TotBytes State <br>
03/17.19:45:27.0* M 58 ::.128
-> :: 39 3070 ECO<br>
Segmentation fault (core dumped)<br>
<br>
ra3 -r /var/log/argus/icmpv6.ra<br>
StartTime Flgs Proto SrcAddr Sport
Dir DstAddr Dport TotPkts TotBytes State <br>
19:32:08.761843 man 0
0 0 0 0 0 STA<br>
19:45:27.004724 M 58 ::.128
-> ::.0 39 3070 ECO<br>
19:45:28.683723 e 58 ::.2
-> ::.0 1 1294 PTB<br>
<br>
Attached is some argus data containing ipv6 icmp captured with
argus-3.0.8.4 that causes the segfault<br>
<br>
/Patrick<br>
</p>
<div class="moz-cite-prefix">On 2025-03-17 19:25, Patrick Forsberg
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:e2105bc9-c1ae-4899-97ae-0b5679ca9c97@chalmers.se">
<meta http-equiv="content-type"
content="text/html; charset=UTF-8">
<p>I installed and compiled argus and clients today, but when I
run ra on captured data it segfaults pretty quickly.<br>
<br>
I've managed to narrow it down to being a problem with
ipv6-icmp (protocol 58) since I can run 'ra -r <capture
file> - not proto ipv6-icmp' without problems.<br>
<br>
Any suggestions on how I can dig further or even a suggestion
on what the problem could be?<br>
<br>
Installation was pretty straightforward<br>
<br>
git clone <a class="moz-txt-link-freetext"
href="https://github.com/openargus/argus"
moz-do-not-send="true">https://github.com/openargus/argus</a><br>
git clone <a class="moz-txt-link-freetext"
href="https://github.com/openargus/clients"
moz-do-not-send="true">https://github.com/openargus/clients</a><br>
<br>
cd argus; ./configure && make && make install<br>
cd client; ./configure && make && make install<br>
<br>
All done on Ubuntu 24.04<br>
<br>
Regards,<br>
<br>
/Patrick<br>
</p>
<div class="moz-signature">-- <br>
<font size="1" face="Arial"><b>Patrick Forsberg</b><br>
IT-säkerhetsspecialist | IT Security Specialist<br>
Chalmers Cyber- och informationssäkerhetsgrupp (CCIG)
| Chalmers IRT <a href="mailto:abuse@chalmers.se"
moz-do-not-send="true"><abuse@chalmers.se></a>
<p> Chalmers verksamhetsstöd | Chalmers Operations Support<br>
IT-avdelningen | IT Office<br>
+46(0)31 772 5353<br>
Besöksadress: Teknikparken / Sven Hultins gata 9C </p>
</font>
<p><font size="1" face="Arial"> <b>CHALMERS</b><br>
Chalmers tekniska högskola | Chalmers University of
Technology<br>
SE-412 96<br>
Göteborg | Gothenburg<br>
Sverige | Sweden<br>
<a href="https://www.chalmers.se" moz-do-not-send="true">www.chalmers.se</a></font></p>
</div>
</blockquote>
<div class="moz-signature">-- <br>
<font size="1" face="Arial"><b>Patrick Forsberg</b><br>
IT-säkerhetsspecialist | IT Security Specialist<br>
Chalmers Cyber- och informationssäkerhetsgrupp (CCIG)
| Chalmers IRT <a href="mailto:abuse@chalmers.se"
moz-do-not-send="true"><abuse@chalmers.se></a>
<p> Chalmers verksamhetsstöd | Chalmers Operations Support<br>
IT-avdelningen | IT Office<br>
+46(0)31 772 5353<br>
Besöksadress: Teknikparken / Sven Hultins gata 9C </p>
</font>
<p><font size="1" face="Arial"> <b>CHALMERS</b><br>
Chalmers tekniska högskola | Chalmers University of
Technology<br>
SE-412 96<br>
Göteborg | Gothenburg<br>
Sverige | Sweden<br>
<a href="https://www.chalmers.se" moz-do-not-send="true">www.chalmers.se</a></font></p>
</div>
</blockquote>
<div class="moz-signature">-- <br>
<font size="1" face="Arial"><b>Patrick Forsberg</b><br>
IT-säkerhetsspecialist | IT Security Specialist<br>
Chalmers Cyber- och informationssäkerhetsgrupp (CCIG) | Chalmers
IRT <a href="mailto:abuse@chalmers.se"><abuse@chalmers.se></a>
<p>
Chalmers verksamhetsstöd | Chalmers Operations Support<br>
IT-avdelningen | IT Office<br>
+46(0)31 772 5353<br>
Besöksadress: Teknikparken / Sven Hultins gata 9C
</p>
</font>
<p><font size="1" face="Arial">
<b>CHALMERS</b><br>
Chalmers tekniska högskola | Chalmers University of Technology<br>
SE-412 96<br>
Göteborg | Gothenburg<br>
Sverige | Sweden<br>
<a href="https://www.chalmers.se">www.chalmers.se</a></font></p>
</div>
</body>
</html>