tcpdump mailing list archives
A possible bug in libpcap segfault + malloc + pcap_open_live + reproducible + libpcap0.[78] + Ubuntu karmic
From: harish badrinath <harishbadrinath () gmail com>
Date: Tue, 22 Mar 2011 12:58:56 +0530
Hello,

I am customizing ngrep for an internal application. It basically would read the filter from a file instead of from the command line. I apologize in advance for the wall-o-text.

High level description of the modification: Each filter component is listed in a single line and the program would read the entire file and compress all the arguments to one single filter to be passed on to pcap_compile. In case any error(s) is/are detected, it starts from line 1 to x, where x ranges from (1 .. n) (n being the last line), pointing out the line numbers of any detected errors.

The segfault does not seem to be because of repeated invocation of the library calls. The segfault is always after the "last line has been processed".

Contents of the file /etc/ngrep/ngrep.conf that does not create a segfault:
--
Ports=80,25,11
Protcols=ALL,TCP
Deny Ports=22,88
Deny Protocols=ICMP,UDP
GAR BAGE
. ..
--

Contents of the file /etc/ngrep/ngrep.conf that *does* create a segfault:
--
Ports=80,25,11
Protcols=ALL,TCP
Deny Ports=22,88
Deny Protocols=ICMP,UDP
GAR BAG
. ..
--

The only difference between the above two versions of the file is "GAR BAGE" replaced by "GAR BAG". It also segfaults if "GAR BAGE" is replaced by "GAR BAG E", but it does not segfault if "GAR BAG" is replaced by "GAR BAG EIS". There is also a segfault if "GAR BAG E" is replaced by "123 BAG E".

The below given file causes a backtrace:
--
Ports=80,25,11
Protcols=ALL,TCP
Deny Ports=22,88
Deny Protocols=ICMP,UDP
GAR BAG E
GAR BAG EIS
. ..
--

For the actual back-trace message see attachment 1. _Note_: breaking on free while running the program under gdb causes no breakpoints to be hit, and the output is ~ attachment 1.

But on the other hand, the below file does not cause any problems:
--
Ports=80,25,11
Protcols=ALL,TCP
Deny Ports=22,88
123 BAG E
Deny Protocols=ICMP,UDP
. ..
--

Running pcap_compile multiple times on manually "compressed filter text" in a single process seems to cause *no problems*.
In pseudo code:

    for (i from 1 to 10)
        str = "Ports=80,25,11 Protcols=ALL,TCP Deny Ports=22,88 Deny Protocols=ICMP,UDP GAR BAG . .."
        dev = pcap_lookupdev(errbuf);
        check dev != NULL
        pcap_lookupnet(dev, &netp, &maskp, errbuf);
        descr = pcap_open_live(dev, BUFSIZ, 1, -1, errbuf);
        check descr != NULL
        pcap_compile($str);
    forEnds

Here is the actual snippet of C code that is causing the errors (all pcap calls are located in this function):

    #include <stdio.h>
    #include <stdlib.h>
    #include <pcap.h>

    /* globals shared with the rest of the program; dev is filled in
     * by pcap_lookupdev() before pkmain() is called */
    static char *dev;
    static char errbuf[PCAP_ERRBUF_SIZE];
    static bpf_u_int32 netp, maskp;
    static pcap_t *descr;
    static struct bpf_program fp;

    int pkmain(char *buffer)
    {
        /* ask pcap for the network address and mask of the device */
        if (pcap_lookupnet(dev, &netp, &maskp, errbuf) == -1) {
            fprintf(stderr, "pcap_lookupnet(): %s\n", errbuf);
            netp = maskp = 0;   /* compile without a netmask if lookup fails */
        }

        /* open device for reading; this time let's set it in promiscuous
         * mode so we can monitor traffic to another machine */
        descr = pcap_open_live(dev, BUFSIZ, 1, -1, errbuf);
        if (descr == NULL) {
            printf("pcap_open_live(): %s\n", errbuf);
            exit(1);
        }

        printf("pkmain:Trying to compile ((%s))\n", buffer);
        if (pcap_compile(descr, &fp, buffer, 0, netp) == -1) {
            fprintf(stderr, "Error calling pcap_compile\n");
            if (descr) pcap_perror(descr, "pcap:");
            pcap_close(descr);  /* release the handle on the error path */
            return 0;
        }
        /* set the compiled program as the filter
         * (the pcap_setfilter() call is not part of the posted snippet) */
        return 1;
    }

In the gdb log attached (Attachment 2), things go haywire after line 96.
*HOST __OS__ DETAILS*

    harish@embdbuild:~/ngrep/xml$ dpkg -l | grep libpca
    ii  libpcap-dev     1.0.0-2ubuntu1  development library for libpcap (transitiona
    ii  libpcap0.8      1.0.0-6         system interface for user-level packet captu
    ii  libpcap0.8-dbg  1.0.0-6         debugging symbols for libpcap0.8
    ii  libpcap0.8-dev  1.0.0-6         development library and header files for lib

    uname -m
    i686

    uname -a
    Linux embdbuild 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux

    harish@embdbuild:~/ngrep/xml$ dpkg -l | grep libc
    ii  klibc-utils   1.5.15-1ubuntu2  small utilities built with klibc for early b
    ii  libc-bin      2.10.1-0ubuntu19 GNU C Library: Binaries
    ii  libc-dev-bin  2.10.1-0ubuntu19 GNU C Library: Development binaries
    ii  libc6         2.10.1-0ubuntu19 GNU C Library: Shared libraries
    ii  libc6-dbg     2.10.1-0ubuntu19 GNU C Library: detached debugging symbols
    ii  libc6-dev     2.10.1-0ubuntu19 GNU C Library: Development Libraries and Hea
    ii  libc6-i686    2.10.1-0ubuntu19 GNU C Library: Shared libraries [i686 optimi

Thank you for your time. Hope this information was useful.

Harish Badrinath
Attachment:
backtrace.txt
Description:
Attachment:
gdb_IMP.txt
Description:
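The "read fragments from a file, compress them into one filter, then walk prefixes 1..x to attribute an error to a line" procedure described in the post, written out as an added example. This is not the poster's code and not ngrep's; the function names (append_fragment, first_bad_line, toy_validate, pcap_validate) and the sample lines are constructed for illustration. The combined expression lives in a buffer with a hard bound so a long or odd fragment can only produce an error, never an out-of-bounds write, and the compile step is a pluggable validator: toy_validate is a stand-in vocabulary check so the logic runs offline, while pcap_validate (compiled with -DHAVE_LIBPCAP -lpcap) uses libpcap's pcap_open_dead() so filters can be checked without a live device or root.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#ifdef HAVE_LIBPCAP
#include <pcap.h>
#endif

#define FILTER_MAX 512   /* hard bound on the combined expression (assumed) */
#define ERR_MAX    256

typedef int (*filter_validator)(const char *expr, char *err, size_t errlen);

/* Append one fragment to the combined filter, joining with " and ".
 * Returns 0 on success, -1 if it would not fit; never writes past dstlen. */
int append_fragment(char *dst, size_t dstlen, const char *frag)
{
    size_t cur = strlen(dst), flen = strlen(frag);
    size_t need = flen + (cur ? 5 : 0);           /* " and " is 5 bytes */
    if (cur + need + 1 > dstlen)
        return -1;
    if (cur) {
        memcpy(dst + cur, " and ", 5);
        cur += 5;
    }
    memcpy(dst + cur, frag, flen + 1);            /* includes the NUL */
    return 0;
}

/* Validate the cumulative prefix lines[0..i] for each i. Returns 0 if the
 * whole file compiles, the 1-based number of the first line whose prefix
 * fails, or -1 if a fragment did not fit; err receives the message. */
int first_bad_line(const char *const *lines, size_t n,
                   filter_validator validate, char *err, size_t errlen)
{
    char expr[FILTER_MAX] = "";
    for (size_t i = 0; i < n; i++) {
        if (append_fragment(expr, sizeof expr, lines[i]) != 0) {
            snprintf(err, errlen, "line %zu: filter too long", i + 1);
            return -1;
        }
        if (validate(expr, err, errlen) != 0)
            return (int)(i + 1);
    }
    return 0;
}

/* Constructed stand-in for pcap_compile(): accepts only a tiny vocabulary
 * plus numbers, so the attribution logic can be exercised offline. */
int toy_validate(const char *expr, char *err, size_t errlen)
{
    static const char *vocab[] = {"tcp", "udp", "icmp", "port", "and", "or", "not", NULL};
    char copy[FILTER_MAX];
    snprintf(copy, sizeof copy, "%s", expr);
    for (char *tok = strtok(copy, " "); tok; tok = strtok(NULL, " ")) {
        int ok = strspn(tok, "0123456789") == strlen(tok);
        for (const char **v = vocab; !ok && *v; v++)
            ok = strcmp(tok, *v) == 0;
        if (!ok) {
            snprintf(err, errlen, "unknown token '%s'", tok);
            return -1;
        }
    }
    return 0;
}

#ifdef HAVE_LIBPCAP
/* Real validator: compile against a dead handle, so no device or root is
 * needed and nothing is left open between calls. Netmask 0 is passed
 * because no interface is consulted. */
int pcap_validate(const char *expr, char *err, size_t errlen)
{
    pcap_t *p = pcap_open_dead(DLT_EN10MB, 65535);
    struct bpf_program prog;
    int rc = pcap_compile(p, &prog, expr, 1, 0);
    if (rc == 0)
        pcap_freecode(&prog);
    else
        snprintf(err, errlen, "%s", pcap_geterr(p));
    pcap_close(p);
    return rc == 0 ? 0 : -1;
}
#endif

/* Constructed sample file in the shape of the post's config: line 4 is garbage. */
int demo_bad_line(void)
{
    const char *lines[] = {"tcp", "port 80 or port 25", "not port 22", "GAR BAG", "udp"};
    char err[ERR_MAX] = "";
    return first_bad_line(lines, 5, toy_validate, err, sizeof err);   /* 4 */
}

/* An 8-byte buffer takes "tcp" but not "tcp and udp": the bound holds. */
int demo_overflow(void)
{
    char buf[8] = "";
    if (append_fragment(buf, sizeof buf, "tcp") != 0)
        return 1;
    return append_fragment(buf, sizeof buf, "udp");                    /* -1 */
}

int main(void)
{
    char err[ERR_MAX] = "";
    const char *lines[] = {"tcp", "port 80 or port 25", "not port 22", "GAR BAG", "udp"};
    int bad = first_bad_line(lines, 5, toy_validate, err, sizeof err);
    if (bad > 0)
        printf("line %d: %s\n", bad, err);
    else
        printf("%s\n", bad ? err : "filter ok");
    return 0;
}
```

Checking each cumulative prefix as it is built gives the same per-line attribution the post describes (compile the whole thing, then retry from line 1 to x) without keeping a live capture handle open across iterations; swapping toy_validate for pcap_validate in main() runs the same logic against libpcap's real grammar.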
- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- A possible bug in libpcap segfault + malloc + pcap_open_live + reproducible + libpcap0.[78] + Ubuntu karmic harish badrinath (Mar 22)
- Re: A possible bug in libpcap segfault + malloc + pcap_open_live + reproducible + libpcap0.[78] + Ubuntu karmic Guy Harris (Mar 22)
- Re: A possible bug in libpcap segfault + malloc + harish badrinath (Mar 22)
- Re: A possible bug in libpcap segfault + malloc + Guy Harris (Mar 22)
- Re: A possible bug in libpcap segfault + malloc + harish badrinath (Mar 23)
- Re: A possible bug in libpcap segfault + malloc + harish badrinath (Mar 22)
- Re: A possible bug in libpcap segfault + malloc + pcap_open_live + reproducible + libpcap0.[78] + Ubuntu karmic Guy Harris (Mar 22)