tcpdump mailing list archives
A possible bug in libpcap segfault + malloc + pcap_open_live + reproducible + libpcap0.[78] + Ubuntu karmic
From: harish badrinath <harishbadrinath () gmail com>
Date: Tue, 22 Mar 2011 12:58:56 +0530
Hello,
I am customizing ngrep for an internal application. It basically would
read the filter from a file instead of from the command line. I
apologize in advance for the wall-o-text.
High level description of the modification:
Each filter component is listed on a single line and the program would
read the entire file and compress all the arguments into one single
filter to be passed on to pcap_compile. In case any error(s) is/are
detected, it starts from line 1 to x, where x ranges from (1 .. n)
(where n is the last line), pointing out the line numbers of any
detected errors.
The segfault does not seem to be because of repeated invocation of the
library calls.
The segfault always occurs after the "last line has been processed".
Contents of file /etc/ngrep/ngrep.conf that does not create a segfault:
--
Ports=80,25,11
Protcols=ALL,TCP
Deny Ports=22,88
Deny Protocols=ICMP,UDP
GAR BAGE
.
..
--
Contents of file /etc/ngrep/ngrep.conf that *does* create a segfault:
--
Ports=80,25,11
Protcols=ALL,TCP
Deny Ports=22,88
Deny Protocols=ICMP,UDP
GAR BAG
.
..
--
The only difference between the above two versions of the file is "GAR
BAGE" replaced by "GAR BAG". It also segfaults if "GAR BAGE" is
replaced by "GAR BAG E", but it does not segfault if "GAR BAG" is
replaced by "GAR BAG EIS". There is also a segfault if "GAR BAG E" is
replaced by "123 BAG E".
The below given file causes a backtrace:
--
Ports=80,25,11
Protcols=ALL,TCP
Deny Ports=22,88
Deny Protocols=ICMP,UDP
GAR BAG E
GAR BAG EIS
.
..
--
For the actual back-trace message see attachment 1. _Note_: breaking on
free while running the program under gdb causes no breakpoints to be
hit, and the output is ~ attachment 1.
But on the other hand, the below file does not cause any problems:
--
Ports=80,25,11
Protcols=ALL,TCP
Deny Ports=22,88
123 BAG E
Deny Protocols=ICMP,UDP
.
..
--
Running pcap_compile multiple times on manually "compressed filter
text" in a single process seems to cause *no problems*.
In pseudo code:
<code>
/* the loop described above, written out as C with the same call sequence */
char errbuf[PCAP_ERRBUF_SIZE];
bpf_u_int32 netp, maskp;
struct bpf_program fp;
for (int i = 1; i <= 10; i++) {
    const char *str = "Ports=80,25,11 Protcols=ALL,TCP Deny Ports=22,88 Deny "
                      "Protocols=ICMP,UDP GAR BAG . ..";
    char *dev = pcap_lookupdev(errbuf);
    if (dev == NULL) { fprintf(stderr, "pcap_lookupdev(): %s\n", errbuf); exit(1); }
    pcap_lookupnet(dev, &netp, &maskp, errbuf);
    pcap_t *descr = pcap_open_live(dev, BUFSIZ, 1, -1, errbuf);
    if (descr == NULL) { fprintf(stderr, "pcap_open_live(): %s\n", errbuf); exit(1); }
    pcap_compile(descr, &fp, str, 0, netp);   /* same arguments as in pkmain() below */
}
</code>
Here is the actual snippet of C code that is causing the errors (all
pcap calls are located in this function)
<code>
#include <stdio.h>
#include <stdlib.h>
#include <pcap.h>
/* file-scope variables shared with the rest of the program; dev is set by pcap_lookupdev() elsewhere */
char *dev;
char errbuf[PCAP_ERRBUF_SIZE];
bpf_u_int32 netp, maskp;
pcap_t *descr;
struct bpf_program fp;
int pkmain(char *buffer)
{
    /* ask pcap for the network address and mask of the device */
    if (pcap_lookupnet(dev, &netp, &maskp, errbuf) == -1)
        fprintf(stderr, "pcap_lookupnet(): %s\n", errbuf);   /* netp then keeps its zero initial value */
    /* open device for reading; this time let's set it in promiscuous
     * mode so we can monitor traffic to another machine */
    descr = pcap_open_live(dev, BUFSIZ, 1, -1, errbuf);
    if (descr == NULL)
    { printf("pcap_open_live(): %s\n", errbuf); exit(1); }
    printf("pkmain:Trying to compile ((%s))\n", buffer);
    if (pcap_compile(descr, &fp, buffer, 0, netp) == -1) {
        fprintf(stderr, "Error calling pcap_compile\n");
        pcap_perror(descr, "pcap:");    /* descr is known to be non-NULL here */
        return 0;
    }
    /* set the compiled program as the filter (pcap_setfilter() is not called in this snippet) */
    return 1;
}
</code>
In the gdb log attached (Attachment 2), things go haywire after line 96.
*HOST OS DETAILS*
harish@embdbuild:~/ngrep/xml$ dpkg -l | grep libpca
ii libpcap-dev 1.0.0-2ubuntu1
development library for libpcap (transitiona
ii libpcap0.8 1.0.0-6
system interface for user-level packet captu
ii libpcap0.8-dbg 1.0.0-6
debugging symbols for libpcap0.8
ii libpcap0.8-dev 1.0.0-6
development library and header files for lib
uname -m
i686
uname -a
Linux embdbuild 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16
15:22:42 UTC 2009 i686 GNU/Linux
harish@embdbuild:~/ngrep/xml$ dpkg -l | grep libc
ii klibc-utils 1.5.15-1ubuntu2
small utilities built with klibc for early b
ii libc-bin 2.10.1-0ubuntu19
GNU C Library: Binaries
ii libc-dev-bin 2.10.1-0ubuntu19
GNU C Library: Development binaries
ii libc6 2.10.1-0ubuntu19
GNU C Library: Shared libraries
ii libc6-dbg 2.10.1-0ubuntu19
GNU C Library: detached debugging symbols
ii libc6-dev 2.10.1-0ubuntu19
GNU C Library: Development Libraries and Hea
ii libc6-i686 2.10.1-0ubuntu19
GNU C Library: Shared libraries [i686 optimi
Thank you for your time,
Hope this information was useful.
Harish Badrinath
Attachment: backtrace.txt
Attachment: gdb_IMP.txt
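An added example (not code from the post, ngrep or libpcap) of the two steps the post describes: joining per-line filter fragments into one string with a buffer sized before anything is copied, and locating the first line that breaks compilation by compiling growing prefixes (lines 1..x). The validator is pluggable: built with -DHAVE_PCAP (a macro I made up) it compiles through pcap_open_dead() and pcap_compile(), so no live device or privileges are needed; otherwise a constructed stand-in validator keeps the example runnable, and the names join_filter, first_bad_line and stub_validate are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef int (*validate_fn)(const char *filter, char *err, size_t errlen);
/* Join count fragments with single spaces into an exactly sized malloc'd string. */
char *join_filter(const char *const *lines, size_t count)
{
    size_t need = 1;                                /* terminating NUL */
    for (size_t i = 0; i < count; i++)
        need += strlen(lines[i]) + 1;               /* text plus a separator */
    char *out = malloc(need), *p = out;             /* length known before any copy */
    if (!out) return NULL;
    for (size_t i = 0; i < count; i++)
        p += sprintf(p, "%s%s", i ? " " : "", lines[i]);   /* fits by construction */
    *p = '\0';                                      /* count == 0 yields "" */
    return out;
}
/* Compile growing prefixes (lines 1..x). Returns the 1-based number of the first
 * line whose addition fails validation, 0 if all compile, -1 on allocation error. */
int first_bad_line(const char *const *lines, size_t count, validate_fn validate, char *err, size_t errlen)
{
    for (size_t x = 1; x <= count; x++) {
        char *prefix = join_filter(lines, x);
        if (!prefix) return -1;
        int rc = validate(prefix, err, errlen);
        free(prefix);
        if (rc != 0) return (int)x;
    }
    return 0;
}
#ifdef HAVE_PCAP                 /* cc -DHAVE_PCAP ... -lpcap */
#include <pcap.h>
/* Validator backed by libpcap: a dead handle needs no interface or privileges. */
int pcap_validate(const char *filter, char *err, size_t errlen)
{
    pcap_t *p = pcap_open_dead(DLT_EN10MB, 65535);
    struct bpf_program fp;
    int rc = pcap_compile(p, &fp, filter, 0, 0);    /* netmask 0 is fine unless the filter uses "ip broadcast" */
    if (rc == 0) pcap_freecode(&fp); else snprintf(err, errlen, "%s", pcap_geterr(p));
    pcap_close(p);
    return rc;
}
#endif
/* Constructed stand-in (not BPF syntax) so the example runs without libpcap: rejects upper-case tokens. */
int stub_validate(const char *filter, char *err, size_t errlen)
{
    for (const char *c = filter; *c; c++)
        if (*c >= 'A' && *c <= 'Z') { snprintf(err, errlen, "bad token near '%s'", c); return -1; }
    return 0;
}
```

With the real validator, the error text from pcap_geterr() is reported together with the line number first_bad_line() returns.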