[Bro] Bug on PktSrc.cc

Jose M. Gonzalez chema at cs.berkeley.edu
Wed Sep 14 20:43:48 PDT 2005


Hi, 

I think I found a weird bug in PktSrc.cc, related to the libpcap version 
Bro ships.

The version of the arithmetic operation block generator we ship 
( libpcap-0.7.2:gencode.c:get_arth() ) has a well-known bug [1], which 
makes gencode() punt when the filter being compiled has too many 
arithmetic operations.

When this happens, PktSrc::PrecompileFilter() returns 0 
(BPF_Program::Compile() returns false and fills the errbuf), but this is 
not caught by either PktInterfaceSrc::PktInterfaceSrc() or
PktFileSrc::PktFileSrc(). Eventually Bro dies, with an unrelated 
message. 

If you want to test this, the following filter produces a weird error
message. 

((tcp[(ip[2:2] - ((ip[0]&0x0f)<<2))-1] == 0) and ((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) != 0) and ((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 512)) or ( tcp[(tcp[12]>>2):4] = 0x5353482D and ( tcp[((tcp[12]>>2)+4):2] = 0x312e or tcp[((tcp[12]>>2)+4):2] = 0x322e))

I enclose a patch for Bro to die with a better error message. 

The patch to fix pcap is in [1].

-Chema

[1] http://www.tcpdump.org/lists/workers/2002/04/msg00014.html

-------------- next part --------------
Index: PktSrc.cc
===================================================================
RCS file: /home/portnoy/u2/src/projects/bro/src/PktSrc.cc,v
retrieving revision 1.15
diff -u -r1.15 PktSrc.cc
--- PktSrc.cc	12 Sep 2005 21:04:57 -0000	1.15
+++ PktSrc.cc	15 Sep 2005 03:37:50 -0000
@@ -386,6 +386,8 @@
 		SetHdrSize();
 		fprintf(stderr, "listening on %s\n", interface);
 		}
+	else
+		closed = true;
 	}
 
 
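Review bot: the added `else closed = true;` on the interface path records that the source failed but does not report why; the covering mail says BPF_Program::Compile() fills errbuf when PrecompileFilter() fails, so the promised "better error message" still depends on whatever later checks `closed`. Consider emitting the errbuf text right here, as the success branch already does with `fprintf(stderr, "listening on %s\n", interface);`, so a filter that gencode() punts on is reported at the point of failure rather than surfacing as an unrelated message later. The `if` this `else` binds to is outside the visible context, so it is worth confirming in the file that it is the `pd && PrecompileFilter(...) && SetFilter(0)` condition and not a nested one.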
@@ -399,11 +401,10 @@
 
 	pd = pcap_open_offline((char*) readfile, errbuf);
 
-	if ( ! pd )
-		closed = true;
-
 	if ( pd && PrecompileFilter(0, filter) && SetFilter(0) )
 		SetHdrSize();
+	else
+		closed = true;
 
 #ifdef USE_SELECT_LOOP
 	// We don't put file sources into non-blocking mode as otherwise

