[Bro] Bro segfaults with unknown linktype

Fabian Schneider fabian at net.t-labs.tu-berlin.de
Tue Sep 18 04:07:44 PDT 2007


Hi,

we found a bug that segfaults bro. If you try to open a pcap file with a 
data link type that is unknown to libpcap (e.g. data link type 0x32), then 
it immediately crashes. The reason is in PktSrc.cc:

1.) In the constructor of PktFileSrc you first do an pcap_open_offline() 
and get a the pcap handle in pd.

2.) The you call SetHdrSize(), which calls Close() if no link type is 
found.

3.) Close closes pd, sets pd=0 and returns.

4.) back in PktFileSrc immediatly after SetHdrSize() you call 
pcap_file(pd) with the nulled pd, which leads to the Segfault in pcap.


I have added the relevant code fragments and a backtrace of gdb:

----------------------------

void PktSrc::SetHdrSize()
         {
         int dl = pcap_datalink(pd);
         hdr_size = get_link_header_size(dl);

         if ( hdr_size < 0 )
                 {
                 safe_snprintf(errbuf, sizeof(errbuf),
                          "unknown data link type 0x%x", dl);
                 Close();
                 }

         datalink = dl;
         }

void PktSrc::Close()
         {
         if ( pd )
                 {
                 pcap_close(pd);
                 pd = 0;
                 closed = true;
                 }
         }

-----skiping lines-------

PktFileSrc::PktFileSrc(const char* arg_readfile, const char* filter,
                         PktSrc_Filter_Type ft)
: PktSrc()
         {
         readfile = copy_string(arg_readfile);

         filter_type = ft;

         memcpy(errbuf, "xxxxxxxxx", 10);

         pd = pcap_open_offline((char*) readfile, errbuf);

         if ( pd && PrecompileFilter(0, filter) && SetFilter(0) )
                 {

                 SetHdrSize();

#ifdef USE_SELECT_LOOP
                 // We don't put file sources into non-blocking mode as
                 // otherwise we would not be able to identify the EOF
                 // via next_packet().

                 selectable_fd = fileno(pcap_file(pd));

                 if ( selectable_fd < 0 )
                         internal_error("OS does not support selectable 
pcap fd");
#endif
                 }
         else
                 closed = true;
         }

---------------------------------

gdb Backtrace:

#0  0xb7f4f84b in pcap_file (p=0x0) at ./pcap.c:543
#1  0x08190525 in PktFileSrc (this=0x83ef048, arg_readfile=0xbfc9e594 
"mpls-test-100KB-1stpacket.pcap", filter=0x8244f7f "tcp or udp",
     ft=TYPE_FILTER_NORMAL) at PktSrc.cc:461
#2  0x0817d891 in net_init (interfaces=@0xbfc9c774, readfiles=@0xbfc9c764, 
writefile=0x0, transformed_writefile=0x0,
     filter=0x8244f7f "tcp or udp", secondary_filter=0x0, do_watchdog=0) at 
Net.cc:196
#3  0x08091b35 in main (argc=3, argv=0xbfc9c8a4) at main.cc:832


----------------------------------

    bye
    Fabian Schneider

--
Fabian Schneider, An-Institut Deutsche Telekom Laboratories
Technische Universität Berlin, Fakultät IV -- Elektrotechnik und Informatik
address: Sekr. TEL 4, FG INET, Ernst-Reuter-Platz 7, 10587 Berlin
e-mail: fabian at net.t-labs.tu-berlin.de, WWW: http://www.net.in.tum.de/~schneifa
phone: +49 30 8353 - 58513, mobile: +49 160 479 43 97


More information about the Bro mailing list