[Bro-Dev] #505: Invalid Unref crash
Bro Tracker
bro at tracker.bro-ids.org
Wed Jul 20 21:20:04 PDT 2011
#505: Invalid Unref crash
------------------------+---------------------
Reporter: gclark | Type: Problem
Status: new | Priority: Normal
Milestone: | Component: Bro
Version: git/master | Keywords:
------------------------+---------------------
Using latest from bro-master:
Last few lines of Bro execution trace:
{{{
1311220077.263882
/home/gilbert/Code/bro/policy/frameworks/notice/weird.bro:384
Builtin Function called: network_time()
1311220077.263882
/home/gilbert/Code/bro/policy/frameworks/notice/weird.bro:384
Function return: 1311220077.26388
1311220077.263882 /home/gilbert/Code/bro/policy/utils/conn-ids.bro:23
function called: id_string(id = '[orig_h=204.152.191.37, orig_p=80/tcp,
resp_h=212.110.251.3, resp_p=33595/tcp]')
1311220077.263882 /home/gilbert/Code/bro/policy/utils/conn-ids.bro:23
Builtin Function called: fmt(va_args = '%s:%d > %s:%d', vararg0 =
'204.152.191.37', vararg1 = '80/tcp', vararg2 = '212.110.251.3', vararg3 =
'33595/tcp')
1311220077.263882 /home/gilbert/Code/bro/policy/utils/conn-ids.bro:23
Function return: 204.152.191.37:80 > 212.110.251.3:33595
1311220077.263882 /home/gilbert/Code/bro/policy/utils/conn-ids.bro:23
Function return: 204.152.191.37:80 > 212.110.251.3:33595
1311220077.263882
/home/gilbert/Code/bro/policy/frameworks/notice/weird.bro:359
function called: Weird::report_weird_conn(t = '1311220077.26388', name =
'above_hole_data_without_any_acks', id = '204.152.191.37:80 >
212.110.251.3:33595', addl = '', c = '[id=[orig_h=204.152.191.37,
orig_p=80/tcp, resp_h=212.110.251.3, resp_p=33595/tcp], orig=[size=7240,
state=3, num_pkts=<uninitialized>, num_bytes_ip=<uninitialized>],
resp=[size=0, state=0, num_pkts=<uninitialized>,
num_bytes_ip=<uninitialized>], start_time=1311220077.2637,
duration=0.000185012817382812, service={
}, addl=, hot=0, history=D, uid=vwfIafnipTj, conn=<uninitialized>,
extract_orig=F, extract_resp=F, dns=<uninitialized>,
dns_state=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>,
http_state=<uninitialized>, irc=<uninitialized>, mime=<uninitialized>,
mime_state=<uninitialized>, smtp=<uninitialized>,
smtp_state=<uninitialized>, ssh=<uninitialized>, ssl=<uninitialized>,
syslog=<uninitialized>]')
1311220077.263882
/home/gilbert/Code/bro/policy/frameworks/notice/weird.bro:310
function called: Weird::report_weird(t = '1311220077.26388', name =
'above_hole_data_without_any_acks', id = '204.152.191.37:80 >
212.110.251.3:33595', have_conn = 'T', addl = '', action = 'WEIRD_FILE',
no_log = 'F')
1311220077.263882
/home/gilbert/Code/bro/policy/frameworks/logging/base.bro:188
function called: Log::write(id = 'WEIRD', columns = '[ts=1311220077.26388,
uid=vwfIafnipTj, id=[orig_h=204.152.191.37, orig_p=80/tcp,
resp_h=212.110.251.3, resp_p=33595/tcp],
msg=above_hole_data_without_any_acks, addl=<uninitialized>, notice=F]')
1311220077.263882
/home/gilbert/Code/bro/policy/frameworks/logging/base.bro:188
Builtin Function called: Log::__write(id = 'WEIRD', columns =
'[ts=1311220077.26388, uid=vwfIafnipTj, id=[orig_h=204.152.191.37,
orig_p=80/tcp, resp_h=212.110.251.3, resp_p=33595/tcp],
msg=above_hole_data_without_any_acks, addl=<uninitialized>, notice=F]')
1311220077.263882
/home/gilbert/Code/bro/policy/frameworks/logging/base.bro:188
Function return: T
1311220077.263882
/home/gilbert/Code/bro/policy/frameworks/logging/base.bro:188
Function return: T
1311220077.461318 /home/gilbert/Code/bro/build/src/event.bif.bro:104
event called: conn_weird(name = 'spontaneous_RST', c =
'[id=[orig_h=212.110.251.3, orig_p=113/tcp, resp_h=161.53.178.240,
resp_p=50349/tcp], orig=[size=0, state=6, num_pkts=<uninitialized>,
num_bytes_ip=<uninitialized>], resp=[size=0, state=0,
num_pkts=<uninitialized>, num_bytes_ip=<uninitialized>],
start_time=1311220077.46132, duration=0.0, service={
}, addl=, hot=0, history=R, uid=0Wn1J3f4jD4, conn=<uninitialized>,
extract_orig=F, extract_resp=F, dns=<uninitialized>,
dns_state=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>,
http_state=<uninitialized>, irc=<uninitialized>, mime=<uninitialized>,
mime_state=<uninitialized>, smtp=<uninitialized>,
smtp_state=<uninitialized>, ssh=<uninitialized>, ssl=<uninitialized>,
syslog=<uninitialized>]', addl = '')
1311220077.461318
/home/gilbert/Code/bro/policy/frameworks/notice/weird.bro:384
Builtin Function called: network_time()
1311220077.461318
/home/gilbert/Code/bro/policy/frameworks/notice/weird.bro:384
Function return: 1311220077.46132
1311220077.461318 /home/gilbert/Code/bro/policy/utils/conn-ids.bro:23
function called: id_string(id = '[orig_h=212.110.251.3, orig_p=113/tcp,
resp_h=161.53.178.240, resp_p=50349/tcp]')
1311220077.461318 /home/gilbert/Code/bro/policy/utils/conn-ids.bro:23
Builtin Function called: fmt(va_args = '%s:%d > %s:%d', vararg0 =
'212.110.251.3', vararg1 = '113/tcp', vararg2 = '161.53.178.240', vararg3
= '50349/tcp')
1311220077.461318 /home/gilbert/Code/bro/policy/utils/conn-ids.bro:23
Function return: 212.110.251.3:113 > 161.53.178.240:50349
1311220077.461318 /home/gilbert/Code/bro/policy/utils/conn-ids.bro:23
Function return: 212.110.251.3:113 > 161.53.178.240:50349
1311220077.461318
/home/gilbert/Code/bro/policy/frameworks/notice/weird.bro:359
function called: Weird::report_weird_conn(t = '1311220077.46132', name =
'spontaneous_RST', id = '212.110.251.3:113 > 161.53.178.240:50349', addl =
'', c = '[id=[orig_h=212.110.251.3, orig_p=113/tcp, resp_h=161.53.178.240,
resp_p=50349/tcp], orig=[size=0, state=6, num_pkts=<uninitialized>,
num_bytes_ip=<uninitialized>], resp=[size=0, state=0,
num_pkts=<uninitialized>, num_bytes_ip=<uninitialized>],
start_time=1311220077.46132, duration=0.0, service={
}, addl=, hot=0, history=R, uid=0Wn1J3f4jD4, conn=<uninitialized>,
extract_orig=F, extract_resp=F, dns=<uninitialized>,
dns_state=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>,
http_state=<uninitialized>, irc=<uninitialized>, mime=<uninitialized>,
mime_state=<uninitialized>, smtp=<uninitialized>,
smtp_state=<uninitialized>, ssh=<uninitialized>, ssl=<uninitialized>,
syslog=<uninitialized>]')
1311220077.461318
/home/gilbert/Code/bro/policy/frameworks/notice/weird.bro:310
function called: Weird::report_weird(t = '1311220077.46132', name =
'spontaneous_RST', id = '212.110.251.3:113 > 161.53.178.240:50349',
have_conn = 'T', addl = '', action = 'WEIRD_IGNORE', no_log = 'F')
1311220077.461532 /home/gilbert/Code/bro/build/src/event.bif.bro:104
event called: conn_weird(name = 'connection_originator_SYN_ack', c =
'[id=[orig_h=161.53.178.240, orig_p=6667/tcp, resp_h=212.110.251.3,
resp_p=59665/tcp], orig=[size=0, state=0, num_pkts=<uninitialized>,
num_bytes_ip=<uninitialized>], resp=[size=0, state=0,
num_pkts=<uninitialized>, num_bytes_ip=<uninitialized>],
start_time=1311220077.46094, duration=0.0, service={
}, addl=, hot=0, history=H, uid=hrTdn4R7Yq9, conn=<uninitialized>,
extract_orig=F, extract_resp=F, dns=<uninitialized>,
dns_state=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>,
http_state=<uninitialized>, irc=<uninitialized>, mime=<uninitialized>,
mime_state=<uninitialized>, smtp=<uninitialized>,
smtp_state=<uninitialized>, ssh=<uninitialized>, ssl=<uninitialized>,
syslog=<uninitialized>]', addl = '')
1311220077.461532
/home/gilbert/Code/bro/policy/frameworks/notice/weird.bro:384
Builtin Function called: network_time()
1311220077.461532
/home/gilbert/Code/bro/policy/frameworks/notice/weird.bro:384
Function return: 1311220077.46153
1311220077.461532 /home/gilbert/Code/bro/policy/utils/conn-ids.bro:23
function called: id_string(id = '[orig_h=161.53.178.240, orig_p=6667/tcp,
resp_h=212.110.251.3, resp_p=59665/tcp]')
1311220077.461532 /home/gilbert/Code/bro/policy/utils/conn-ids.bro:23
Builtin Function called: fmt(va_args = '%s:%d > %s:%d', vararg0 =
'161.53.178.240', vararg1 = '6667/tcp', vararg2 = '212.110.251.3', vararg3
= '59665/tcp')
1311220077.461532 /home/gilbert/Code/bro/policy/utils/conn-ids.bro:23
Function return: 161.53.178.240:6667 > 212.110.251.3:59665
1311220077.461532 /home/gilbert/Code/bro/policy/utils/conn-ids.bro:23
Function return: 161.53.178.240:6667 > 212.110.251.3:59665
1311220077.461532
/home/gilbert/Code/bro/policy/frameworks/notice/weird.bro:359
function called: Weird::report_weird_conn(t = '1311220077.46153', name =
'connection_originator_SYN_ack', id = '161.53.178.240:6667 >
212.110.251.3:59665', addl = '', c = '[id=[orig_h=161.53.178.240,
orig_p=6667/tcp, resp_h=212.110.251.3, resp_p=59665/tcp], orig=[size=0,
state=0, num_pkts=<uninitialized>, num_bytes_ip=<uninitialized>],
resp=[size=0, state=0, num_pkts=<uninitialized>,
num_bytes_ip=<uninitialized>], start_time=1311220077.46094, duration=0.0,
service={
}, addl=, hot=0, history=H, uid=hrTdn4R7Yq9, conn=<uninitialized>,
extract_orig=F, extract_resp=F, dns=<uninitialized>,
dns_state=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>,
http_state=<uninitialized>, irc=<uninitialized>, mime=<uninitialized>,
mime_state=<uninitialized>, smtp=<uninitialized>,
smtp_state=<uninitialized>, ssh=<uninitialized>, ssl=<uninitialized>,
syslog=<uninitialized>]')
1311220077.461532
/home/gilbert/Code/bro/policy/frameworks/notice/weird.bro:310
function called: Weird::report_weird(t = '1311220077.46153', name =
'connection_originator_SYN_ack', id = '161.53.178.240:6667 >
212.110.251.3:59665', have_conn = 'T', addl = '', action = 'WEIRD_FILE',
no_log = 'F')
1311220077.461532
/home/gilbert/Code/bro/policy/frameworks/logging/base.bro:188
function called: Log::write(id = 'WEIRD', columns = '[ts=1311220077.46153,
uid=hrTdn4R7Yq9, id=[orig_h=161.53.178.240, orig_p=6667/tcp,
resp_h=212.110.251.3, resp_p=59665/tcp],
msg=connection_originator_SYN_ack, addl=<uninitialized>, notice=F]')
1311220077.461532
/home/gilbert/Code/bro/policy/frameworks/logging/base.bro:188
Builtin Function called: Log::__write(id = 'WEIRD', columns =
'[ts=1311220077.46153, uid=hrTdn4R7Yq9, id=[orig_h=161.53.178.240,
orig_p=6667/tcp, resp_h=212.110.251.3, resp_p=59665/tcp],
msg=connection_originator_SYN_ack, addl=<uninitialized>, notice=F]')
1311220077.461532
/home/gilbert/Code/bro/policy/frameworks/logging/base.bro:188
Function return: T
1311220077.461532
/home/gilbert/Code/bro/policy/frameworks/logging/base.bro:188
Function return: T
1311220077.462050 /home/gilbert/Code/bro/build/src/event.bif.bro:67
event called: protocol_confirmation(c = '[id=[orig_h=212.110.251.3,
orig_p=52895/tcp, resp_h=64.18.128.86, resp_p=6667/tcp], orig=[size=38,
state=3, num_pkts=<uninitialized>, num_bytes_ip=<uninitialized>],
resp=[size=0, state=0, num_pkts=<uninitialized>,
num_bytes_ip=<uninitialized>], start_time=1311220077.46205, duration=0.0,
service={
}, addl=, hot=0, history=D, uid=Y6rpTW6Rgeg, conn=<uninitialized>,
extract_orig=F, extract_resp=F, dns=<uninitialized>,
dns_state=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>,
http_state=<uninitialized>, irc=<uninitialized>, mime=<uninitialized>,
mime_state=<uninitialized>, smtp=<uninitialized>,
smtp_state=<uninitialized>, ssh=<uninitialized>, ssl=<uninitialized>,
syslog=<uninitialized>]', atype = '19', aid = '8963')
1311220077.462050 /home/gilbert/Code/bro/build/src/event.bif.bro:104
event called: conn_weird(name = 'irc_line_too_short', c =
'[id=[orig_h=212.110.251.3, orig_p=52895/tcp, resp_h=64.18.128.86,
resp_p=6667/tcp], orig=[size=38, state=3, num_pkts=<uninitialized>,
num_bytes_ip=<uninitialized>], resp=[size=0, state=0,
num_pkts=<uninitialized>, num_bytes_ip=<uninitialized>],
start_time=1311220077.46205, duration=0.0, service={
}, addl=, hot=0, history=D, uid=Y6rpTW6Rgeg, conn=<uninitialized>,
extract_orig=F, extract_resp=F, dns=<uninitialized>,
dns_state=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>,
http_state=<uninitialized>, irc=<uninitialized>, mime=<uninitialized>,
mime_state=<uninitialized>, smtp=<uninitialized>,
smtp_state=<uninitialized>, ssh=<uninitialized>, ssl=<uninitialized>,
syslog=<uninitialized>]', addl = '')
1311220077.462050
/home/gilbert/Code/bro/policy/frameworks/notice/weird.bro:384
Builtin Function called: network_time()
1311220077.462050
/home/gilbert/Code/bro/policy/frameworks/notice/weird.bro:384
Function return: 1311220077.46205
1311220077.462050 /home/gilbert/Code/bro/policy/utils/conn-ids.bro:23
function called: id_string(id = '[orig_h=212.110.251.3, orig_p=52895/tcp,
resp_h=64.18.128.86, resp_p=6667/tcp]')
1311220077.462050 /home/gilbert/Code/bro/policy/utils/conn-ids.bro:23
Builtin Function called: fmt(va_args = '%s:%d > %s:%d', vararg0 =
'212.110.251.3', vararg1 = '52895/tcp', vararg2 = '64.18.128.86', vararg3
= '6667/tcp')
1311220077.462050 /home/gilbert/Code/bro/policy/utils/conn-ids.bro:23
Function return: 212.110.251.3:52895 > 64.18.128.86:6667
1311220077.462050 /home/gilbert/Code/bro/policy/utils/conn-ids.bro:23
Function return: 212.110.251.3:52895 > 64.18.128.86:6667
1311220077.462050
/home/gilbert/Code/bro/policy/frameworks/notice/weird.bro:359
function called: Weird::report_weird_conn(t = '1311220077.46205', name =
'irc_line_too_short', id = '212.110.251.3:52895 > 64.18.128.86:6667', addl
= '', c = '[id=[orig_h=212.110.251.3, orig_p=52895/tcp,
resp_h=64.18.128.86, resp_p=6667/tcp], orig=[size=38, state=3,
num_pkts=<uninitialized>, num_bytes_ip=<uninitialized>], resp=[size=0,
state=0, num_pkts=<uninitialized>, num_bytes_ip=<uninitialized>],
start_time=1311220077.46205, duration=0.0, service={
}, addl=, hot=0, history=D, uid=Y6rpTW6Rgeg, conn=<uninitialized>,
extract_orig=F, extract_resp=F, dns=<uninitialized>,
dns_state=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>,
http_state=<uninitialized>, irc=<uninitialized>, mime=<uninitialized>,
mime_state=<uninitialized>, smtp=<uninitialized>,
smtp_state=<uninitialized>, ssh=<uninitialized>, ssl=<uninitialized>,
syslog=<uninitialized>]')
1311220077.462050
/home/gilbert/Code/bro/policy/frameworks/notice/weird.bro:310
function called: Weird::report_weird(t = '1311220077.46205', name =
'irc_line_too_short', id = '212.110.251.3:52895 > 64.18.128.86:6667',
have_conn = 'T', addl = '', action = 'WEIRD_FILE', no_log = 'F')
1311220077.462050
/home/gilbert/Code/bro/policy/frameworks/logging/base.bro:188
function called: Log::write(id = 'WEIRD', columns = '[ts=1311220077.46205,
uid=Y6rpTW6Rgeg, id=[orig_h=212.110.251.3, orig_p=52895/tcp,
resp_h=64.18.128.86, resp_p=6667/tcp], msg=irc_line_too_short,
addl=<uninitialized>, notice=F]')
1311220077.462050
/home/gilbert/Code/bro/policy/frameworks/logging/base.bro:188
Builtin Function called: Log::__write(id = 'WEIRD', columns =
'[ts=1311220077.46205, uid=Y6rpTW6Rgeg, id=[orig_h=212.110.251.3,
orig_p=52895/tcp, resp_h=64.18.128.86, resp_p=6667/tcp],
msg=irc_line_too_short, addl=<uninitialized>, notice=F]')
1311220077.462050
/home/gilbert/Code/bro/policy/frameworks/logging/base.bro:188
Function return: T
1311220077.462050
/home/gilbert/Code/bro/policy/frameworks/logging/base.bro:188
Function return: T
1311220077.462050 /home/gilbert/Code/bro/build/src/event.bif.bro:611
event called: irc_nick_message(c = '[id=[orig_h=212.110.251.3,
orig_p=52895/tcp, resp_h=64.18.128.86, resp_p=6667/tcp], orig=[size=38,
state=3, num_pkts=<uninitialized>, num_bytes_ip=<uninitialized>],
resp=[size=0, state=0, num_pkts=<uninitialized>,
num_bytes_ip=<uninitialized>], start_time=1311220077.46205, duration=0.0,
service={
}, addl=, hot=0, history=D, uid=Y6rpTW6Rgeg, conn=<uninitialized>,
extract_orig=F, extract_resp=F, dns=<uninitialized>,
dns_state=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>,
http_state=<uninitialized>, irc=<uninitialized>, mime=<uninitialized>,
mime_state=<uninitialized>, smtp=<uninitialized>,
smtp_state=<uninitialized>, ssh=<uninitialized>, ssl=<uninitialized>,
syslog=<uninitialized>]', who = 'T', newnick = '', vararg0 = 'Trance')
}}}
Also, gdb stack trace:
{{{
(gdb) bt
#0 0x081ae57f in Unref (o=0x1b9) at /home/gilbert/Code/bro-
baseline/src/Obj.h:215
#1 0x0827fc24 in Frame::SetElement (this=0xac64360, n=3, v=0xac60da0) at
/home/gilbert/Code/bro-baseline/src/Frame.h:25
#2 0x08288796 in BroFunc::Call (this=0x920b258, args=0xac60ec8,
parent=0x0) at /home/gilbert/Code/bro-baseline/src/Func.cc:304
#3 0x08251d33 in EventHandler::Call (this=0x91363c0, vl=0xac60ec8,
no_remote=false) at /home/gilbert/Code/bro-baseline/src/EventHandler.cc:73
#4 0x081fd6c9 in Event::Dispatch (this=0xac63e08, no_remote=false) at
/home/gilbert/Code/bro-baseline/src/Event.h:46
#5 0x08251594 in EventMgr::Dispatch (this=0x8471da0) at
/home/gilbert/Code/bro-baseline/src/Event.cc:107
#6 0x082515ef in EventMgr::Drain (this=0x8471da0) at /home/gilbert/Code
/bro-baseline/src/Event.cc:119
#7 0x082e16f1 in net_packet_dispatch (t=1311220077.46205, hdr=0x9a15c58,
pkt=0x9a16148 "", hdr_size=14, src_ps=0x9a15c20, pkt_elem=0x0)
at /home/gilbert/Code/bro-baseline/src/Net.cc:354
#8 0x082e1912 in net_packet_arrival (t=1311220077.46205, hdr=0x9a15c58,
pkt=0x9a16148 "", hdr_size=14, src_ps=0x9a15c20)
at /home/gilbert/Code/bro-baseline/src/Net.cc:416
#9 0x082f2433 in PktSrc::Process (this=0x9a15c20) at /home/gilbert/Code
/bro-baseline/src/PktSrc.cc:275
#10 0x082e1a33 in net_run () at /home/gilbert/Code/bro-
baseline/src/Net.cc:446
#11 0x081fcf5e in main (argc=8, argv=0xbf90af14) at /home/gilbert/Code
/bro-baseline/src/main.cc:997
}}}
This crash was triggered by replaying a trace through a local TAP device;
Bro was listening on the TAP device and processing the replayed packets.
The address passed to Unref() appears to be invalid.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/505>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
More information about the bro-dev
mailing list