[Bro] Segmentation fault at Off-line test

Vern Paxson vern at icir.org
Sun Dec 12 16:33:00 PST 2004


>  When I tried to test Bro in off-line with TCP dump file, I met
> segmentation fault error.
> 
>  The tcpdump was captured using "Targa2.c" with all supported attacks.

While I couldn't reproduce the crash using the trace you subsequently sent
me, the heavy use of fragments makes me suspect it's the same fragment bug
that I fixed a few days ago (and will be included in the next release).
I've attached diffs for it in case you want to try directly.  Note that
for the trace you sent me, Bro takes a *long* time to process it, since
every packet in it generates multiple events.  Fixing this sort of performance
problem is clearly important and on our radar, but it can be quite hard,
so it will remain an issue.

		Vern


Index: Frag.cc
===================================================================
RCS file: /home/portnoy/u2/src/projects/bro/src/Frag.cc,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -u -r1.1 -r1.2
--- Frag.cc	14 Jul 2004 20:15:40 -0000	1.1
+++ Frag.cc	10 Dec 2004 18:19:47 -0000	1.2
@@ -1,4 +1,4 @@
-// $Id: Frag.cc,v 1.1 2004/07/14 20:15:40 jason Exp $
+// $Id: Frag.cc,v 1.2 2004/12/10 18:19:47 vern Exp $
 //
 // Copyright (c) 1998, 1999, 2001, 2002
 //      The Regents of the University of California.  All rights reserved.
@@ -161,10 +161,11 @@
 	if ( b->next )
 		{
 		// We have a hole.
-		if ( b->seq >= frag_size )
+		if ( b->upper >= frag_size )
 			{
 			IP_Hdr proto_h((const struct ip*) proto_hdr);
 			s->Weird("fragment_size_inconsistency", &proto_h);
+			frag_size = b->upper;
 			}
 		else
 			return;
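Review bot: In the hole branch, `frag_size = b->upper;` is assigned while `b->next` is still non-null, so any blocks after the hole lie beyond the new frag_size; please add a comment saying those blocks are deliberately dropped, and confirm that the reassembly code following this hunk is bounded by frag_size rather than by the block list. The test is also `>=`, so the Weird is raised and the assignment made when b->upper equals frag_size, where the assignment changes nothing; a one-line comment on why equality counts as an inconsistency here would help the next reader.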
@@ -174,6 +175,7 @@
 		{
 		IP_Hdr proto_h((const struct ip*) proto_hdr);
 		s->Weird("fragment_size_inconsistency", &proto_h);
+		frag_size = last_block->upper;
 		}
 
 	else if ( last_block->upper < frag_size )
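Review bot: The added `frag_size = last_block->upper;` takes the datagram size from a fragment block's upper bound with no limit applied in this hunk; if frag_size later sizes or bounds the reassembled packet, consider checking it against the maximum IP datagram length before accepting it. This branch also reports the same Weird name, fragment_size_inconsistency, as the hole branch in the previous hunk, so the log cannot tell the two cases apart; distinct names or a comment would make triage easier.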


