[Bro] pcap_next Question

Mon May 21 10:32:43 PDT 2012

On Mon, May 21, 2012 at 12:48 PM, Siwek, Jonathan Luke
<jsiwek at illinois.edu> wrote:

> Do you have a stack trace you can send?  If pcap_next() were returning a bogus pointer, I don't think you'd see the call to it in the stack, you'd be at a later point in the code where it attempted to access it and crashes.  That is, if pcap_next() is in your stack trace, something bad is probably happening within the pcap library and the caller would never have the opportunity to check the return value.

I've attached a fairly recent backtrace from a core dump.

As you can see, the value being passed as pkt to net_packet_dispatch
triggers an "Address out of bounds" error.  PktSrc::Process calls
PktSrc::ExtractNextPacket which calls pcap_next.  The return value
from pcap_next sets the value for data, which PktSrc::Process
ultimately passes into net_packet_arrival as pkt.  So, either
pcap_next is returning an out of bounds pointer, or something happens
to data between the point in time when pcap_next returns a values and
PktSrc::Process calls net_packet_dispatch.

I've tried to identify what type of traffic might cause this to
happen, but unfortunately, nothing is jumping out at me.

Whatever it is, I don't think that data should be an out of bounds
address.  That's why I'm thinking that some preemptive error checking
may help.
-------------- next part --------------
Core was generated by `/usr/local/bro2/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p'.
Program terminated with signal 6, Aborted.
(gdb) bt
#0  0x00007f56d94a9a75 in raise () from /lib/libc.so.6
#1  0x00007f56d94ad5c0 in abort () from /lib/libc.so.6
#2  0x00007f56d9d5f8c5 in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/libstdc++.so.6
#3  0x00007f56d9d5dcf6 in ?? () from /usr/lib/libstdc++.so.6
#4  0x00007f56d9d5dd23 in std::terminate() () from /usr/lib/libstdc++.so.6
#5  0x00007f56d9d5de1e in __cxa_throw () from /usr/lib/libstdc++.so.6
#6  0x00007f56d9d5e2ad in operator new(unsigned long) () from /usr/lib/libstdc++.so.6
#7  0x00007f56d9d5e369 in operator new[](unsigned long) () from /usr/lib/libstdc++.so.6
#8  0x000000000060cfec in DataBlock (this=0xbcd2180, data=0x156b <Address 0x156b out of bounds>, size=6, arg_seq=<value optimized out>, arg_prev=0xa, arg_next=0x7f56db24d720) at /path/to/bro/src/Reassem.cc:23
#9  0x000000000060d3f1 in Reassembler::NewBlock (this=0xabb1c50, t=<value optimized out>, seq=<value optimized out>, len=<value optimized out>, data=0x7f56d8b3a05c <Address 0x7f56d8b3a05c out of bounds>) at /path/to/bro/src/Reassem.cc:85
#10 0x000000000059b912 in FragReassembler (this=0xabb1c50, arg_s=<value optimized out>, ip=0x7fff30688760, pkt=0x7f56d8b3a058 <Address 0x7f56d8b3a058 out of bounds>, k=0x3baac90, t=<value optimized out>) at /path/to/bro/src/Frag.cc:63
#11 0x000000000063337e in NetSessions::NextFragment (this=0x33c5880, t=<value optimized out>, ip=0x7fff30688760, pkt=<value optimized out>) at /path/to/bro/src/Sessions.cc:733
#12 0x0000000000634581 in NetSessions::DoNextPacket (this=0x33c5880, t=<value optimized out>, hdr=0x338e7b0, ip_hdr=0x7fff30688760, pkt=0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>, hdr_size=<value optimized out>) at /path/to/bro/src/Sessions.cc:458
#13 0x00000000006362ca in NetSessions::NextPacket (this=0x33c5880, t=<value optimized out>, hdr=0x338e7b0, pkt=0x7f56d8b3a058 <Address 0x7f56d8b3a058 out of bounds>, hdr_size=0, pkt_elem=<value optimized out>) at /path/to/bro/src/Sessions.cc:279
#14 0x00000000005ef855 in net_packet_dispatch (t=<value optimized out>, hdr=0x338e7b0, pkt=0x7f56d8b3a058 <Address 0x7f56d8b3a058 out of bounds>, hdr_size=0, src_ps=0x338e770, pkt_elem=0x0) at /path/to/bro/src/Net.cc:352
#15 0x00000000005ff637 in PktSrc::Process (this=0x338e770) at /path/to/bro/src/PktSrc.cc:273
#16 0x00000000005efbbb in net_run () at /path/to/bro/src/Net.cc:445
#17 0x0000000000514aab in main (argc=<value optimized out>, argv=<value optimized out>) at /path/to/bro/src/main.cc:1034