[Bro] minor segfault in nb_dns.cc

Frank Meier franky.meier.1 at gmx.de
Thu Apr 23 03:40:18 PDT 2015 

Hi there!

While testing bro sniffing replayed PCAPs I noticed a case where it 
segfaults. 
Because of the uncommon network config this looks like a minor bug to 
me.

The segfault happens, if a nameserver is set in /etc/resolv.conf, but 
the network
of the nameserver is not reachable: 

$ cat /etc/resolv.conf 
nameserver 192.168.1.1
$ cat dns.bro 
event bro_init() {
	when ( local result = lookup_hostname("example.com") ) {
	}
}
$ bro -v
bro version 2.3-793
$ bro dns.bro
warning in /home/franky/bro-git/bro/scripts/base/init-bare.bro, line 1: 
problem initializing NB-DNS: connect(192.168.1.1): Network is 
unreachable
warning: can't issue DNS request
warning: can't issue DNS request
Segmentation fault (core dumped)

The segfault does not happen, if BRO_DNS_FAKE ist set to on or off:

$ BRO_DNS_FAKE=0 bro dns.bro
warning in /home/franky/bro-git/bro/scripts/base/init-bare.bro, line 1: 
problem initializing NB-DNS: connect(192.168.1.1): Network is 
unreachable
$ BRO_DNS_FAKE=1 bro dns.bro
warning in /home/franky/bro-git/bro/scripts/base/init-bare.bro, line 1: 
problem initializing NB-DNS: connect(192.168.1.1): Network is 
unreachable

Here is the backtrace:

$ gdb bro /tmp/core 
GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
[...]
Core was generated by `bro dns.bro'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  nb_dns_fd (nd=0x0) at /home/franky/bro-git/bro/src/nb_dns.c:176
176		return (nd->s);
(gdb) bt
#0  nb_dns_fd (nd=0x0) at /home/franky/bro-git/bro/src/nb_dns.c:176
#1  0x0000000000567c1d in DNS_Mgr::AnswerAvailable (this=<optimized 
out>, timeout=0) at /home/franky/bro-git/bro/src/DNS_Mgr.cc:1425
#2  0x000000000056c24a in DNS_Mgr::DoProcess (this=0x15c1410, 
flush=false) at /home/franky/bro-git/bro/src/DNS_Mgr.cc:1382
#3  0x000000000056c420 in DNS_Mgr::Flush (this=0x15c1410) at 
/home/franky/bro-git/bro/src/DNS_Mgr.cc:1334
#4  0x0000000000540126 in done_with_network () at 
/home/franky/bro-git/bro/src/main.cc:316
#5  0x000000000051f679 in main (argc=<optimized out>, argv=<optimized 
out>) at /home/franky/bro-git/bro/src/main.cc:1216

A fix could be:

diff --git a/src/DNS_Mgr.cc b/src/DNS_Mgr.cc
index 11fd258..08f76df 100644
--- a/src/DNS_Mgr.cc
+++ b/src/DNS_Mgr.cc
@@ -1422,6 +1422,10 @@ void DNS_Mgr::DoProcess(bool flush)
 
 int DNS_Mgr::AnswerAvailable(int timeout)
        {
+       if (!nb_dns) {
+               reporter->Warning("nb_dns_fd() failed in 
DNS_Mgr::WaitForReplies");
+               return -1;
+       }
        int fd = nb_dns_fd(nb_dns);
        if ( fd < 0 )
                {

The segfault occurs with 2.3.2 and with a recent version from git 
(6fb4b522c6b3f2094a2f35761d3c4f7022bc4013)
(The current git from today does not compile).

I know it's not the usual use case for bro, but should I open a ticket 
about this? 

Franky





-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150423/e4a0f04c/attachment.html

More information about the Bro mailing list