Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Crash in PcapDumper::Dump with existing file #693

Open
timwoj opened this issue Nov 21, 2019 · 0 comments
Open

Crash in PcapDumper::Dump with existing file #693

timwoj opened this issue Nov 21, 2019 · 0 comments

Comments

@timwoj
Copy link
Contributor

@timwoj timwoj commented Nov 21, 2019

There's a bit of a hack in PcapDumper::Dump when it comes to opening a file that already exists, where it assumes that pcap_dumper is actually a FILE, and just calls fopen on it. While the libpcap document says that this is normally true, it also warns that this is undefined behavior and that you shouldn't rely on it being true. I ran into a crash on macOS with libpcap 1.8.0 when trying to dump into an existing file. The backtrace from ASan looks like:

tim$ ASAN_OPTIONS=detect_container_overflow=0 zeek -B main-loop,pktio -b -r $TRACES/wikipedia.trace dump_current_packet.zeek 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==43888==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000068 (pc 0x7fff6cb01ba4 bp 0x7ffeeef74530 sp 0x7ffeeef74520 T0)
==43888==The signal is caused by a READ memory access.
==43888==Hint: address points to the zero page.
    #0 0x7fff6cb01ba3 in flockfile (libsystem_c.dylib:x86_64+0x38ba3)
    #1 0x7fff6cb04c4f in fwrite (libsystem_c.dylib:x86_64+0x3bc4f)
    #2 0x10a2d5837 in wrap_fwrite (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x21837)
    #3 0x7fff6b762d88 in pcap_dump (libpcap.A.dylib:x86_64+0x1bd88)
    #4 0x101aac355 in iosource::pcap::PcapDumper::Dump(Packet const*) Dumper.cc:113
    #5 0x1020b97ee in BifFunc::bro_dump_current_packet(Frame*, List<Val*>*) (zeek:x86_64+0x1014327ee)
    #6 0x102097cc4 in BuiltinFunc::Call(List<Val*>*, Frame*) const (zeek:x86_64+0x101410cc4)
    #7 0x102033945 in CallExpr::Eval(Frame*) const Expr.cc:4288
    #8 0x10230328b in ExprStmt::Exec(Frame*, stmt_flow_type&) const Stmt.cc:257
    #9 0x10231342e in StmtList::Exec(Frame*, stmt_flow_type&) const Stmt.cc:1464
    #10 0x1020932cf in BroFunc::Call(List<Val*>*, Frame*) const (zeek:x86_64+0x10140c2cf)
    #11 0x101fd27c9 in EventHandler::Call(List<Val*>*, bool) EventHandler.cc:117
    #12 0x101fcfbdd in Event::Dispatch(bool) Event.cc:66
    #13 0x101fd0c22 in EventMgr::Drain() Event.cc:153
    #14 0x1021c43c0 in net_packet_dispatch(double, Packet const*, iosource::PktSrc*) (zeek:x86_64+0x10153d3c0)
    #15 0x100e25fe1 in iosource::PktSrc::Process() (zeek:x86_64+0x10019efe1)
    #16 0x1021c4d22 in net_run() (zeek:x86_64+0x10153dd22)
    #17 0x101e697ed in main (zeek:x86_64+0x1011e27ed)
    #18 0x7fff6ca712e4 in start (libdyld.dylib:x86_64+0x112e4)

==43888==Register values:
rax = 0x0000000107599e6c  rbx = 0x0000000000000000  rcx = 0x0000000107599e6c  rdx = 0x0000000000000001  
rdi = 0x0000000000000000  rsi = 0x0000000000000010  rbp = 0x00007ffeeef74530  rsp = 0x00007ffeeef74520  
 r8 = 0x0000100000000000   r9 = 0xffffe00022211600  r10 = 0x000000010756c498  r11 = 0x00007fff6cb04c0e  
r12 = 0x0000000000000010  r13 = 0x0000000000000000  r14 = 0x0000000000000023  r15 = 0x0000000000000000  
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (libsystem_c.dylib:x86_64+0x38ba3) in flockfile

Libpcap versions greater than 1.7.2 provide a pcap_dump_open_append method for exactly this purpose. Unfortunately at least one of our supported platforms (debian 8) doesn't provide this new of a libpcap. This issue is just to document that this crash can happen, and that we should fix it once these older platforms are EOL and we can ensure a newer version of libpcap.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.