On Mon, 28 May 2007, Jurjen Oskam wrote:

> On Mon, May 28, 2007 at 09:12:58AM +0100, Stuart Henderson wrote:
>
> > the bug is probably in a protocol decoder, in which case you'd still
> > be able to write the network data to disk; a copy of this may help
> > someone locate the problem (tcpdump -ienc0 -w file)
>
> Thanks for your suggestions (also the one about "-s 1500")!
>
> This is what I found:
>
> - When adding "-s 1500" to the parameters, no segfault occurs. (Output at
>   http://www.stupendous.org/enc0-s1500.log)
>
> - When running under gdb, I get the following:
>
> [snip (using args "-npienc0")]
> 19:19:07.584092 (authentic,confidential): SPI 0x66436c81: 194.109.21.66.52091 > 192.168.2.12.8381: . 419725:420249(524) ack 1 win 46 <nop,nop,timestamp 3760582140 454451604> (DF) [tos 0x8] (encap)
> 19:19:07.585631 (authentic,confidential): SPI 0x66436c81: 194.109.21.66.52091 > 192.168.2.12.8381: . 419201:419725(524) ack 1 win 46 <nop,nop,timestamp 3760582140 454451604> (DF) [tos 0x8] (encap)
> 19:19:07.585825 (authentic,confidential): SPI 0x5d5feb70: 192.168.2.12.8381 > 194.109.21.66.52091: . ack 413437 win 15860 <nop,nop,timestamp 454451604 3760582120> (DF) [tos 0x8] (encap)
> 19:19:07.587079 (authentic,confidential): SPI 0x66436c81: 194.109.21.66.52091 > 192.168.2.12.8381: . 420249:420773(524) ack 1 win 46 <nop,nop,timestamp 3760582140 454451604> (DF) [tos 0x8] (encap)
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x000000004227e809 in memcpy (dst0=0x4f052080, src0=0x42aaf003, length=0) at /usr/src/lib/libc/string/bcopy.c:115
> 115             TLOOP1(*--dst = *--src);
> (gdb) bt
> #0  0x000000004227e809 in memcpy (dst0=0x4f052080, src0=0x42aaf003, length=0) at /usr/src/lib/libc/string/bcopy.c:115
> #1  0x0000000000408259 in ip_print (bp=0x42aaefa4 "[EMAIL PROTECTED]@", length=576) at /usr/src/usr.sbin/tcpdump/print-ip.c:382
> #2  0x0000000000408722 in ip_print (bp=0x14 <Address 0x14 out of bounds>, length=16384) at /usr/src/usr.sbin/tcpdump/print-ip.c:471
> #3  0x000000000041d49c in enc_if_print (user=0x4f052080 "[EMAIL PROTECTED]'@", h=0x4f052080, p=0x42aaef90 "E\b\002T<\030@") at /usr/src/usr.sbin/tcpdump/print-enc.c:99
> #4  0x000000004c191d64 in pcap_read (p=0x49817200, cnt=-1, callback=0x41d3c0 <enc_if_print>, user=0x0) at /usr/src/lib/libpcap/pcap-bpf.c:154
> #5  0x000000004c19257b in pcap_loop (p=0x49817200, cnt=-1, callback=0x41d3c0 <enc_if_print>, user=0x0) at /usr/src/lib/libpcap/pcap.c:76
> #6  0x0000000000403276 in main (argc=2, argv=0x41d3c0) at /usr/src/usr.sbin/tcpdump/tcpdump.c:485
> (gdb)
>
> I made the resulting file of "tcpdump -p -ienc0 -w enc0.dump" available at
> http://www.stupendous.org/enc0.dump.
>
> Should I file a bugreport?
I'm trying to reproduce here using your dump file, but it's running fine.... Can you reproduce the problem with the dump file?

Your stack trace does look weird, though. It hits a case that should not happen in print-ip.c line 382.

	-Otto
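The thread observes that the crash disappears once the snaplen is raised with "-s 1500", which is the classic situation for a decoder that trusts the on-wire IP Total Length instead of the number of bytes actually captured. The following is an added illustration of the defensive pattern, not tcpdump's or OpenBSD's code: every read is bounded by the captured length, so a truncated capture produces a status code rather than a copy past the end of the buffer. The sample frame, status names and function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

enum ip_status { IP_OK = 0, IP_TRUNC_PAYLOAD = 1,          /* header usable */
                 IP_TRUNC_HDR = -1, IP_BAD_VER = -2, IP_BAD_IHL = -3 };

struct ipv4_view { unsigned ihl_bytes, total_len; uint8_t proto; };

/* Parse an IPv4 header from a captured frame. caplen is the number of bytes
 * actually captured (bounded by the snaplen); every read is checked against
 * caplen, never against the on-wire Total Length field. */
enum ip_status ipv4_decode(const uint8_t *p, size_t caplen, struct ipv4_view *v)
{
    if (caplen < 20)                 return IP_TRUNC_HDR;   /* fixed header cut off */
    if ((p[0] >> 4) != 4)            return IP_BAD_VER;
    v->ihl_bytes = (p[0] & 0x0f) * 4u;
    if (v->ihl_bytes < 20)           return IP_BAD_IHL;
    if (caplen < v->ihl_bytes)       return IP_TRUNC_HDR;   /* options cut off */
    v->total_len = ((unsigned)p[2] << 8) | p[3];
    if (v->total_len < v->ihl_bytes) return IP_BAD_IHL;     /* length contradicts IHL */
    v->proto = p[9];
    return caplen < v->total_len ? IP_TRUNC_PAYLOAD : IP_OK;
}

/* Payload bytes a sub-decoder may read: min(Total Length, caplen) minus header.
 * Copying (total_len - ihl_bytes) bytes instead would run past the capture. */
size_t ipv4_payload_avail(const struct ipv4_view *v, size_t caplen)
{
    size_t end = v->total_len < caplen ? v->total_len : caplen;
    return end > v->ihl_bytes ? end - v->ihl_bytes : 0;
}

/* Constructed sample: IPv4/TCP header with Total Length 576 (the frame length
 * seen in the gdb trace), addresses taken from the trace, payload zero-filled. */
static const uint8_t SAMPLE[576] = {
    0x45, 0x08, 0x02, 0x40, 0x3c, 0x18, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    194, 109, 21, 66, 192, 168, 2, 12 };

/* Decode SAMPLE as if captured with the given snaplen; returns the status and
 * stores how many payload bytes could safely be read (0 if the header is unusable). */
enum ip_status demo_capture(size_t snaplen, size_t *avail)
{
    size_t caplen = snaplen < sizeof SAMPLE ? snaplen : sizeof SAMPLE;
    struct ipv4_view v;
    enum ip_status s = ipv4_decode(SAMPLE, caplen, &v);
    *avail = (s == IP_OK || s == IP_TRUNC_PAYLOAD) ? ipv4_payload_avail(&v, caplen) : 0;
    return s;
}
```

With a short snaplen such as 96 the header decodes but only 76 payload bytes are readable; with 1500 the whole 576-byte packet is captured and all 556 payload bytes are available.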