
#29 buffer overflow crash

Group: 0.2
Status: pending-accepted
Owner: Aex Aey
Labels: None
Priority: 5
Updated: 2017-06-28
Created: 2017-06-28 (Wed Jun 28, 2017 08:36 PM UTC) by Daniel Greenwald
Private: No

I am running the latest svn for TCP support, which seems to work! Got the following crash, let me know if you need any more info:

freeswitch@ip-10-0-0-228> *** buffer overflow detected ***: ./pcapsipdump terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7329f)[0x7f0b2b3be29f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f0b2b45983c]
/lib/x86_64-linux-gnu/libc.so.6(+0x10d710)[0x7f0b2b458710]
./pcapsipdump[0x4039cc]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7f0b2b36cf45]
./pcapsipdump[0x404463]
======= Memory map: ========


Discussion

  • Aex Aey

    Aex Aey - 2017-06-28
    • status: open --> pending-accepted
    • assigned_to: Aex Aey
     
    • Daniel Greenwald

      Thank you for your response. I am running it this way now. If it crashes I
      will let you know. I'm using it for live capturing.


  • Aex Aey

    Aex Aey - 2017-06-28

    This backtrace doesn't look terribly useful: everything is in libc, plus pcapsipdump uses a somewhat unconventional architecture where the bulk of processing is in main() - this makes the backtrace even less likely to be useful.

    Is there any chance you can build a debug-enabled binary?

    make CXXFLAGS=-DUSE_TCP=1 pcapsipdump-debug
    

    ...then run it under gdb (adjust "set args" as needed, make sure "-f" option is present):

    gdb pcapsipdump-debug
    set args -f -d . -r myfile.pcap
    run
    

    ...and finally, when it crashes, make gdb display stack, local variables, and first 60 bytes of current packet:

    bt
    info locals
    print (char[60])*header_ip
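
What the "*** buffer overflow detected ***" abort in the report means, as an added example that is not pcapsipdump's code: a fortified memcpy into a fixed-size buffer whose copy length is taken from a packet length field, beside the bounded version that drops the packet instead. The buffer size, the packet bytes and all function names are assumptions.

```c
#include <stdint.h>
#include <string.h>
#define SIP_BUF 64  /* hypothetical fixed-size scratch buffer for SIP text */

/* Unsafe shape: the copy length comes straight from the IPv4 total-length
 * field. buf's size is known to the compiler, so with -O2 -D_FORTIFY_SOURCE=2
 * memcpy becomes __memcpy_chk, which calls __fortify_fail ("*** buffer
 * overflow detected ***") when tot - ihl > SIP_BUF. Contrast only; not called. */
void process_unchecked(const uint8_t *pkt)
{
    char buf[SIP_BUF];
    size_t ihl = (pkt[0] & 0x0f) * 4;
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    memcpy(buf, pkt + ihl, tot - ihl);
}

/* Bounded shape: validate IHL and total length against the captured length
 * and the destination before copying. Returns payload length, or -1 to drop. */
int copy_payload_checked(char *dst, size_t dstsz, const uint8_t *pkt, size_t caplen)
{
    if (caplen < 20) return -1;                            /* truncated header */
    size_t ihl = (pkt[0] & 0x0f) * 4;
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || tot < ihl || tot > caplen) return -1;  /* lengths disagree */
    if (tot - ihl > dstsz) return -1;                      /* would overflow dst */
    memcpy(dst, pkt + ihl, tot - ihl);
    return (int)(tot - ihl);
}

/* Constructed sample: 20-byte IPv4/UDP header (total length 28) + "INVITE  ". */
static const uint8_t good_pkt[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2, 'I', 'N', 'V', 'I', 'T', 'E', ' ', ' ' };

/* Checked copy into a SIP_BUF-sized local, as main() would do it. */
int demo(const uint8_t *pkt, size_t caplen)
{
    char buf[SIP_BUF];
    return copy_payload_checked(buf, sizeof buf, pkt, caplen);
}

/* Constructed 100-byte packet whose 80-byte payload exceeds SIP_BUF. */
int demo_oversized(void)
{
    uint8_t pkt[100];
    memset(pkt, 'A', sizeof pkt);
    memcpy(pkt, good_pkt, 20);
    pkt[2] = 0x00; pkt[3] = 100;  /* total length = 100 */
    return demo(pkt, sizeof pkt);
}
```

Building the unchecked shape with gcc -O2 -D_FORTIFY_SOURCE=2 and feeding it the oversized packet reproduces the same __fortify_fail abort; the checked shape returns -1 and the capture loop can simply skip the packet.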