Date:      Mon, 16 Jan 2006 15:59:28 +0200
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        current@FreeBSD.org
Subject:   Re: malloc bugs with tcpdump
Message-ID:  <20060116135928.GB28974@flame.pc>
In-Reply-To: <20060116013722.GA29139@xor.obsecurity.org>
References:  <20060116013722.GA29139@xor.obsecurity.org>

On 2006-01-15 20:37, Kris Kennaway <kris@obsecurity.org> wrote:
> # tcpdump -i bge0 proto ipv6
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
>
> ^C
> 0 packets captured
> 2529 packets received by filter
> 0 packets dropped by kernel
> tcpdump: (malloc) Corrupted redzone 1 byte after 0x8020002e0 (size 5) (0x0)
> tcpdump: (malloc) Corrupted redzone 2 bytes after 0x8020002e0 (size 5) (0x0)
> tcpdump: (malloc) Corrupted redzone 3 bytes after 0x8020002e0 (size 5) (0x0)
> #

I can repeat this even without the "proto ipv6" filter.  The backtrace
of tcpdump isn't very useful by the time abort() is called:

(gdb) bt
#0  0x0000000800ae687c in kill () at kill.S:2
#1  0x0000000800ae570d in abort () at /home/build/src/lib/libc/stdlib/abort.c:69
#2  0x0000000800a83e79 in idalloc (ptr=0x8020002e0) at /home/build/src/lib/libc/stdlib/malloc.c:3385
#3  0x0000000800a8849b in free (ptr=0x8020002e0) at /home/build/src/lib/libc/stdlib/malloc.c:4728
#4  0x00000008006c0505 in pcap_close (p=0x802000070) at /home/build/src/lib/libpcap/../../contrib/libpcap/pcap.c:785
#5  0x0000000000445790 in main (argc=-6632, argv=0x444a50)
    at /home/build/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/tcpdump.c:1067
(gdb)

Is there any way to capture tcpdump within gdb while it's modifying the
allocated area?
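An added illustration, not part of this thread, of the check behind the quoted "Corrupted redzone" lines and the free() -> abort() path in the backtrace: a small C model of a red-zone guarded allocator. The wrapper names rz_malloc/rz_check/rz_free and the constructed 8-byte input are this example's own; FreeBSD libc's malloc performs the equivalent check internally and is not reproduced here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical red-zone wrapper constructed for this example; not libc's malloc. */
#define RZ_BYTES 16        /* guard bytes placed directly after each allocation */
#define RZ_FILL  0xa5      /* canary pattern the guard is filled with */
struct rz_hdr { size_t size; };   /* bookkeeping stored just before the user pointer */
void *rz_malloc(size_t size)
{
    struct rz_hdr *h = malloc(sizeof *h + size + RZ_BYTES);
    if (h == NULL) return NULL;
    h->size = size;
    unsigned char *user = (unsigned char *)(h + 1);
    memset(user + size, RZ_FILL, RZ_BYTES);   /* arm the red zone */
    return user;
}
/* Scan the guard, printing one line per clobbered byte in the shape of the quoted
 * message. Returns the 1-based offset of the last clobbered byte, 0 if intact. */
int rz_check(const void *ptr)
{
    const struct rz_hdr *h = (const struct rz_hdr *)ptr - 1;
    const unsigned char *rz = (const unsigned char *)ptr + h->size;
    int last_bad = 0;
    for (int i = 0; i < RZ_BYTES; i++) {
        if (rz[i] != RZ_FILL) {
            last_bad = i + 1;
            printf("(malloc) Corrupted redzone %d byte%s after %p (size %zu) (0x%x)\n",
                   i + 1, i == 0 ? "" : "s", ptr, h->size, (unsigned)rz[i]);
        }
    }
    return last_bad;
}
void rz_free(void *ptr)        /* the check libc performs at free() time */
{
    if (ptr == NULL) return;
    if (rz_check(ptr) != 0) abort();   /* where the quoted backtrace ends up */
    free((struct rz_hdr *)ptr - 1);
}
/* Constructed model of the symptom: 8 bytes copied into a 5-byte allocation. */
int demo_overrun_by_three(void)
{
    char *buf = rz_malloc(5);
    memcpy(buf, "12345678", 8);       /* 3 bytes spill into the red zone */
    int n = rz_check(buf);            /* reports 1, 2 and 3 bytes after buf */
    free((struct rz_hdr *)buf - 1);   /* release without the abort() in rz_free */
    return n;
}
```

Running demo_overrun_by_three() prints three diagnostics like the ones quoted and returns 3; a clean rz_malloc'd buffer checks as 0.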
