From owner-freebsd-current@FreeBSD.ORG Mon Jan 16 13:59:31 2006
X-Original-To: current@FreeBSD.org
Delivered-To: freebsd-current@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9C59B16A41F for ; Mon, 16 Jan 2006 13:59:31 +0000 (GMT) (envelope-from keramida@ceid.upatras.gr)
Received: from aiolos.otenet.gr (aiolos.otenet.gr [195.170.0.93]) by mx1.FreeBSD.org (Postfix) with ESMTP id DCDF143D46 for ; Mon, 16 Jan 2006 13:59:30 +0000 (GMT) (envelope-from keramida@ceid.upatras.gr)
Received: from flame.pc (aris.bedc.ondsl.gr [62.103.39.226]) by aiolos.otenet.gr (8.13.4/8.13.4/Debian-8) with SMTP id k0GDxT21028114; Mon, 16 Jan 2006 15:59:29 +0200
Received: by flame.pc (Postfix, from userid 1001) id 7C9D211712; Mon, 16 Jan 2006 15:59:28 +0200 (EET)
Date: Mon, 16 Jan 2006 15:59:28 +0200
From: Giorgos Keramidas
To: Kris Kennaway
Message-ID: <20060116135928.GB28974@flame.pc>
References: <20060116013722.GA29139@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20060116013722.GA29139@xor.obsecurity.org>
Cc: current@FreeBSD.org
Subject: Re: malloc bugs with tcpdump
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Mon, 16 Jan 2006 13:59:31 -0000

On 2006-01-15 20:37, Kris Kennaway wrote:
> # tcpdump -i bge0 proto ipv6
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
>
> ^C
> 0 packets captured
> 2529 packets received by filter
> 0 packets dropped by kernel
> tcpdump: (malloc) Corrupted redzone 1 byte after 0x8020002e0 (size 5) (0x0)
> tcpdump: (malloc) Corrupted redzone 2 bytes after 0x8020002e0 (size 5) (0x0)
> tcpdump: (malloc) Corrupted redzone 3 bytes after 0x8020002e0 (size 5) (0x0)
> #

I can repeat this even without the "proto ipv6" filter. The backtrace of
tcpdump isn't very useful by the time abort() is called:

(gdb) bt
#0  0x0000000800ae687c in kill () at kill.S:2
#1  0x0000000800ae570d in abort () at /home/build/src/lib/libc/stdlib/abort.c:69
#2  0x0000000800a83e79 in idalloc (ptr=0x8020002e0) at /home/build/src/lib/libc/stdlib/malloc.c:3385
#3  0x0000000800a8849b in free (ptr=0x8020002e0) at /home/build/src/lib/libc/stdlib/malloc.c:4728
#4  0x00000008006c0505 in pcap_close (p=0x802000070) at /home/build/src/lib/libpcap/../../contrib/libpcap/pcap.c:785
#5  0x0000000000445790 in main (argc=-6632, argv=0x444a50) at /home/build/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/tcpdump.c:1067
(gdb)

Is there any way to capture tcpdump within gdb while it's modifying the
allocated area?
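The redzone check behind the "Corrupted redzone N bytes after ..." messages above, as an added example that is not code from this thread, from tcpdump, or from FreeBSD's malloc: a minimal guarded allocator whose free() reports which guard bytes were overwritten. The names rz_malloc, rz_free, demo_overrun and demo_clean are hypothetical, and the 5-byte block with a 3-byte overrun is a constructed case chosen to mirror the symptom in the report.

```c
/* Added example: a tiny redzone-guarded allocator. Every block gets REDZONE
 * filler bytes appended; rz_free() checks them and reports overruns in the
 * same style as the malloc messages in the report. Not the real allocator. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REDZONE 8          /* guard bytes appended after every block */
#define FILL    0xA5       /* canary value written into the guard bytes */

/* Header kept in front of the user pointer so rz_free() can find the size. */
struct rz_hdr { size_t size; };

void *rz_malloc(size_t size) {
    struct rz_hdr *h = malloc(sizeof *h + size + REDZONE);
    if (h == NULL) return NULL;
    h->size = size;
    memset((unsigned char *)(h + 1) + size, FILL, REDZONE);
    return h + 1;
}

/* Frees the block and returns a bitmask: bit i set means the byte i+1 past
 * the end of the block was overwritten (0 means the redzone is intact). */
unsigned rz_free(void *p) {
    if (p == NULL) return 0;
    struct rz_hdr *h = (struct rz_hdr *)p - 1;
    unsigned char *guard = (unsigned char *)p + h->size;
    unsigned mask = 0;
    for (unsigned i = 0; i < REDZONE; i++) {
        if (guard[i] != FILL) {
            mask |= 1u << i;
            fprintf(stderr, "(rz) Corrupted redzone %u byte%s after %p (size %zu)\n",
                    i + 1, i ? "s" : "", p, h->size);
        }
    }
    free(h);
    return mask;
}

/* Constructed bug mirroring the report: 5-byte block, 3 bytes written too many. */
unsigned demo_overrun(void) {
    char *buf = rz_malloc(5);
    memset(buf, 'x', 8);            /* overruns into the guard bytes */
    return rz_free(buf);            /* bits 0..2 set: 1, 2 and 3 bytes past the end */
}

/* Same block size, correctly used: 4 characters plus the NUL fit in 5 bytes. */
unsigned demo_clean(void) {
    char *name = rz_malloc(5);
    strcpy(name, "bge0");
    return rz_free(name);           /* 0: redzone intact */
}

int main(void) { return demo_overrun() && !demo_clean() ? 0 : 1; }
```

To catch the writer rather than the later free(), a hardware watchpoint on the first byte past the block (in gdb, `watch *(char *)ADDR` with ADDR being the reported pointer plus the reported size) stops execution at the instruction that modifies it.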