From owner-freebsd-current@FreeBSD.ORG Mon Jan 16 17:28:32 2006
Message-ID: <43CBD81E.80006@errno.com>
Date: Mon, 16 Jan 2006 09:30:06 -0800
From: Sam Leffler
To: Giorgos Keramidas
Cc: current@freebsd.org, Kris Kennaway
Subject: Re: malloc bugs with tcpdump
References: <20060116013722.GA29139@xor.obsecurity.org> <20060116135928.GB28974@flame.pc>
In-Reply-To: <20060116135928.GB28974@flame.pc>
List-Id: Discussions about the use of FreeBSD-current

Giorgos Keramidas wrote:
> On 2006-01-15 20:37, Kris Kennaway wrote:
>
>># tcpdump -i bge0 proto ipv6
>>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
>>
>>^C
>>0 packets captured
>>2529 packets received by filter
>>0 packets dropped by kernel
>>tcpdump: (malloc) Corrupted redzone 1 byte after 0x8020002e0 (size 5) (0x0)
>>tcpdump: (malloc) Corrupted redzone 2 bytes after 0x8020002e0 (size 5) (0x0)
>>tcpdump: (malloc) Corrupted redzone 3 bytes after 0x8020002e0 (size 5) (0x0)
>>#
>
> I can repeat this even without the "proto ipv6" filter.
> The backtrace of tcpdump isn't very useful by the time abort() is called:
>
> (gdb) bt
> #0  0x0000000800ae687c in kill () at kill.S:2
> #1  0x0000000800ae570d in abort () at /home/build/src/lib/libc/stdlib/abort.c:69
> #2  0x0000000800a83e79 in idalloc (ptr=0x8020002e0) at /home/build/src/lib/libc/stdlib/malloc.c:3385
> #3  0x0000000800a8849b in free (ptr=0x8020002e0) at /home/build/src/lib/libc/stdlib/malloc.c:4728
> #4  0x00000008006c0505 in pcap_close (p=0x802000070) at /home/build/src/lib/libpcap/../../contrib/libpcap/pcap.c:785
> #5  0x0000000000445790 in main (argc=-6632, argv=0x444a50)
>     at /home/build/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/tcpdump.c:1067
> (gdb)
>
> Is there any way to capture tcpdump within gdb while it's modifying the
> allocated area?

I sent the attached patch upstream to the tcpdump folks. Once I hear back I'll commit it.

	Sam

Content-Type: text/plain; name="pcap-bpf.c.patch"
Content-Disposition: inline; filename="pcap-bpf.c.patch"

Index: pcap-bpf.c
===================================================================
RCS file: /usr/ncvs/src/contrib/libpcap/pcap-bpf.c,v
retrieving revision 1.1.1.10
diff -u -r1.1.1.10 pcap-bpf.c
--- pcap-bpf.c	11 Jul 2005 03:24:42 -0000	1.1.1.10
+++ pcap-bpf.c	16 Jan 2006 05:48:49 -0000
@@ -746,7 +746,7 @@
 	u_int i;
 	int is_ethernet;
 
-	bdl.bfl_list = (u_int *) malloc(sizeof(u_int) * bdl.bfl_len + 1);
+	bdl.bfl_list = (u_int *) malloc(sizeof(u_int) * (bdl.bfl_len + 1));
 	if (bdl.bfl_list == NULL) {
 		(void)snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
 		    pcap_strerror(errno));
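Review bot: The removed expression `sizeof(u_int) * bdl.bfl_len + 1` binds as `(sizeof(u_int) * bdl.bfl_len) + 1`, so it reserves one extra byte where the code wants one extra u_int element; the added `sizeof(u_int) * (bdl.bfl_len + 1)` is the correct size and the fix is right. It also explains the report above: with a one-entry DLT list the old call asks for 5 bytes (the `size 5` in the redzone messages), and storing a second u_int into that buffer runs 3 bytes past the end, exactly the "1 byte", "2 bytes" and "3 bytes after" corruption that malloc only detects when free() runs from pcap_close(). Suggest a one-line comment next to the allocation stating that the extra slot is reserved deliberately, so a later edit does not drop the parentheses again.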