Date:      Mon, 16 Jan 2006 09:30:06 -0800
From:      Sam Leffler <sam@errno.com>
To:        Giorgos Keramidas <keramida@ceid.upatras.gr>
Cc:        current@freebsd.org, Kris Kennaway <kris@obsecurity.org>
Subject:   Re: malloc bugs with tcpdump
Message-ID:  <43CBD81E.80006@errno.com>
In-Reply-To: <20060116135928.GB28974@flame.pc>
References:  <20060116013722.GA29139@xor.obsecurity.org> <20060116135928.GB28974@flame.pc>


Giorgos Keramidas wrote:
> On 2006-01-15 20:37, Kris Kennaway <kris@obsecurity.org> wrote:
> 
>># tcpdump -i bge0 proto ipv6
>>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
>>
>>^C
>>0 packets captured
>>2529 packets received by filter
>>0 packets dropped by kernel
>>tcpdump: (malloc) Corrupted redzone 1 byte after 0x8020002e0 (size 5) (0x0)
>>tcpdump: (malloc) Corrupted redzone 2 bytes after 0x8020002e0 (size 5) (0x0)
>>tcpdump: (malloc) Corrupted redzone 3 bytes after 0x8020002e0 (size 5) (0x0)
>>#
> 
> 
> I can repeat this even without the "proto ipv6" filter.  The backtrace
> of tcpdump isn't very useful by the time abort() is called:
> 
> (gdb) bt
> #0  0x0000000800ae687c in kill () at kill.S:2
> #1  0x0000000800ae570d in abort () at /home/build/src/lib/libc/stdlib/abort.c:69
> #2  0x0000000800a83e79 in idalloc (ptr=0x8020002e0) at /home/build/src/lib/libc/stdlib/malloc.c:3385
> #3  0x0000000800a8849b in free (ptr=0x8020002e0) at /home/build/src/lib/libc/stdlib/malloc.c:4728
> #4  0x00000008006c0505 in pcap_close (p=0x802000070) at /home/build/src/lib/libpcap/../../contrib/libpcap/pcap.c:785
> #5  0x0000000000445790 in main (argc=-6632, argv=0x444a50)
>     at /home/build/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/tcpdump.c:1067
> (gdb)
> 
> Is there any way to capture tcpdump within gdb while it's modifying the
> allocated area?

I sent the attached patch upstream to the tcpdump folks.  Once I hear 
back I'll commit it.

	Sam

Attachment: pcap-bpf.c.patch

Index: pcap-bpf.c
===================================================================
RCS file: /usr/ncvs/src/contrib/libpcap/pcap-bpf.c,v
retrieving revision 1.1.1.10
diff -u -r1.1.1.10 pcap-bpf.c
--- pcap-bpf.c	11 Jul 2005 03:24:42 -0000	1.1.1.10
+++ pcap-bpf.c	16 Jan 2006 05:48:49 -0000
@@ -746,7 +746,7 @@
 		u_int i;
 		int is_ethernet;
 
-		bdl.bfl_list = (u_int *) malloc(sizeof(u_int) * bdl.bfl_len + 1);
+		bdl.bfl_list = (u_int *) malloc(sizeof(u_int) * (bdl.bfl_len + 1));
 		if (bdl.bfl_list == NULL) {
 			(void)snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
 			    pcap_strerror(errno));
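Review bot: The parenthesization on the `+` line is the right fix, and it explains the quoted malloc report: on the `-` line `sizeof(u_int) * bdl.bfl_len + 1` binds as `(sizeof(u_int) * bdl.bfl_len) + 1`, reserving one extra byte instead of one extra u_int, so with bfl_len = 1 the block is 5 bytes ("size 5") and storing a second u_int runs 3 bytes past it, exactly the "1 byte", "2 bytes", "3 bytes after" redzone messages. Two minor points while here: the `(u_int *)` cast on malloc's return is unnecessary in C and could be dropped, and it is worth stating in the commit message that the bug is a precedence error in the size computation rather than a libpcap logic change, so upstream can match it against their tree.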

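The redzone report quoted above (a size-5 block with corruption 1 to 3 bytes past it) follows directly from the precedence error the patch fixes: with bfl_len = 1 the original expression allocates 4*1 + 1 = 5 bytes while two u_ints (8 bytes) are stored. The following C program is an added example, not code from the thread or from libpcap; it models a debugging allocator's guard region so the overrun can be measured without writing out of bounds, and REDZONE, REDZONE_BYTE and the fill values are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Guard region after the simulated allocation (constructed value; a
 * debugging malloc uses its own redzone size and fill pattern). */
#define REDZONE       16
#define REDZONE_BYTE  0xA5

/* Returns how many guard bytes are overwritten when bfl_len + 1 unsigned
 * ints (the page's u_int) are stored into a buffer sized by the original
 * expression (fixed == 0) or by the patched one (fixed != 0). */
size_t redzone_bytes_corrupted(size_t bfl_len, int fixed)
{
    size_t alloc = fixed ? sizeof(unsigned int) * (bfl_len + 1)  /* patched */
                         : sizeof(unsigned int) * bfl_len + 1;   /* original */
    size_t needed = sizeof(unsigned int) * (bfl_len + 1);

    /* Backing store covers all writes plus the guard region, so the
     * demonstration itself never writes out of bounds. */
    unsigned char *backing = malloc(needed + REDZONE);
    if (backing == NULL)
        return (size_t)-1;
    memset(backing, REDZONE_BYTE, needed + REDZONE);

    /* Model the caller filling the list plus the one extra slot the "+ 1"
     * was meant to reserve; the stored values are constructed. */
    unsigned int *list = (unsigned int *)backing;
    for (size_t i = 0; i <= bfl_len; i++)
        list[i] = (unsigned int)(i + 1);

    /* Count guard bytes that no longer hold the fill pattern. */
    size_t corrupted = 0;
    for (size_t off = alloc; off < alloc + REDZONE; off++)
        if (backing[off] != REDZONE_BYTE)
            corrupted++;
    free(backing);
    return corrupted;
}

int main(void)
{
    /* bfl_len = 1: the original sizing gives 4*1 + 1 = 5 bytes, as in the report. */
    printf("original: %zu guard bytes corrupted\n", redzone_bytes_corrupted(1, 0));
    printf("patched:  %zu guard bytes corrupted\n", redzone_bytes_corrupted(1, 1));
    return 0;
}
```

With 4-byte unsigned ints the shortfall is always 3 bytes whatever bfl_len is, which is why the report shows exactly three corrupted-redzone lines.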