When parsing a malformed pcap file, tcpflow crashes with abort.
xinali opened this issue · 4 comments
xinali commented
Tested on Ubuntu 16.04 x64, compiled with clang-6.0.
Crash info:
pwndbg> file ./src/tcpflow
Reading symbols from ./src/tcpflow...done.
pwndbg> r -r './build/output/master_tcpflow/crashes/id:000001,sig:06,src:000002,op:flip1,pos:30'
Starting program: /home/tmp/tcpflow/src/tcpflow -r './build/output/master_tcpflow/crashes/id:000001,sig:06,src:000002,op:flip1,pos:30'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
reportfilename: ./report.xml
Invalid argument: futimes(fd=5)
Program received signal SIGABRT, Aborted.
0x00007ffff4b32428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────
RAX 0x0
RBX 0xb190e0 —▸ 0x5bf780 —▸ 0x5227b0 (tcpip::~tcpip()) ◂— lea rsp, [rsp - 0x98]
RCX 0xffffffffffffffff
RDX 0x6
RDI 0x1330f
RSI 0x1330f
R8 0x7ffff7fe38c0 ◂— 0x7ffff7fe38c0
R9 0x20
R10 0x8
R11 0x206
R12 0x810bc0 —▸ 0x5c0798 —▸ 0x53f210 (tcpdemux::~tcpdemux()) ◂— lea rsp, [rsp - 0x98]
R13 0x810bc0 —▸ 0x5c0798 —▸ 0x53f210 (tcpdemux::~tcpdemux()) ◂— lea rsp, [rsp - 0x98]
R14 0x7ffff4ec2540 (_IO_2_1_stderr_) ◂— 0xfbad2887
R15 0x7fffffffd848 —▸ 0x7ffff597ce60 —▸ 0x406a90 ◂— jmp qword ptr [rip + 0x3d88c2]
RBP 0x0
RSP 0x7fffffffd518 —▸ 0x7ffff4b3402a (abort+362) ◂— mov rdx, qword ptr fs:[0x10]
RIP 0x7ffff4b32428 (raise+56) ◂— cmp rax, -0x1000 /* 'H=' */
─────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────
► 0x7ffff4b32428 <raise+56> cmp rax, -0x1000
0x7ffff4b3242e <raise+62> ja raise+96 <0x7ffff4b32450>
0x7ffff4b32430 <raise+64> ret
0x7ffff4b32432 <raise+66> nop word ptr [rax + rax]
0x7ffff4b32438 <raise+72> test ecx, ecx
0x7ffff4b3243a <raise+74> jg raise+43 <0x7ffff4b3241b>
↓
0x7ffff4b3241b <raise+43> movsxd rdx, edi
0x7ffff4b3241e <raise+46> mov eax, 0xea
0x7ffff4b32423 <raise+51> movsxd rdi, ecx
0x7ffff4b32426 <raise+54> syscall
► 0x7ffff4b32428 <raise+56> cmp rax, -0x1000
──────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd518 —▸ 0x7ffff4b3402a (abort+362) ◂— mov rdx, qword ptr fs:[0x10]
01:0008│ 0x7fffffffd520 ◂— 0x20 /* ' ' */
02:0010│ 0x7fffffffd528 ◂— 0x0
... ↓
────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
► f 0 7ffff4b32428 raise+56
f 1 7ffff4b3402a abort+362
f 2 522ee0 tcpip::open_file()
f 3 537f30 tcpdemux::post_process(tcpip*)+624
f 4 53aac4 tcpdemux::remove_all_flows()+356
f 5 50f9c3 main+30803
f 6 7ffff4b1d830 __libc_start_main+240
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Program received signal SIGABRT
pwndbg> bt
#0 0x00007ffff4b32428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff4b3402a in __GI_abort () at abort.c:89
#2 0x0000000000522ee0 in tcpip::close_file (this=0xb190e0) at tcpip.cpp:140
#3 0x0000000000537f30 in tcpdemux::post_process (this=0x810bc0, tcp=0xb190e0) at tcpdemux.cpp:220
#4 0x000000000053aac4 in tcpdemux::remove_all_flows (this=0x810bc0) at tcpdemux.cpp:276
#5 0x000000000050f9c3 in main (argc=<optimized out>, argc@entry=3, argv=<optimized out>, argv@entry=0x7fffffffe268) at tcpflow.cpp:927
#6 0x00007ffff4b1d830 in __libc_start_main (main=0x508170 <main(int, char**)>, argc=3, argv=0x7fffffffe268, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe258) at ../csu/libc-start.c:291
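An added illustration, not code from tcpflow or from this thread: the trace above pairs an `Invalid argument: futimes(fd=5)` message with an abort inside `tcpip::close_file`. Assuming (the page does not confirm the root cause) that the EINVAL comes from a timestamp taken from the malformed capture and handed to `futimes()`, the C below shows the defensive pattern of validating the timestamp first and returning an error instead of aborting; the function names and the scratch-file path are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <unistd.h>

/* Return 1 if a timeval from an untrusted capture is safe to pass to futimes().
 * glibc's futimes() rejects tv_usec outside 0..999999 with EINVAL; a negative
 * tv_sec is refused here too, since no real capture predates the epoch. */
int timeval_is_sane(const struct timeval *tv)
{
    return tv->tv_sec >= 0 && tv->tv_usec >= 0 && tv->tv_usec < 1000000;
}

/* Apply a capture timestamp to a flow file's atime/mtime.
 * Returns 0 on success, -1 with errno set on failure; never aborts. */
int set_file_time_from_capture(int fd, const struct timeval *pkt_time)
{
    struct timeval times[2];
    if (!timeval_is_sane(pkt_time)) {
        errno = EINVAL;          /* same errno the trace reports, but recoverable */
        return -1;
    }
    times[0] = *pkt_time;        /* access time */
    times[1] = *pkt_time;        /* modification time */
    return futimes(fd, times);
}

/* Exercise both paths on a constructed scratch file. Returns 1 when the malformed
 * timestamp is refused with EINVAL and the well-formed one is applied, else 0. */
int demo_roundtrip(void)
{
    char path[] = "/tmp/pcap-ts-demo-XXXXXX";                         /* hypothetical */
    struct timeval bad  = { .tv_sec = 1500000000, .tv_usec = 1500000 }; /* usec out of range */
    struct timeval good = { .tv_sec = 1500000000, .tv_usec = 123456 };
    struct stat st;
    int ok = 0;
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    if (set_file_time_from_capture(fd, &bad) == -1 && errno == EINVAL &&
        set_file_time_from_capture(fd, &good) == 0 &&
        fstat(fd, &st) == 0 && st.st_mtime == good.tv_sec)
        ok = 1;
    close(fd);
    unlink(path);
    return ok;
}
```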
simsong commented
That's a great crash! Can you provide a file that causes the problem?
xinali commented
@simsong Sure, can I send you an email with the crash file? Email: simsong@acm.org?
simsong commented
Sure, that's fine. Thanks!