Package: nemesis
Version: 1.32+1.4beta3-2
Severity: normal

On amd64 (x86_64) I have the following issue with the TCP packet
injection:

spawn:~# nemesis tcp -v -y 1494 -S 1.1.1.1 -D 1.2.3.4      

TCP Packet Injection -=- The NEMESIS Project Version 1.4beta3 (Build 22)

                [IP] 1.1.1.1 > 1.2.3.4
             [IP ID] 41209
          [IP Proto] TCP (6)
            [IP TTL] 255
            [IP TOS] 00
    [IP Frag offset] 0000
     [IP Frag flags] 

         [TCP Ports] 24420 > 1494
         [TCP Flags] SYN 
[TCP Urgent Pointer] 0
   [TCP Window Size] 4096
    [TCP Seq number] 706971441

Wrote 40 byte TCP packet.
*** glibc detected *** free(): invalid next size (fast):
0x000000000051b050 ***
Aborted

A packet gets injected, but it seems the header gets scrambled ... The glibc free() check firing right after the packet is written indicates heap corruption inside the process.

On an i386 box this command works flawlessly, so I think it is an x86_64
architecture issue only.

I am attaching a file with an strace of the command shown above.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-skas3-v8.2
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages nemesis depends on:
ii  libc6                         2.3.5-9    GNU C Library: Shared libraries an
ii  libnet0                       1.0.2a-7   library for the construction and h

nemesis recommends no packages.

-- no debconf information
execve("/usr/bin/nemesis", ["nemesis", "tcp", "-v", "-y", "1494", "-S", 
"1.1.1.1", "-D", "1.2.3.4"], [/* 13 vars */]) = 0
uname({sys="Linux", node="spawn", ...}) = 0
brk(0)                                  = 0x51b000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x2aaaaaac2000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=75564, ...}) = 0
mmap(NULL, 75564, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2aaaaaac3000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/usr/lib/libnet.so.0", O_RDONLY)  = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0$\0\0\0"..., 640) = 640
fstat(3, {st_mode=S_IFREG|0644, st_size=28048, ...}) = 0
mmap(NULL, 1076592, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 
0x2aaaaabc3000
mprotect(0x2aaaaabc9000, 1052016, PROT_NONE) = 0
mmap(0x2aaaaacc8000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x2aaaaacc8000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libm.so.6", O_RDONLY)        = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320=\0\0"..., 640) = 640
fstat(3, {st_mode=S_IFREG|0644, st_size=543920, ...}) = 0
mmap(NULL, 1589704, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 
0x2aaaaacca000
mprotect(0x2aaaaad4e000, 1049032, PROT_NONE) = 0
mmap(0x2aaaaae4d000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x83000) = 0x2aaaaae4d000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libresolv.so.2", O_RDONLY)   = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>[EMAIL PROTECTED]"..., 640) = 640
fstat(3, {st_mode=S_IFREG|0644, st_size=76600, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x2aaaaae4f000
mmap(NULL, 1133256, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 
0x2aaaaae50000
mprotect(0x2aaaaae61000, 1063624, PROT_NONE) = 0
mmap(0x2aaaaaf61000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11000) = 0x2aaaaaf61000
mmap(0x2aaaaaf63000, 6856, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaf63000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libnsl.so.1", O_RDONLY)      = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 I\0\0\0"..., 640) = 640
fstat(3, {st_mode=S_IFREG|0644, st_size=86272, ...}) = 0
mmap(NULL, 1141488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 
0x2aaaaaf65000
mprotect(0x2aaaaaf79000, 1059568, PROT_NONE) = 0
mmap(0x2aaaab078000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x13000) = 0x2aaaab078000
mmap(0x2aaaab07a000, 6896, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2aaaab07a000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\305"..., 640) = 640
lseek(3, 624, SEEK_SET)                 = 624
read(3, "\4\0\0\0\20\0\0\0\1\0\0\0GNU\0\0\0\0\0\2\0\0\0\6\0\0\0"..., 32) = 32
fstat(3, {st_mode=S_IFREG|0755, st_size=1291512, ...}) = 0
mmap(NULL, 2350184, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 
0x2aaaab07c000
mprotect(0x2aaaab19e000, 1162344, PROT_NONE) = 0
mmap(0x2aaaab29e000, 98304, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x122000) = 0x2aaaab29e000
mmap(0x2aaaab2b6000, 15464, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2aaaab2b6000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x2aaaab2ba000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x2aaaab2bb000
mprotect(0x2aaaab29e000, 86016, PROT_READ) = 0
arch_prctl(ARCH_SET_FS, 0x2aaaab2bae60) = 0
munmap(0x2aaaaaac3000, 75564)           = 0
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 4), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x2aaaaaac3000
write(1, "\n", 1)                       = 1
write(1, "TCP Packet Injection -=- The NEM"..., 73) = 73
write(1, "\n", 1)                       = 1
brk(0)                                  = 0x51b000
brk(0x53c000)                           = 0x53c000
write(1, "                [IP] 1.1.1.1 > 1"..., 39) = 39
write(1, "             [IP ID] 64523\n", 27) = 27
write(1, "          [IP Proto] TCP (6)\n", 29) = 29
write(1, "            [IP TTL] 255\n", 25) = 25
write(1, "            [IP TOS] 00\n", 24) = 24
write(1, "    [IP Frag offset] 0000\n", 26) = 26
write(1, "     [IP Frag flags] \n", 22) = 22
write(1, "\n", 1)                       = 1
write(1, "         [TCP Ports] 58440 > 149"..., 34) = 34
write(1, "         [TCP Flags] SYN \n", 26) = 26
write(1, "[TCP Urgent Pointer] 0\n", 23) = 23
write(1, "   [TCP Window Size] 4096\n", 26) = 26
write(1, "    [TCP Seq number] 555344538\n", 31) = 31
write(1, "\n", 1)                       = 1
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
setsockopt(3, SOL_IP, IP_HDRINCL, [1], 4) = 0
setsockopt(3, SOL_SOCKET, SO_BROADCAST, [1], 4) = 0
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [65535], 4) = 0
sendto(3, "E\0\0(\374\v\0\0\377\6\0\0\1\1\1\1\1\2\3\4\344H\5\326\0"..., 40, 0, 
{sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("1.2.3.4")}, 16) = 40
write(1, "Wrote 40 byte TCP packet.\n", 26) = 26
open("/dev/tty", O_RDWR|O_NONBLOCK|O_NOCTTY) = 4
writev(4, [{"*** glibc detected *** ", 23}, {"free(): invalid next size 
(fast)", 32}, {": 0x", 4}, {"000000000051b050", 16}, {" ***\n", 5}], 5) = 80
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
gettid()                                = 7166
tgkill(7166, 7166, SIGABRT)             = 0
--- SIGABRT (Aborted) @ 0 (0) ---
+++ killed by SIGABRT +++
