Thanks for the notification. The crash results from giving the -A argument 
twice, which nfdump was not supposed to get.
Find appended a patch which solves this. nfdump now accepts one or more -A 
arguments.
Although it's a memory corruption, I'm not sure how easily this could be 
exploited, as no user arguments are directly copied into the corrupted 
memory. Anyway, it's fixed.

Thanks

        - Peter


On 13/4/12 4:16 AM, Felipe Garcia wrote:
> could be used to create an exploit.. [?] this is a redhat 6.1 box.
> 
> /usr/local/bin/nfdump -A srcip -N -f /data/etc/srcfilter -A dstip -N -f
> /data/etc/dstfilter  -q -o fmt:S,%sa,%byt,%pkt,%fl
> -Rft-IC02RTR001-ipbill0201-2012-04-11.1815+1000.txt:ft-IC02RTR001-ipbill0201-2012-04-11.1845+1000.txt
> *** glibc detected *** /usr/local/bin/nfdump: free(): invalid next size
> (fast): 0x0000000000754270 ***
> ======= Backtrace: =========
> /lib64/libc.so.6[0x3e728750c6]
> /usr/local/bin/nfdump[0x415873]
> /usr/local/bin/nfdump[0x402711]
> /lib64/libc.so.6(__libc_start_main+0xfd)[0x3e7281ecdd]
> /usr/local/bin/nfdump[0x401d79]
> ======= Memory map: ========
> Aborted (core dumped)
> _______________________________________________
> Nfdump-discuss mailing list
> Nfdump-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss

-- 
Be nice to your netflow data. Use NfSen and nfdump :)
--- nflowcache.c.orig   2012-04-15 08:23:00.000000000 +0200
+++ nflowcache.c        2012-04-15 08:23:35.000000000 +0200
@@ -637,18 +637,22 @@
        fmt_len = 0;
        i = 0;
        while ( aggregate_info[i].aggregate_token != NULL ) {
+               if ( aggregate_info[i].active )
+                       stack_count++;
                if ( aggregate_info[i].fmt )
                        fmt_len += ( strlen(aggregate_info[i].fmt) + 1 );
                i++;
        }
        fmt_len++;      // trailing '\0'
 
-       *aggr_fmt = malloc(fmt_len);
+       if ( !*aggr_fmt ) {
+               *aggr_fmt = malloc(fmt_len);
+               (*aggr_fmt)[0] = '\0';
+       }
        if ( !*aggr_fmt ) {
                fprintf(stderr, "malloc() error in %s line %d: %s\n", __FILE__, 
__LINE__, strerror (errno));
                return 0;
        }
-       (*aggr_fmt)[0] = '\0';
 
 
        FlowTable.apply_netbits  = 0;
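Review bot: the new `if ( !*aggr_fmt )` block writes `(*aggr_fmt)[0] = '\0';` immediately after the malloc, so a failed allocation now dereferences NULL before the following `if ( !*aggr_fmt )` error check can report it; keep the terminator write after the error check, where the removed line had it. The added `stack_count++` also counts entries already marked active by an earlier -A argument, which matches the cumulative buffer, but the hunk does not show where stack_count is reset, so confirm it is zeroed once per invocation rather than once per call.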
@@ -712,7 +716,9 @@
                while ( a->aggregate_token && (strcasecmp(p, a->aggregate_token 
) != 0) )
                        a++;
 
-               if ( a->aggregate_token != NULL ) {
+               if ( a->active ) {
+                       fprintf(stderr, "Skip already given aggregation mask: 
%s\n", p);
+               } else if ( a->aggregate_token != NULL ) {
 
                        if ( a->fmt != NULL ) {
                                strncat(*aggr_fmt, a->fmt, fmt_len);
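Review bot: `if ( a->active )` is evaluated before the `a->aggregate_token != NULL` test, so when the token is not found and `a` rests on the terminating entry the outcome depends on that sentinel's `active` field rather than on the lookup result; test `a->aggregate_token == NULL` (unknown token) first, then `a->active` (duplicate), then the normal case. Note also that `strncat(*aggr_fmt, a->fmt, fmt_len)` passes the full buffer size as the source bound, which is no longer the remaining space once the buffer persists across -A arguments; it stays in bounds only because fmt_len sums every fmt string and each token is now appended at most once, so a comment stating that invariant (or tracking the remaining length) would help the next reader.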
