You didn't use a -g binary as I suggested; with one, gdb will show more.

Peter J. Philipp <p...@delphinusdns.org> wrote:

> On Mon, May 03, 2021 at 08:27:57AM -0600, Theo de Raadt wrote:
> > Can you reproduce this, and capture core files?
> 
> Yes, after a reboot I could reproduce it; I didn't even have to cycle the
> interfaces.  I got a coredump like you described for me.  See below:
> 
> > Since our tcpdump is a privsep program, getting a core is a bit harder.
> > 
> > mkdir /var/crash/tcpdump
> > echo kern.nosuidcoredump=3 >> /etc/sysctl.conf
> > reboot
> > 
> > You could recompile tcpdump with -g or -ggdb, to gain better symbols.
> > 
> > If you manage to create a coredump, run gdb against the unstripped
> > binary (src/usr.sbin/tcpdump/obj/tcpdump) and let's see what the trace is.
> 
> Loaded symbols for /usr/libexec/ld.so
> #0  0x00000032fd8d2f74 in wg_print () from /usr/sbin/tcpdump
> (gdb) bt
> #0  0x00000032fd8d2f74 in wg_print () from /usr/sbin/tcpdump
> #1  0x00000032fd891880 in udp_print () from /usr/sbin/tcpdump
> #2  0x00000032fd88d5f8 in ip_print () from /usr/sbin/tcpdump
> #3  0x00000032fd88c4f8 in ether_encap_print () from /usr/sbin/tcpdump
> #4  0x00000032fd88bf10 in ether_tryprint () from /usr/sbin/tcpdump
> #5  0x00000032fd88bcc4 in ether_if_print () from /usr/sbin/tcpdump
> #6  0x0000003766337f98 in pcap_read (p=0x37aa410e00, cnt=-1, 
>     callback=0x32fd88bc40 <ether_if_print>, user=0x0)
>     at /usr/src/lib/libpcap/pcap-bpf.c:188
> #7  0x00000037663359d4 in pcap_loop (p=0x37aa410e00, cnt=-1, 
>     callback=0x32fd88bc40 <ether_if_print>, user=0x0)
>     at /usr/src/lib/libpcap/pcap.c:76
> #8  0x00000032fd8818e8 in main () from /usr/sbin/tcpdump
> 
> It looks like it's in wg_print().  I looked at this, but was unable to find
> a solution.  Perhaps memcpy'ing bp in wg_print() to another aligned buffer
> and then trying to get the values out of it.  I spent days fixing my programs
> on octeon similar to that, but I used an unpack8, unpack16, unpack32, unpack64
> and unpack() to do so, which in the latter case memcpy'd.  I know too little,
> though, of how tcpdump is best worked with; just writing memcpy's in there is
> probably not a good idea.
> 
> Best Regards,
> -peter

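The alignment hazard Peter describes, as an added example that is not code from this thread or from tcpdump: on a strict-alignment target such as octeon, a 4- or 8-byte load through a pointer that is not a multiple of the access size traps with SIGBUS, and a UDP payload inside an Ethernet frame sits at offset 14 + 20 + 8 = 42, which is 2 mod 4. The helpers below (the names unpack16le/unpack32le/unpack64le/unpack32host and the parse function are this example's own) assemble values byte by byte or via memcpy so they never issue a wide load, and the parser bounds-checks the capture before touching it. The header layout used for the sample (4-byte type, 4-byte receiver index, 8-byte counter, little-endian) is an assumption modelled on WireGuard's transport data message, not a statement about how tcpdump's wg_print() is written.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Alignment- and endianness-safe fetches.  Assembling the value from
 * individual bytes never dereferences a wider-than-byte pointer, so it
 * cannot fault on a strict-alignment target, and it makes the wire byte
 * order explicit instead of inheriting the host's.
 */
static inline uint16_t
unpack16le(const uint8_t *p)
{
	return (uint16_t)(p[0] | (uint16_t)p[1] << 8);
}

static inline uint32_t
unpack32le(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	    (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static inline uint64_t
unpack64le(const uint8_t *p)
{
	return (uint64_t)unpack32le(p) | (uint64_t)unpack32le(p + 4) << 32;
}

/* memcpy variant: same alignment safety, but yields host byte order. */
static inline uint32_t
unpack32host(const uint8_t *p)
{
	uint32_t v;
	memcpy(&v, p, sizeof(v));
	return v;
}

/* Assumed header layout for this example: all fields little-endian. */
struct wg_data_hdr {
	uint32_t type;
	uint32_t receiver;
	uint64_t counter;
};
#define WG_DATA_HDR_LEN 16

/*
 * Parse the header at buf[off].  Length is checked first: a capture can be
 * truncated by the snaplen, and reading past the captured bytes is a bug
 * regardless of alignment.  Returns 0 on success, -1 if too short.
 */
int
parse_wg_data_hdr(const uint8_t *buf, size_t len, size_t off,
    struct wg_data_hdr *out)
{
	if (off > len || len - off < WG_DATA_HDR_LEN)
		return -1;
	const uint8_t *p = buf + off;
	/*
	 * The faulting pattern on MIPS would be *(const uint32_t *)p: with
	 * p at offset 42 of an aligned frame the address is 2 mod 4.
	 */
	out->type = unpack32le(p);
	out->receiver = unpack32le(p + 4);
	out->counter = unpack64le(p + 8);
	return 0;
}

/* Constructed sample: 14-byte Ethernet + 20-byte IPv4 + 8-byte UDP headers
 * (zeroed; only their length matters here) put the payload at offset 42. */
#define PAYLOAD_OFF 42
static const uint8_t sample_payload[WG_DATA_HDR_LEN] = {
	0x04, 0x00, 0x00, 0x00,				/* type 4 */
	0x44, 0x33, 0x22, 0x11,				/* receiver 0x11223344 */
	0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01,	/* counter */
};

/* Build the frame in 8-byte aligned storage, then parse from offset 42
 * pretending the capture is caplen bytes long. */
static int
demo_parse_caplen(size_t caplen, struct wg_data_hdr *out)
{
	union { uint64_t align; uint8_t bytes[64]; } frame;
	memset(frame.bytes, 0, sizeof(frame.bytes));
	memcpy(frame.bytes + PAYLOAD_OFF, sample_payload, sizeof(sample_payload));
	return parse_wg_data_hdr(frame.bytes, caplen, PAYLOAD_OFF, out);
}

int demo_parse(struct wg_data_hdr *out) { return demo_parse_caplen(64, out); }
/* Truncated capture: header runs 8 bytes past the captured data. */
int demo_parse_short(struct wg_data_hdr *out) { return demo_parse_caplen(PAYLOAD_OFF + 8, out); }

int
main(void)
{
	struct wg_data_hdr h;
	if (demo_parse(&h) == 0)
		printf("type=%u receiver=0x%08x counter=%llu\n",
		    h.type, h.receiver, (unsigned long long)h.counter);
	return 0;
}
```

On amd64 the direct cast happens to work, which is why this class of bug surfaces only when someone runs the same parser on octeon; the byte-assembly form costs nothing on the permissive targets because the compiler folds it back into a single load where that is legal.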