Your message dated Sat, 02 Mar 2013 05:47:37 +0000
with message-id <e1ubfih-0004bq...@franck.debian.org>
and subject line Bug#700442: fixed in ntop 3:4.99.3+ndpi5517+dfsg3-1
has caused the Debian Bug report #700442,
regarding ntop reliably segfaults in searchFragments
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
700442: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700442
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ntop
Version: 3:4.99.3+ndpi5517+dfsg2-1
Severity: grave
Tags: security
Justification: looks like a buffer overflow
X-Debbugs-CC: deb...@cygnusnetworks.de

Running ntop under gdb. In most cases it segfaults within the first 10 seconds.

# gdb /usr/sbin/ntop 
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/ntop...Reading symbols from /usr/lib/debug/usr/sbin/ntop...done.
done.
(gdb) run -L -u ntop -P /var/lib/ntop --access-log-file=/var/log/ntop/access.log -i eth2 -p /etc/ntop/protocol.list -O /var/log/ntop -n 0
Starting program: /usr/sbin/ntop -L -u ntop -P /var/lib/ntop --access-log-file=/var/log/ntop/access.log -i eth2 -p /etc/ntop/protocol.list -O /var/log/ntop -n 0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Tue Feb 12 18:14:59 2013  Initializing gdbm databases
[New Thread 0x7fffef992700 (LWP 21289)]
[New Thread 0x7fffef191700 (LWP 21290)]
[New Thread 0x7fffee990700 (LWP 21291)]
[New Thread 0x7fffedb43700 (LWP 21292)]
[New Thread 0x7fffed342700 (LWP 21293)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffed342700 (LWP 21293)]
searchFragment (actualDeviceId=0, fragmentId=41168, dstHost=0x555555b22d90, srcHost=0x555555b20fc0) at ip.c:96
96      ip.c: No such file or directory.
(gdb) bt
#0  searchFragment (actualDeviceId=0, fragmentId=41168, dstHost=0x555555b22d90, srcHost=0x555555b20fc0) at ip.c:96
#1  handleFragment (srcHost=srcHost@entry=0x555555b20fc0, dstHost=dstHost@entry=0x555555b22d90, sport=sport@entry=0x7fffed33f8e6, dport=dport@entry=0x7fffed33f8e8, fragmentId=41168, off=8192, packetLength=1510, dataLength=1472, actualDeviceId=0, h=0x7fffed341ca0, p=0x7fffed33fbd0 "") at ip.c:183
#2  0x00007ffff76e633e in processIpPkt (bp=0x7fffed33fbe2 "E", h=h@entry=0x7fffed341ca0, p=p@entry=0x7fffed33fbd0 "", ip_offset=18, length=length@entry=1510, ether_src=0x7fff000005b8 <Address 0x7fff000005b8 out of bounds>, ether_src@entry=0x7fffed33fb26 "", ether_dst=0x7fff00002000 <Address 0x7fff00002000 out of bounds>, ether_dst@entry=0x7fffed33fb20 "", actualDeviceId=actualDeviceId@entry=0, vlanId=vlanId@entry=10) at ip.c:1068
#3  0x00007ffff76f4ad4 in processPacket (_deviceId=_deviceId@entry=0x0, h=h@entry=0x7fffed341ca0, p=p@entry=0x7fffed33fbd0 "") at pbuf.c:1447
#4  0x00007ffff76f64de in queuePacket (_deviceId=0x0, h=0x7fffed341ca0, p=0x7fffefd48042 "") at pbuf.c:548
#5  0x00007ffff7fbcfbe in ?? () from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
#6  0x00007ffff76eec13 in pcapDispatch (_i=0x0) at ntop.c:91
#7  0x00007ffff6256b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#8  0x00007ffff71e3a7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#9  0x0000000000000000 in ?? ()
(gdb) display *myGlobals.device->fragmentList
1: *myGlobals.device->fragmentList = {src = 0x0, dest = 0x1000000010, fragmentOrder = -16 '\360', fragmentId = 21845, lastOffset = 1473236608, lastDataLength = 21845, totalDataLength = 1473236288, expectedDataLength = 21845, totalPacketLength = 81, sport = 0, dport = 0, firstSeen = 5750162749747989050, prev = 0x13b771766d43882f, next = 0x35173cbb65b9e257}
(gdb) display *myGlobals.device->fragmentList->next
2: *myGlobals.device->fragmentList->next = <error: Cannot access memory at address 0x35173cbb65b9e257>
(gdb) display *myGlobals.device->fragmentList->prev
3: *myGlobals.device->fragmentList->prev = <error: Cannot access memory at address 0x13b771766d43882f>
(gdb) 

Apparently the fragmentList is corrupted. Since there is no pointer magic going 
on, the only plausible cause for this is some kind of buffer overflow. Another 
time the next pointer would be 0x20 or 0x50. Yet another time it came to be 
0x696c00756e672d78, which looks like "il\0ung-x" when interpreted as ASCII. 
Surely this next pointer comes from the network.

Helmut

--- End Message ---
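
A triage helper for the pointer values quoted in the report above, as an added example that is not part of the original message or of ntop: it sorts a 64-bit value found in a pointer field into small integer, non-canonical x86_64 address, text-like data, or plausible address, and renders its bytes in little-endian memory order. The names `classify_pointer` and `memory_order_ascii`, the 64 KiB floor, the 48-bit address width and the six-printable-bytes threshold are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ptr_class { PTR_SMALL_INT, PTR_NONCANONICAL, PTR_TEXTLIKE, PTR_PLAUSIBLE };

/* Render the 8 bytes of v in the order they sit in memory on little-endian
 * x86_64 ('.' for non-printable). Returns the count of printable ASCII bytes. */
static int memory_order_ascii(uint64_t v, char out[9]) {
    int printable = 0;
    for (int i = 0; i < 8; i++) {
        unsigned char b = (unsigned char)(v >> (8 * i));
        int ok = (b >= 0x20 && b <= 0x7e);
        out[i] = ok ? (char)b : '.';
        printable += ok;
    }
    out[8] = '\0';
    return printable;
}

/* Heuristic triage of a value found where a pointer should be.
 * Assumptions: 48-bit virtual addresses; anything below 64 KiB is unmapped. */
static enum ptr_class classify_pointer(uint64_t v) {
    char txt[9];
    if (v < 0x10000)
        return PTR_SMALL_INT;            /* a length or flag, not an address */
    uint64_t top = v >> 47;              /* bits 63..47 must be all 0 or all 1 */
    if (top == 0 || top == 0x1ffff)
        return PTR_PLAUSIBLE;            /* canonical; says nothing about validity */
    return memory_order_ascii(v, txt) >= 6 ? PTR_TEXTLIKE : PTR_NONCANONICAL;
}

int main(void) {
    static const char *names[] = { "small-int", "non-canonical", "text-like", "plausible" };
    /* Values quoted in the report: next/prev from the gdb session and the
     * other observed next pointers, plus dstHost as a sane reference. */
    const uint64_t seen[] = { 0x35173cbb65b9e257ULL, 0x13b771766d43882fULL,
                              0x20, 0x50, 0x696c00756e672d78ULL, 0x555555b22d90ULL };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++) {
        char txt[9];
        memory_order_ascii(seen[i], txt);
        printf("0x%016llx  %-13s  \"%s\"\n", (unsigned long long)seen[i],
               names[classify_pointer(seen[i])], txt);
    }
    return 0;
}
```

For 0x696c00756e672d78 the memory-order rendering is `x-gnu.li`, the byte sequence as it would sit in the list node on this little-endian host.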
--- Begin Message ---
Source: ntop
Source-Version: 3:4.99.3+ndpi5517+dfsg3-1

We believe that the bug you reported is fixed in the latest version of
ntop, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovico Cavedon <cave...@debian.org> (supplier of updated ntop package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 Feb 2013 23:23:02 -0800
Source: ntop
Binary: ntop ntop-dbg ntop-data
Architecture: source amd64 all
Version: 3:4.99.3+ndpi5517+dfsg3-1
Distribution: unstable
Urgency: high
Maintainer: Ludovico Cavedon <cave...@debian.org>
Changed-By: Ludovico Cavedon <cave...@debian.org>
Description: 
 ntop       - display network usage in web browser
 ntop-data  - display network usage in a web browser (data files)
 ntop-dbg   - display network usage in web browser (debug symbols)
Closes: 695422 695424 700442
Changes: 
 ntop (3:4.99.3+ndpi5517+dfsg3-1) unstable; urgency=high
 .
   * Repackage source removing stale license notice from protocls.c
     (Closes: #695424).
   * Remove IP fragment handling code (Closes: #700442).
   * Disable OpenSSL (thanks to Giovanni Rapagnani, Closes: #695422).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----

--- End Message ---
