On Wed, Nov 27, 2013 at 12:23 PM, Darin Perusich <da...@darins.net> wrote:
> On Wed, Nov 27, 2013 at 12:22 PM, Darin Perusich <da...@darins.net> wrote:
>> --
>> Later,
>> Darin
>>
>>
>> On Wed, Nov 27, 2013 at 12:11 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>> On Wed, Nov 27, 2013 at 11:41 AM, Darin Perusich <da...@darins.net> wrote:
>>>> On Tue, Nov 26, 2013 at 2:15 PM, Darin Perusich <da...@darins.net> wrote:
>>>>> On Tue, Nov 26, 2013 at 12:59 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>>>>> On Tue, Nov 26, 2013 at 12:57 PM, Darin Perusich <da...@darins.net>
>>>>>> wrote:
>>>>>>> This "fixed" remoted. What's so special about this included zlib,
>>>>>>> other than being 8.5 years old and getting ever more unmaintained? I
>>>>>>> haven't had a chance to diff it against upstream yet.
>>>>>>>
>>>>>>
>>>>>> I don't know actually. I remember the Debian folks mentioning
>>>>>> differences and possibly trying to push some upstream.
>>>>>>
>>>>>
>>>>> Looks like I spoke too soon, I'm still getting the segfault with
>>>>> ossec-remoted built against the provided zlib. This is giving me a bit
>>>>> of a headache. Let me keep poking around and see if I can come up with
>>>>> anything else.
>>>>
>>>> Ok, so I'm looking at this again and ossec-remoted is built with the
>>>> provided zlib and it's still segfaulting. What other info can I
>>>> provide to keep this moving, any additional gdb output, valgrind,
>>>> building w/specific debug flags (other than -g)?
>>>>
>>>
>>> Is the trace in gdb the same?
>>>
>>
>> It is, but here's the output again.
>>
>> # gdb /var/ossec/bin/ossec-remoted
>> GNU gdb (GDB) SUSE (7.5.1-2.1.1)
>> Copyright (C) 2012 Free Software Foundation, Inc.
>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
>> and "show warranty" for details.
>> This GDB was configured as "x86_64-suse-linux".
>> For bug reporting instructions, please see:
>> <http://www.gnu.org/software/gdb/bugs/>...
>> Reading symbols from /var/ossec/bin/ossec-remoted...done.
>> (gdb) set follow-fork-mode child
>> (gdb) run -d
>> Starting program: /var/ossec/bin/ossec-remoted -d
>> [Thread debugging using libthread_db enabled]
>> Using host libthread_db library "/lib64/libthread_db.so.1".
>> 2013/11/27 12:21:22 ossec-remoted: DEBUG: Starting ...
>> [New process 3486]
>> [Thread debugging using libthread_db enabled]
>> Using host libthread_db library "/lib64/libthread_db.so.1".
>> [New process 3487]
>> [Thread debugging using libthread_db enabled]
>> Using host libthread_db library "/lib64/libthread_db.so.1".
>> [New process 3488]
>> [Thread debugging using libthread_db enabled]
>> Using host libthread_db library "/lib64/libthread_db.so.1".
>> [New Thread 0x7ffff6fd8700 (LWP 3489)]
>> [New Thread 0x7ffff67d7700 (LWP 3490)]
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> [Switching to Thread 0x7ffff7fdf700 (LWP 3488)]
>> 0x0000000000424726 in OS_StartCounter (keys=0x6525a0 <keys>) at msgs.c:89
>> warning: Source file is more recent than executable.
>> 89                 if((keys->keyentries[i -1]->fp) && (i > 10))
>> (gdb) where
>> #0 0x0000000000424726 in OS_StartCounter (keys=0x6525a0 <keys>) at msgs.c:89
>> #1 0x0000000000404845 in HandleSecure () at secure.c:85
>> #2 0x0000000000404708 in HandleRemote (position=0, uid=493) at remoted.c:102
>> #3 0x0000000000403234 in main (argc=2, argv=0x7fffffffe1d8) at main.c:151
>> (gdb) list
>> 84             if(!keys->keyentries[i]->fp)
>> 85             {
>> 86                 int my_error = errno;
>> 87
>> 88                 /* Just in case we run out of file descriptiors */
>> 89                 if((keys->keyentries[i -1]->fp) && (i > 10))
>> 90                 {
>> 91                     fclose(keys->keyentries[i -1]->fp);
>> 92
>> 93                     if(keys->keyentries[i -2]->fp)
>
>
> (gdb) bt full
> #0 0x0000000000424726 in OS_StartCounter (keys=0x6525a0 <keys>) at msgs.c:89
>         my_error = 13
>         i = 0
>         rids_file =
> "/queue/rids/001\000\000\256\377\377\377\177\000\000\022*\226R\000\000\000\000\340\347\273\367\377\177\000\000\300\325e\000\000\000\000\000\260\256\377\377\377\177\000\000!tB",
> '\000' <repeats 13 times>, "BLC", '\000' <repeats 13 times>,
> "\020\000\000\000\060\000\000\000\300\256\377\377\377\177\000\000\000\256\377\377\377\177\000\000\000\000\000\000\000\000\000\000@KC\000\000\000\000\000H\000\000\000\000\000\000\000@\002\000\000\000\000\000\000\001\000\000\000\000\000\000\000\005",
> '\000' <repeats 88 times>"\256,
> \377\377\377\177\000\000צ\377\377\377\177\000\000"
> #1 0x0000000000404845 in HandleSecure () at secure.c:85
>         agentid = 0
>         buffer = '\000' <repeats 1928 times>,
> "\002\030\336\367\377\177", '\000' <repeats 67 times>"\300,
> \000\000\000\000\000\000\254\260\000\000\000\000\000\000\254\260",
> '\000' <repeats 14 times>, "\005\000\000\000\000\000\000\000\000\260
> \000\000\000\000\000\000\320 \000\000\000\000\000\030\303
> \000\000\000\000\000H\307
> \000\000\000\000\000\000\260\000\000\000\000\000\000\003", '\000'
> <repeats 31 times>"\320, \004", '\000' <repeats 14 times>, "P", '\000'
> <repeats 39 times>,
> "\003\000\000\000\060\000\000\000[\000\000\000n\000\000\000w\000\000\000|",
> '\000' <repeats 11 times>,
> "@\226\273\367\377\177\000\000\031\000\000\000\000\000\000\000\320ie\000\000\000\000\000\020ee\000\000\000\000\000\031",
> '\000' <repeats 15 times>,
> "3\366\210\367\377\177\000\000\320ie\000\000\000\000\000\000"...
>         cleartext_msg = '\000' <repeats 5264 times>, "@", '\000'
> <repeats 35 times>,
> "\001\000\000\000\002\000\000\000\060\000\000\000[\000\000\000n\000\000\000w\000\000\000|",
> '\000' <repeats 11 times>,
> "@\226\273\367\377\177\000\000\200\305\377\377\377\177\000\000PKe\000\000\000\000\000\200\305\377\377\377\177\000\000\220)@\000\000\000\000\000PKe\000\000\000\000\000Ȉ\210\367\377\177\000\000\000\000\000\000\000\000\000\000PKe\000\000\000\000\000\200\305\377\377\377\177\000\000\376\226\210\367\377\177\000\000PKe\000\000\000\000\000WK\210\367\377\177\000\000\000\000\000\000\000\000\000\000\034\370B\000\000\000\000\000\000\000\000\000\003\000\000\000PKe\000\000\000\000\000PKe\000\000\000\000\000\000\000\000\000\377\377\377\377\000\336\377\377\377\177\000\000\205\002C",
> '\000' <repeats 13 times>,
> "0\337\377\377\377\177\000\000\000\000\000\000\000\000\000\000P"...
>         srcip = '\000' <repeats 16 times>
>         tmp_msg = 0x6f <Address 0x6f out of bounds>
>         srcmsg = '\000' <repeats 256 times>
>         recv_b = 32767
>         peer_info = {sin_family = 0, sin_port = 0, sin_addr = {s_addr
> = 0}, sin_zero = "\000\000\000\000\000\000\000"}
>         peer_size = 0
> #2 0x0000000000404708 in HandleRemote (position=0, uid=493) at remoted.c:102
> No locals.
> #3 0x0000000000403234 in main (argc=2, argv=0x7fffffffe1d8) at main.c:151
>         i = 0
>         c = -1
>         uid = 493
>         gid = 494
>         test_config = 0
>         run_foreground = 0
>         cfg = 0x433fe0 "/var/ossec/etc/ossec.conf"
>         dir = 0x433ffa "/var/ossec"
>         user = 0x434005 "ossecr"
>         group = 0x43400c "ossec"
> (gdb)
So we've figured this out, and it can be chalked up to a bug in the error handling of the code. The owner of /var/ossec/queue/rids was user "ossec" and not "ossecr"; this was causing the segfault instead of giving a permission denied error or something to that effect. A patch will be forthcoming.
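The mechanism is visible in the posted trace: the crash is at msgs.c:89, the frame shows i = 0 and my_error = 13 (EACCES), and the listed condition `(keys->keyentries[i -1]->fp) && (i > 10)` evaluates its left operand first, so keyentries[-1] is read before the `i > 10` guard can stop it. The following is an added C example, not OSSEC's own code or the forthcoming patch: it models the counter-file loop with a minimal keystore and an injectable opener so the EACCES case from the thread (rids/ owned by "ossec", remoted running as "ossecr") and the out-of-descriptors case can both be run offline. The keystore layout, the opener hook, the helper names and the choice to retry only on EMFILE are my own assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for OSSEC's keystore (names are mine): one entry per agent,
 * holding the FILE* of its counter (rids) file once it is opened. */
typedef struct { char id[16]; FILE *fp; } keyentry;
typedef struct { keyentry **keyentries; int keysize; } keystore;

/* Injectable opener so failures can be simulated without touching
 * /var/ossec; the real code fopen()s queue/rids/<agent id>. */
typedef FILE *(*rids_opener)(const char *id);

/* The thread's case: rids/ owned by "ossec" while remoted runs as "ossecr",
 * so every open fails with EACCES (my_error = 13 in the trace). */
static FILE *open_denied(const char *id)
{
    (void)id;
    errno = EACCES;
    return NULL;
}

/* Fails with EMFILE once for agent 012 (i == 11, so i > 10 holds), then
 * succeeds on the retry; exercises the descriptor-recovery branch. */
static FILE *open_emfile_once(const char *id)
{
    static int tripped = 0;
    if (!tripped && strcmp(id, "012") == 0) {
        tripped = 1;
        errno = EMFILE;
        return NULL;
    }
    return tmpfile();   /* anonymous file standing in for rids/<id> */
}

/* msgs.c:89 in the trace reads  if((keys->keyentries[i -1]->fp) && (i > 10))
 * && evaluates left to right, so at i == 0 keyentries[-1] is dereferenced
 * before the i > 10 guard is consulted: that is the SIGSEGV. Here the index
 * guard comes first; limiting the retry to EMFILE is my own addition. */
static int start_counter(keystore *keys, rids_opener opener)
{
    for (int i = 0; i < keys->keysize; i++) {
        keys->keyentries[i]->fp = opener(keys->keyentries[i]->id);
        if (keys->keyentries[i]->fp)
            continue;
        int my_error = errno;

        /* Out of descriptors: release the two newest handles and retry once. */
        if (my_error == EMFILE && i > 10 && keys->keyentries[i - 1]->fp) {
            fclose(keys->keyentries[i - 1]->fp);
            keys->keyentries[i - 1]->fp = NULL;
            if (keys->keyentries[i - 2]->fp) {
                fclose(keys->keyentries[i - 2]->fp);
                keys->keyentries[i - 2]->fp = NULL;
            }
            keys->keyentries[i]->fp = opener(keys->keyentries[i]->id);
            if (keys->keyentries[i]->fp)
                continue;
            my_error = errno;
        }
        /* Anything else (EACCES from a wrong owner, ENOENT, ...) is an error. */
        errno = my_error;
        return -1;
    }
    return 0;
}

static keystore *make_keys(int n)
{
    keystore *k = calloc(1, sizeof *k);
    k->keysize = n;
    k->keyentries = calloc((size_t)n, sizeof *k->keyentries);
    for (int i = 0; i < n; i++) {
        k->keyentries[i] = calloc(1, sizeof(keyentry));
        snprintf(k->keyentries[i]->id, sizeof k->keyentries[i]->id, "%03d", i + 1);
    }
    return k;
}

static void free_keys(keystore *k)
{
    for (int i = 0; i < k->keysize; i++) {
        if (k->keyentries[i]->fp) fclose(k->keyentries[i]->fp);
        free(k->keyentries[i]);
    }
    free(k->keyentries);
    free(k);
}

/* Builds nagents entries, runs the loop, returns 0 or the failing errno. */
int run_start_counter(int nagents, rids_opener opener)
{
    keystore *k = make_keys(nagents);
    int err = start_counter(k, opener) == 0 ? 0 : errno;
    free_keys(k);
    return err;
}
```

With the guard reordered, `run_start_counter(1, open_denied)` returns EACCES, which the caller can report as "Permission denied" on the rids directory rather than crashing on the first agent, and `run_start_counter(15, open_emfile_once)` returns 0 after closing two older handles and reopening agent 012. The same ownership check can be done by hand before starting remoted: stat /var/ossec/queue/rids and compare its owner with the user remoted drops to (ossecr in the trace).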