Reason && workaround for cflowds (others?) core dump.

From: Nicholas L. Nigay (nnigay@cboss.ru)
Date: Mon Nov 19 2001 - 01:06:00 PST


    Hello!

    There is a format string bug inside CflowdCisco.cc:ClearTableData(),
    which causes cflowd to coredump on 32-bit hosts
    (maybe on 64-bit hosts too).

             syslog(LOG_INFO,
                    "[I] missed %u of %u flows from %s"
                    " engine %d agg_method %d (%g%% loss)",
                    (*engineIter).second.MissedFlows(aggMethod),
                    totalFlows,
                    inet_ntoa(addrIn),
                    (*engineIter).first,
                    aggMethod,
                    ((*engineIter).second.MissedFlows(aggMethod) * 100.0) /
                    totalFlows);

    Description:
    ------------
    The variable TotalFlows (whose type is uint64) is syslogged
    with %u (instead of %llu). Thus syslog()'s argument parser takes
    only the first 32 bits of TotalFlows. Hence the last 32 bits of TotalFlows
    are incorrectly considered a pointer to the string that should be syslogged
    with the %s format (instead of the result of inet_ntoa(addrIn)). What follows
    is trivial: strlen() tries to access memory at address 0 (on
    little-endian systems), causing a Segmentation Fault etc.

    Workaround:
    -----------
    Instead of
      "[I] missed %u of %u flows from %s"
    should be
      "[I] missed %u of %llu flows from %s"

    Warning:
    --------
    The suggested workaround may be incorrect for 64-bit platforms,
    since the argument parser might take all 64 bits of TotalFlows for %u
    in the syslog() above.

    -- 
    Good luck!
    Nicholas L. Nigay
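    The argument-slot misalignment described in the post, modelled as an added
    example (this is not cflowd's code). It assumes a 32-bit ABI where varargs
    occupy 4-byte stack slots and a little-endian host, as the post does, and
    also shows the PRIu64 form of the fix that is correct on 64-bit platforms.

```c
/* Added example (not cflowd's code): a model of the bug described in the
 * post, assuming a 32-bit ABI where varargs are passed in 4-byte stack
 * slots and a little-endian host, as the post assumes. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated argument area; the real one is the caller's stack. */
struct va_area { unsigned char buf[64]; size_t len; size_t pos; };

static void push_u32(struct va_area *a, uint32_t v) {
    memcpy(a->buf + a->len, &v, 4); a->len += 4;  /* host byte order, like a push */
}
static void push_u64(struct va_area *a, uint64_t v) {
    memcpy(a->buf + a->len, &v, 8); a->len += 8;  /* 64-bit value = two 4-byte slots */
}
static uint32_t take_u32(struct va_area *a) {
    uint32_t v; memcpy(&v, a->buf + a->pos, 4); a->pos += 4; return v;
}
static uint64_t take_u64(struct va_area *a) {
    uint64_t v; memcpy(&v, a->buf + a->pos, 8); a->pos += 8; return v;
}

/* Walk fmt the way syslog's argument parser would (only %u, %llu and %s
 * are modelled) and return the 32-bit value the %s conversion receives.
 * Arguments are pushed in the order of the original call: missed flows
 * (32-bit), total flows (uint64), then the address of the agent string. */
uint32_t value_seen_by_percent_s(const char *fmt, uint32_t missed,
                                 uint64_t total, uint32_t str_addr) {
    struct va_area a = { {0}, 0, 0 };
    push_u32(&a, missed); push_u64(&a, total); push_u32(&a, str_addr);
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == 'l' && p[2] == 'l' && p[3] == 'u') { take_u64(&a); p += 3; }
        else if (p[1] == 'u') { take_u32(&a); p += 1; }
        else if (p[1] == 's') return take_u32(&a);  /* what %s would dereference */
    }
    return UINT32_MAX;  /* no %s in format */
}

/* Portable fix: PRIu64 expands to the right conversion for uint64_t on
 * both 32- and 64-bit platforms, so it also sidesteps the %llu caveat
 * from the warning above. */
int format_loss(char *out, size_t n, uint32_t missed, uint64_t total,
                const char *agent) {
    return snprintf(out, n, "[I] missed %" PRIu32 " of %" PRIu64 " flows from %s",
                    missed, total, agent);
}
```

    With the buggy format the %s conversion receives the high word of the
    uint64 (0 for any count below 2^32), which is exactly the NULL that
    strlen() then dereferences.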
    

    -- cflowd mailing list cflowd@caida.org
