ndpiReader crash while analyzing Server Hello #366

Closed
Ravi-t opened this issue Apr 19, 2017 · 15 comments

Ravi-t commented Apr 19, 2017

ndpiReader crashed on encountering Server Hello packet, I have attached the coredump and trace file.
The bt is as follows:

gdb ndpiReader corelive.57873
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-80.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /root/nDPI-8/nDPI/example/ndpiReader...done.
[New LWP 57874]
[New LWP 57873]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `./ndpiReader -i eno16777736'.
Program terminated with signal 11, Segmentation fault.
#0 ssl_mark_and_payload_search_for_other_protocols (ndpi_struct=0x21942b0, flow=0x7fc5a4071c00) at protocols/ssl.c:381
381 if(packet->payload[a] == 't') {
(gdb) p a
$1 = 2458
(gdb) bt
#0 ssl_mark_and_payload_search_for_other_protocols (ndpi_struct=0x21942b0, flow=0x7fc5a4071c00) at protocols/ssl.c:381
#1 0x0000000000412456 in check_ndpi_tcp_flow_func (ndpi_struct=ndpi_struct@entry=0x21942b0, flow=flow@entry=0x7fc5a4071c00,
ndpi_selection_packet=ndpi_selection_packet@entry=0x7fc5ac4068d8) at ndpi_main.c:3274
#2 0x000000000041247f in check_ndpi_flow_func (ndpi_struct=ndpi_struct@entry=0x21942b0, flow=flow@entry=0x7fc5a4071c00,
ndpi_selection_packet=ndpi_selection_packet@entry=0x7fc5ac4068d8) at ndpi_main.c:3332
#3 0x000000000041278e in ndpi_detection_process_packet (ndpi_struct=0x21942b0, flow=0x7fc5a4071c00, packet=, packetlen=, current_tick_l=,
src=0x7fc5a404ff20, dst=0x7fc5a4060f00) at ndpi_main.c:3515
#4 0x0000000000406b1a in packet_processing (workflow=0x24177e0, time=1492621588791, vlan_id=0, iph=0x7fc5a407863e, iph6=0x0, ip_offset=14, ipsize=2960, rawsize=2974)
at ndpi_util.c:556
#5 0x0000000000407774 in ndpi_workflow_process_packet (workflow=0x24177e0, header=0x7fc5ac406bb0, packet=0x7fc5a4078630 "") at ndpi_util.c:913
#6 0x0000000000404825 in pcap_packet_callback_checked (args=0x7fc5ac406ccc "", header=0x7fc5ac406bb0, packet=0x7fc5ac5a5046 <Address 0x7fc5ac5a5046 out of bounds>)
at ndpiReader.c:1343
#7 0x00007fc5acc7599e in pcap_handle_packet_mmap (handle=handle@entry=0x2191070, callback=callback@entry=0x4047a2 <pcap_packet_callback_checked>, user=user@entry=0x7fc5ac406ccc "",
frame=frame@entry=0x7fc5ac5a5000 <Address 0x7fc5ac5a5000 out of bounds>, tp_len=, tp_mac=, tp_snaplen=1546, tp_sec=1492621588, tp_usec=791473,
tp_vlan_tci_valid=0, tp_vlan_tci=0) at ./pcap-linux.c:4361
#8 0x00007fc5acc79ae1 in pcap_read_linux_mmap_v2 (handle=0x2191070, max_packets=-1, callback=0x4047a2 <pcap_packet_callback_checked>, user=0x7fc5ac406ccc "") at ./pcap-linux.c:4463
#9 0x00007fc5acc7e19d in pcap_loop (p=0x2191070, cnt=-1, callback=0x4047a2 <pcap_packet_callback_checked>, user=0x7fc5ac406ccc "") at ./pcap.c:862
#10 0x0000000000404e68 in runPcapLoop (thread_id=0) at ndpiReader.c:1424
#11 0x0000000000404fbc in processing_thread (_thread_id=0x0) at ndpiReader.c:1452
#12 0x00007fc5aca58dc5 in start_thread (arg=0x7fc5ac407700) at pthread_create.c:308
#13 0x00007fc5ac78628d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Regards,
Ravi
crash.zip

Contributor

kYroL01 commented Apr 20, 2017

I checked now and the issue seems to be solved.
Reopen in case you have problems.
Thanks

kYroL01 closed this as completed Apr 20, 2017

Author

Ravi-t commented Apr 21, 2017

Have you done any new fix? With the fix that I provided earlier for fragmented packets this issue is not resolved. The core and traces that I attached earlier are on the binary including my fixes so it seems to be some other issue which is still pending. Please check.

Thanks,
Ravi

kYroL01 reopened this Apr 21, 2017

Contributor

kYroL01 commented Apr 21, 2017

I'll check better, but I tested your pcap and ndpiReader does not crash for me.
Going to see deeply. For now I reopen the issue

Contributor

kYroL01 commented May 11, 2017

@Ravi-t I missed the part

> With the fix that I provided earlier for fragmented packets this issue is not resolved

nDPI doesn't process fragmented packets: when a pkt is recognized to be fragmented, it's discarded.

Author

Ravi-t commented May 11, 2017

Yes, I agree for fragmented packets we just discard it in function packet_processing. But this crash was not for a fragmented packet, I got a core dump when DPI was processing a Server Hello packet which I got when I was analyzing the live traffic on my server interface.

Contributor

kYroL01 commented May 11, 2017

Can you please pass me the pcap that causes the SIGFAULT? I saw the coredump but I need to see the pkts.
Thanks

Contributor

kYroL01 commented May 17, 2017

@Ravi-t any update?

Author

Ravi-t commented May 17, 2017

Both crash and pcap files are already present in the crash.zip file that I uploaded while opening the issue.

Thanks

Author

Ravi-t commented May 17, 2017

Attaching it again

Thanks
crash.zip

Contributor

kYroL01 commented May 17, 2017

This is the trace from your core:
(screenshot: core)

And this is the result of passing your pcap to my ndpiReader (from last dev repo):
(screenshot: pcap)

  1. the trace seems to be different from the one you passed me (the SIGFAULT is from http and not from ssl)
  2. I have no issue with that pcap, as you can notice from the screenshot.

Regards

Author

Ravi-t commented May 17, 2017

Thanks for the information, let me check if I shared the correct pcap which was resulting in crash, I will test again.

Contributor

kYroL01 commented May 17, 2017

Perfect.
Also check if the issue has been solved.

Author

Ravi-t commented May 17, 2017

Sure... I will test and update you in a few days.

Thanks

Contributor

kYroL01 commented May 30, 2017

@Ravi-t any news? Thanks

Author

Ravi-t commented May 30, 2017

I got the crash again. Backtrace is as follows, I have attached the pcap and coredump. Thanks

core.4203.zip
crashTraces.zip

Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `./ndpiReader -i eno16777736'.
Program terminated with signal 11, Segmentation fault.
#0 0x0806b0bb in ndpi_search_fasttrack_tcp (ndpi_struct=0x933ecf0,
flow=0xf6955d38) at protocols/fasttrack.c:45
45 if (packet->payload_packet_len > 6 && ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a) {
(gdb) bt
#0 0x0806b0bb in ndpi_search_fasttrack_tcp (ndpi_struct=0x933ecf0,
flow=0xf6955d38) at protocols/fasttrack.c:45
#1 0x0805d7fa in check_ndpi_tcp_flow_func (ndpi_struct=0x933ecf0,
flow=0xf6955d38, ndpi_selection_packet=0xf7244e7c) at ndpi_main.c:3286
#2 0x0805dc57 in check_ndpi_flow_func (ndpi_struct=0x933ecf0,
flow=0xf6955d38, ndpi_selection_packet=0xf7244e7c) at ndpi_main.c:3332
#3 0x0805e2be in ndpi_detection_process_packet (ndpi_struct=0x933ecf0,
flow=0xf6955d38, packet=0xf698879e "E", packetlen=2220,
current_tick_l=1496146965268, src=0xf6956240, dst=0xf6956338)
at ndpi_main.c:3515
#4 0x0804de47 in packet_processing (workflow=0x9490210, time=1496146965268,
vlan_id=0, iph=0xf698879e, iph6=0x0, ip_offset=14, ipsize=2220,
rawsize=2234) at ndpi_util.c:556
#5 0x0804e955 in ndpi_workflow_process_packet (workflow=0x9490210,
header=0xf72450ac, packet=0xf6988790 "") at ndpi_util.c:913
#6 0x0804be84 in pcap_packet_callback_checked (args=0xf724516c "",
header=0xf72450ac, packet=0xf7393696 <Address 0xf7393696 out of bounds>)
at ndpiReader.c:1343
#7 0xf76aed4c in pcap_handle_packet_mmap () from /lib/libpcap.so.1
#8 0xf76b3435 in pcap_read_linux_mmap_v2 () from /lib/libpcap.so.1
#9 0xf76b810d in pcap_loop () from /lib/libpcap.so.1
#10 0x0804c372 in runPcapLoop (thread_id=0) at ndpiReader.c:1424
#11 0x0804c4ab in processing_thread (_thread_id=0x0) at ndpiReader.c:1452
---Type to continue, or q to quit---
#12 0xf7694b2c in start_thread () from /lib/libpthread.so.0
#13 0xf75c708e in clone () from /lib/libc.so.6

lucaderi added a commit that referenced this issue Aug 29, 2017
Added extra check for fixing #366
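
In the first backtrace, frame #4 reports ipsize=2960 while frame #7 reports tp_snaplen=1546, and the faulting index is a = 2458. The following is an added C example, not nDPI code and not the commit referenced above, of a dissector-side guard that bounds the payload by the captured length; it assumes the crash came from trusting the IP header's length over the capture length, and every name in it (`l4_view`, `tcp_payload_view`, `payload_byte_is`, `demo_lookup`) is hypothetical.

```c
#include <stdint.h>
#include <string.h>

struct l4_view {
  const uint8_t *payload; /* first TCP payload byte */
  size_t claimed_len;     /* payload length implied by the IP header */
  size_t safe_len;        /* payload bytes really present in the capture */
};

/* Locate the TCP payload of an IPv4 frame, trusting caplen over header fields.
   Returns 0 on success, -1 if not IPv4/TCP or the headers are cut off. */
static int tcp_payload_view(const uint8_t *frame, size_t caplen,
                            size_t ip_offset, struct l4_view *out) {
  memset(out, 0, sizeof(*out));
  if (caplen < ip_offset + 20) return -1;
  const uint8_t *ip = frame + ip_offset;
  size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
  size_t tot = ((size_t)ip[2] << 8) | ip[3];
  if ((ip[0] >> 4) != 4 || ip[9] != 6 || ihl < 20 || tot < ihl) return -1;
  if (caplen < ip_offset + ihl + 20) return -1;
  size_t doff = (size_t)(ip[ihl + 12] >> 4) * 4;
  size_t hdrs = ip_offset + ihl + doff;
  if (doff < 20 || tot < ihl + doff || caplen < hdrs) return -1;
  out->payload = frame + hdrs;
  out->claimed_len = tot - ihl - doff;
  out->safe_len = caplen - hdrs < out->claimed_len ? caplen - hdrs
                                                   : out->claimed_len;
  return 0;
}

/* Bounded form of `payload[a] == c`: 1 match, 0 no match, -1 not captured. */
static int payload_byte_is(const struct l4_view *v, size_t a, uint8_t c) {
  if (v->payload == NULL || a >= v->safe_len) return -1;
  return v->payload[a] == c;
}

/* Constructed frame using the sizes from the first backtrace: 1546 captured
   bytes, ip_offset 14, IP total length 2960. The contents are made up. */
static struct l4_view demo_view;
static int demo_lookup(size_t a) {
  static uint8_t frame[1546];
  frame[14] = 0x45; frame[16] = 2960 >> 8; frame[17] = 2960 & 0xff;
  frame[14 + 9] = 6;          /* protocol = TCP */
  frame[14 + 20 + 12] = 0x50; /* TCP data offset = 5 words */
  frame[54 + 100] = 't';
  if (tcp_payload_view(frame, sizeof(frame), 14, &demo_view) != 0) return -2;
  return payload_byte_is(&demo_view, a, 't');
}
```

With these sizes the header claims 2920 payload bytes but only 1492 were captured, so index 2458 is rejected instead of dereferenced.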