Bug #100

"Random" segfaults in prelude-lml 0.9.0

Added by over 13 years ago. Updated almost 10 years ago.

Status: Closed
Priority: Normal
Target version:
Start date:
Due date:
% Done: 0%
Resolution: fixed

Description

Running Prelude 0.9.0 on CentOS 3.5 (kernel 2.4.21, glibc 2.3.2), also with the following supplemental packages:
pcre-5.0-4
gnutls-1.0.25
opencdk-0.5.4
libgcrypt-1.2.1

Getting occasional segmentation faults. A typical log entry looks like the following (however, this does not happen on /all/ such entries):

Sep 23 09:44:53 web01 sshdr15291: Accepted publickey for asparks from 216.150.62.80 port 34121 ssh2

(gdb) bt
#0  0x00640213 in prelude_string_set_dup (string=0x99680a8, buf=0x0)
    at prelude-string.c:412
#1  0x0804f23f in fill_target (node=0x9967700, ai=0x9968000)
    at lml-alert.c:114
#2  0x0804f60c in generate_target (log_entry=0x9965760, alert=0x9954720)
    at lml-alert.c:252
#3  0x0804f790 in lml_alert_emit (ls=0x98db248, log=0x9965760,
    message=0x99681c0) at lml-alert.c:310
#4  0x00f03867 in match_rule_list (rc=0x9939010, state=0xbfffa3f0,
    ls=0x98db248, log_entry=0x9965760, match_flags=0xbfffa3b8)
    at rule-regex.c:227
#5  0x00f037a5 in match_rule_list (rc=0x9938080, state=0xbfffa3f0,
    ls=0x98db248, log_entry=0x9965760, match_flags=0xbfffa438)
    at rule-regex.c:197
#6  0x00f03909 in rule_regex_match (root=0x9938080, ls=0x98db248,
    log_entry=0x9965760, match_flags=0xbfffa438) at rule-regex.c:249
#7  0x00f024ea in pcre_run (pi=0x98dbe20, ls=0x98db248, log_entry=0x9965760)
    at pcre-mod.c:650
#8  0x0804d1c5 in log_plugin_run (pi=0x98dbe20, ls=0x98db248, log=0x9965760)
    at log-plugins.c:75
#9  0x0804bd52 in regex_match_cb (plugin=0x98dbe20, data=0x0)
    at prelude-lml.c:171
#10 0x0804c99d in regex_exec (list=0x98daf70, cb=0x804bd3c <regex_match_cb>,
    data=0xbfffa5d0,
    str=0x99677e0 "Sep 23 09:44:53 web01 sshdr15291: Accepted publickey for asparks from 216.150.62.80 port 34121 ssh2", len=101)
    at regex.c:281
#11 0x0804bde6 in lml_dispatch_log (list=0x98daf70, ls=0x98db248,
    str=0x98db8c0 "Sep 23 09:44:53 web01 sshdr15291: Accepted publickey for asparks from 216.150.62.80 port 34121 ssh2", size=101)
    at prelude-lml.c:205
#12 0x0804e9a4 in check_logfile_data (monitor=0x98db898, st=0xbfffa650)
    at file-server.c:544
#13 0x0804f02a in process_file_event (monitor=0x98db898)
    at file-server.c:1053
#14 0x0804f0c5 in file_server_wake_up () at file-server.c:1104
#15 0x0804c10a in main (argc=1, argv=0x6) at prelude-lml.c:323

Looks like in some cases the ai_canonname field is NULL; I do not know the circumstances under which this can happen:

(gdb) print *ai
$4 = {ai_flags = 2, ai_family = 2, ai_socktype = 1, ai_protocol = 6,
  ai_addrlen = 16, ai_addr = 0x9968020, ai_canonname = 0x0,
  ai_next = 0x9968038}

History

#1 Updated by Yoann VANDOORSELAERE over 13 years ago

  • Status changed from New to Closed
  • Resolution set to fixed

Fixed in r7318. Thanks!

#2 Updated by Yoann VANDOORSELAERE almost 10 years ago

  • Project changed from PRELUDE SIEM to Prelude-LML
  • Category deleted (4)
  • Target version deleted (0.9.1)
