Bro Seg Faults on DNS Failure at Startup

[mej@…]

On Linux, and in an environment with very slow DNS (i.e., the Bro Workshop (-;), Bro seg faults reliably on startup due to root server lookup failures in the drop.bro script.

mej@caos ~/bro_class/lab6 >> gdb bro -r irc-2.pcap ./myirc2.bro
Excess command line arguments ignored. (./myirc2.bro)
GNU gdb Caos NSA 1.x
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later < http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i386-caos-linux-gnu"...
(no debugging symbols found)
"/macbook/bro_class/lab6/irc-2.pcap" is not a core dump: File format not recognized
(gdb) run -r irc-2.pcap ./myirc2.bro
Starting program: /usr/bin/bro -r irc-2.pcap ./myirc2.bro
/usr/share/bro/drop.bro, line 67: warning: no such host: b.root-servers.net

Program received signal SIGSEGV, Segmentation fault.
0xb7c92393 in strlen () from /lib/libc.so.6
(gdb) bt
#0 0xb7c92393 in strlen () from /lib/libc.so.6
#1 0x080512e1 in copy_string ()
#2 0x0808ed5f in DNS_Mapping::DNS_Mapping ()
#3 0x080917f8 in DNS_Mgr::AddResult? ()
#4 0x080925a7 in DNS_Mgr::Resolve ()
#5 0x08092951 in DNS_Mgr::LookupHost? ()
#6 0x0805ee0b in brolex ()
#7 0x0805327e in yyparse ()
#8 0x0804f11d in main ()

If you need a backtrace with debugging symbols, let me know. I can rebuild if necessary. :-)

[mej]

Another piece of data:

The value being passed is (unfortunately) not NULL: copy_string(0xc94fe4c0)
Looks like a junk pointer.

[mej]

New improved backtrace:

Program received signal SIGSEGV, Segmentation fault.
0xb7c71393 in strlen () from /lib/libc.so.6
Current language: auto; currently c
(gdb) bt
#0 0xb7c71393 in strlen () from /lib/libc.so.6
#1 0x08053a35 in copy_string (s=0x119424c0 <Address 0x119424c0 out of bounds>) at ./util.cc:44
#2 0x080a4add in DNS_Mapping (this=0x8476dc8, host=0x119424c0 <Address 0x119424c0 out of bounds>, h=0x8358d20) at DNS_Mgr.cc:154
#3 0x080a5e2d in DNS_Mgr::AddResult? (this=0x8358b60, dr=0x8476da0, r=0xbf92470c) at DNS_Mgr.cc:680
#4 0x080a7060 in DNS_Mgr::Resolve (this=0x8358b60) at DNS_Mgr.cc:584
#5 0x080a7694 in DNS_Mgr::LookupHost? (this=0x8358b60, name=0x846e6b6 "j.root-servers.net") at DNS_Mgr.cc:468
#6 0x08062012 in brolex () at ./scan.l:313
#7 0x080559d0 in yyparse () at /usr/share/bison.simple:432
#8 0x0804f991 in main (argc=4, argv=0xbf929644) at main.cc:734

(gdb) bt full
#0 0xb7c71393 in strlen () from /lib/libc.so.6
No symbol table info available.
#1 0x08053a35 in copy_string (s=0x119424c0 <Address 0x119424c0 out of bounds>) at ./util.cc:44

c = 0x119424c0 <Address 0x119424c0 out of bounds>

#2 0x080a4add in DNS_Mapping (this=0x8476dc8, host=0x119424c0 <Address 0x119424c0 out of bounds>, h=0x8358d20) at DNS_Mgr.cc:154
No locals.
#3 0x080a5e2d in DNS_Mgr::AddResult? (this=0x8358b60, dr=0x8476da0, r=0xbf92470c) at DNS_Mgr.cc:680

h = (hostent *) 0x8358d20
new_dm = (DNS_Mapping *) 0x35000002
prev_dm = (DNS_Mapping *) 0x2afa8c0
keep_prev = 0

#4 0x080a7060 in DNS_Mgr::Resolve (this=0x8358b60) at DNS_Mgr.cc:584

dr = (DNS_Mgr_Request *) 0x8476da0
status = 1
err = "Ÿ#\001\000\004\000\000\000\030|G\b0{G\bhxG\b >G\b‡‡\004\bhF\222ø\001\000\000\000\000\000\000\000∞mG\bpA÷∑pA÷∑\000\000\000\000 >G\b(\000\000\000\003\000\000\000\020|G\b'y”∑ƒ\206”∑‘i”∑\002i”∑\000|G\bÙ/÷∑\023\000\000\000\023\000\000\000\230F\222ø
ÿ∆∑@A÷∑\023\000\000\000@A÷∑»F\222øÙ?Á∑\023\000\000\000‡‡\004\b»F\222øµJ‰∑\023\000\000\000\2262\233\npA÷∑\232J‰∑\000\000\000\000\b\000\000\000 \000\000\000Ù?Á∑ >G\b‡‡\004\bËF\222ø€K‰∑\023\000\000\000"...
r = {cookie = 0x8476da0, host_errno = 0, hostent = 0x8358d20}
i = 1
first_req = 0
num_pending = 1
last_req = 0

#5 0x080a7694 in DNS_Mgr::LookupHost? (this=0x8358b60, name=0x846e6b6 "j.root-servers.net") at DNS_Mgr.cc:468
No locals.

I'm still digging into this. Hopefully I'll have more to submit later today.