Date:      Thu, 19 May 2011 21:53:57 GMT
From:      Peter Losher <plosher@isc.org>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/157188: libpcap 
Message-ID:  <201105192153.p4JLrvtH004172@red.freebsd.org>
Resent-Message-ID: <201105192200.p4JM0RG7079544@freefall.freebsd.org>

>Number:         157188
>Category:       misc
>Synopsis:       libpcap
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 19 22:00:27 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Peter Losher
>Release:        8.2-RELEASE
>Organization:
Internet Systems Consortium
>Environment:
FreeBSD freebsd8.lab.isc.org 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
One of our engineers @ISC discovered that there is a bug in the currently released version of libpcap (in base and in ports) that can be triggered when using an "ip6 protochain" filter.  It's due to the fairly complicated BPF bytecode that libpcap generates for IPv6 header chasing combined with a sign extension bug when processing JA (jump absolute) opcodes.  (JA is used to go backwards and without sign extension on 64 bit platforms the BPF interpreter incorrectly jumps forward... a lot.)

>How-To-Repeat:
root@freebsd8:~# tcpdump -nr ip6-hopbyhop-icmp.pcap 'ip6 protochain 58'
reading from file ip6-hopbyhop-icmp.pcap, link-type EN10MB (Ethernet)
Segmentation fault: 11 (core dumped)

>Fix:
There is a fix in the libpcap repository:

https://github.com/mcr/libpcap/commit/ecdc5c0a7f7591a7cd4aff696e42757c677fbbf7

but the tcpdump-workers have been pretty tardy about putting out newer code, so it sits there stalled.

With the patch applied, it all works well and you should see something like this:

-=-
$ tcpdump -nr ip6-hopbyhop-icmp.pcap 'ip6 protochain 58' 
reading from file ip6-hopbyhop-icmp.pcap, link-type EN10MB (Ethernet)
18:43:07.098489 IP6 fe80::208:7dff:feb7:2cca > ff02::1: HBH ICMP6, multicast listener queryv2  [gaddr ::], length 28
-=-

>Release-Note:
>Audit-Trail:
>Unformatted:
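To make the mechanism in the Description concrete, here is a constructed miniature of the problem: a toy BPF-style interpreter (added illustration, not libpcap's interpreter and not the fix in the linked commit) whose JA handler either widens the 32-bit `k` field as unsigned, as happens when it is added to a 64-bit pointer, or reinterprets it as a signed offset. The program, opcodes and the bounds check are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed, minimal BPF-style machine: only the opcodes needed to show the
 * JA (jump absolute) offset problem. Not libpcap's code. */
enum { OP_LD_IMM, OP_ADD_IMM, OP_JA, OP_RET };
struct insn { uint8_t code; uint32_t k; };   /* k is a 32-bit unsigned field, as in BPF */

/* Resolve a JA target from the index of the JA itself (BPF semantics: pc + 1 + k).
 * sign_extend == 0: k is widened as unsigned, which is what happens when a 32-bit
 *   unsigned k is added to a 64-bit pointer; a "negative" k becomes a huge forward jump.
 * sign_extend == 1: k is reinterpreted as a signed 32-bit offset, so backward jumps work. */
uint64_t ja_target(uint64_t pc, uint32_t k, int sign_extend) {
    if (sign_extend)
        return pc + 1 + (uint64_t)(int64_t)(int32_t)k;
    return pc + 1 + (uint64_t)k;
}

/* Execute prog; returns the accumulator on RET, or -1 if a jump leaves the program
 * (the bounds check that turns a wild pointer read into a clean rejection). */
long run(const struct insn *prog, size_t n, int sign_extend) {
    uint64_t pc = 0; uint32_t acc = 0;
    for (size_t steps = 0; pc < n && steps < 1000; steps++) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case OP_LD_IMM:  acc = i->k;  pc++; break;
        case OP_ADD_IMM: acc += i->k; pc++; break;
        case OP_JA:
            pc = ja_target(pc, i->k, sign_extend);
            if (pc >= n) return -1;           /* target outside the program */
            break;
        case OP_RET: return (long)acc;
        default: return -1;
        }
    }
    return -1;
}

/* Constructed program with a backward JA, the shape the report describes:
 * 0: JA +2 -> 3   1: ADD 1   2: RET   3: LD 41   4: JA -4 -> 1 */
long run_demo(int sign_extend) {
    const struct insn prog[] = {
        { OP_JA, 2 }, { OP_ADD_IMM, 1 }, { OP_RET, 0 },
        { OP_LD_IMM, 41 }, { OP_JA, 0xFFFFFFFCu /* -4 as uint32 */ },
    };
    return run(prog, sizeof prog / sizeof prog[0], sign_extend);
    /* sign_extend=1 returns 42; sign_extend=0 returns -1 (jump of ~4 billion slots) */
}
```

Without the `pc >= n` check, the unsigned case would dereference far past the end of the program, which is the crash the How-To-Repeat section shows.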