DataSoft / Honeyd

virtual honeypots
GNU General Public License v2.0

Segfault parsing config file #21

Closed DataSoft closed 12 years ago

DataSoft commented 12 years ago

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0xb7d98b8e in vfprintf () from /lib/i386-linux-gnu/libc.so.6
(gdb) backtrace
#0  0xb7d98b8e in vfprintf () from /lib/i386-linux-gnu/libc.so.6
#1  0xb7d98e6b in ?? () from /lib/i386-linux-gnu/libc.so.6
#2  0xb7d93b85 in vfprintf () from /lib/i386-linux-gnu/libc.so.6
#3  0xb7e3b1ae in vwarnx () from /lib/i386-linux-gnu/libc.so.6
#4  0xb7e3b3e7 in verrx () from /lib/i386-linux-gnu/libc.so.6
#5  0xb7e3b43f in errx () from /lib/i386-linux-gnu/libc.so.6
#6  0x0806369c in template_clone (newname=0x8784218 "CustomNodeProfile-1", tmpl=0x8783db8, inter=0x0, start=0) at config.c:635
#7  0x0805f7b6 in hydparse () at parse.y:361
#8  0x080601f8 in parse_configuration (input=0x877ed58, name=0xbffff8fa "/usr/share/nova/nova/Config/haystack_honeyd.config") at parse.y:1227
#9  0x08061dc1 in config_read (config=0xbffff8fa "/usr/share/nova/nova/Config/haystack_honeyd.config") at config.c:133
#10 0x08051a88 in main (argc=0, argv=0xbffff7c4) at honeyd.c:3549

DataSoft commented 12 years ago

Offending config file: https://gist.github.com/3350989

DataSoft commented 12 years ago

The culprit seems to be the error condition at line 635 of config.c:

errx(1, "%s: cannot find interface");

This is a function like printf, which takes a format string as the second parameter, then extra arguments afterward. In this case, it takes a %s value but never specifies a string as an argument to fill it, at which point bad things happen.

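The comment above describes a format string with one conversion and no matching argument. The following is an added example, not Honeyd's code and not from the commenter: it reproduces the shape of the call site, shows a small check that rejects a format/argument mismatch before it reaches vfprintf(), and shows what the corrected message looks like. The name passed for the %s (here the template name, taken from the newname value visible in the backtrace) is an assumption; the thread does not say which field the actual fix used. The stand-alone main() also calls errx() with the argument supplied, to illustrate the point made later in the thread that errx() still terminates the process.

```c
/* Added example (not Honeyd's code): why errx(1, "%s: cannot find interface")
 * crashes inside vfprintf(), and what the corrected call produces. */
#include <err.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count printf-style conversions in fmt, treating "%%" as a literal percent.
 * Deliberately simple: it does not account for '*' width/precision arguments. */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, consumes no argument */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Format into out only if the caller-declared argument count matches the
 * conversions in fmt. Returns -1 on mismatch instead of letting vsnprintf()
 * read an argument that was never passed, which is undefined behaviour and is
 * the path that faulted inside vfprintf() in the backtrace. */
int checked_format(char *out, size_t outsz, int nargs, const char *fmt, ...)
{
    if (count_conversions(fmt) != nargs) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;
    }
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return len;
}

static char msgbuf[128];

/* The original line passed "%s: cannot find interface" with zero arguments. */
int buggy_call_is_rejected(void)
{
    return checked_format(msgbuf, sizeof msgbuf, 0, "%s: cannot find interface") == -1;
}

/* The corrected call supplies a string for the %s. Using the template name
 * here is an assumption for illustration, not the exact field the fix used. */
const char *fixed_message(const char *tmpl_name)
{
    checked_format(msgbuf, sizeof msgbuf, 1, "%s: cannot find interface", tmpl_name);
    return msgbuf;
}

int main(void)
{
    printf("buggy call rejected: %d\n", buggy_call_is_rejected());
    printf("fixed message: %s\n", fixed_message("CustomNodeProfile-1"));
    /* Even with the argument supplied, errx() prints the message and exits
     * with status 1, so the daemon still stops at this point. */
    errx(1, "%s: cannot find interface", "CustomNodeProfile-1");
}
```

Because glibc declares errx() with a printf-style format attribute, compiling the original line with `gcc -Wall` (which enables -Wformat) reports that the '%s' expects a matching 'char *' argument; that compiler warning is the cheapest check for this class of bug, and the runtime count above is only a fallback for formats built at runtime.
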
DataSoft commented 12 years ago

Fixed in 1ffe21f504a882a9c6ae913118ea7f631599dd92

Waiting to be verified.

DataSoft commented 12 years ago

I was able to reproduce this error condition. Note that the segfault happens in the call to errx(), meaning that even though this fix does solve the segfault, honeyd will still quit. Though we can make a separate Issue to handle that case if/when it comes up again.

Nodes with addresses beyond what any of the given interfaces can use should be (and usually are) handled much earlier in the parsing process.