DataSoft / Honeyd

virtual honeypots
GNU General Public License v2.0

Segfault if getting spoofed packets from an IP used by honeypot #33

Closed PherricOxide closed 11 years ago

PherricOxide commented 12 years ago

Honeyd seems to segfault if you create a node with a static IP address and then spoof UDP packets using FAST with the source IP set to the same as the honeypot IP. Stack trace follows:

#0 0x08052518 in honeyd_ether_cb (req=0x8af8b38, success=0, arg=0x8af7f5c) at honeyd.c:560
#1 0x08073930 in arp_discover (req=0x8af8b38, ha=) at arp.c:218
#2 0x0807407c in arp_request (inter=0x0, src_pa=0xbfffdab0, src_ha=0x8794168, addr=0xbfffda9c, cb=0x8052460 , arg=0x8af7f5c) at arp.c:314
#3 0x0805923c in honeyd_delay_cb (fd=-1, which=1, arg=0xbfffdb54) at honeyd.c:703
#4 0x0805347a in honeyd_delay_packet (tmpl=0x8794060, ip=0x8af7f5c, iplen=68, src=0x0, dst=0x0, ms=0, flags=6, spoof=...) at honeyd.c:835
#5 0x0805505c in honeyd_ip_send (pkt=0x8af7f5c "E", iplen=68, spoof=...) at honeyd.c:912
#6 0x08055565 in icmp_send (tmpl=0x8794060, pkt=0x8af7f5c "E", tos=0 '\000', iplen=68, df=0, ttl=64 '@', proto=1, src=4211345930, dst=4294967295, spoof=...)at honeyd.c:1616
#7 0x08056896 in icmp_error_send (tmpl=0x8794060, addr=0xbfffdfd8, type=3 '\003', code=3 '\003', rip=0xb7b63054, spoof=...) at honeyd.c:1642
#8 0x08056dbe in udp_recv_cb (tmpl=0x8794060, pkt=0xb7b63054 "E\020", pktlen=168) at honeyd.c:2504
#9 0x08058bf3 in honeyd_dispatch (tmpl=0x8794060, ip=0xb7b63054, iplen=168) at honeyd.c:2814
#10 0x08059190 in honeyd_delay_cb (fd=-1, which=1, arg=0xbfffe1d4) at honeyd.c:768
#11 0x0805347a in honeyd_delay_packet (tmpl=0x8794060, ip=0xb7b63054, iplen=168, src=0x0, dst=0x0, ms=0, flags=0, spoof=...) at honeyd.c:835
#12 0x080594e0 in honeyd_input (inter=0x8518a18, ip=0xb7b63054, iplen=) at honeyd.c:3047
#13 0x08059ad8 in honeyd_recv_cb (ag=0x8518a18 "", pkthdr=0xbfffe424, pkt=0xb7b63046 "") at honeyd.c:3202
#14 0xb7f5be64 in ?? () from /usr/lib/i386-linux-gnu/libpcap.so.0.8
#15 0xb7f5e668 in pcap_dispatch () from /usr/lib/i386-linux-gnu/libpcap.so.0.8
#16 0x080721e4 in interface_recv (fd=14, type=2, arg=0x8518a18) at interface.c:516
#17 0xb7f98ce9 in event_base_loop () from /usr/lib/libevent-2.0.so.5
#18 0xb7f99a37 in event_loop () from /usr/lib/libevent-2.0.so.5
#19 0xb7f99a5b in event_dispatch () from /usr/lib/libevent-2.0.so.5
#20 0x08051cec in main (argc=0, argv=0xbffff82c) at honeyd.c:3691

PherricOxide commented 12 years ago

I believe this was a side effect of using the 'default' profile with a TCP reset action set. Honeyd was attempting to reply to broadcast packets and couldn't figure out what interface to use when trying to send something to 255.255.255.255. Hasn't been seen again since we changed the usage of the default profile.
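
Added example (not Honeyd's code and not the change made for this issue): the trace shows `icmp_send` called with `dst=4294967295` (255.255.255.255) and `arp_request` called with `inter=0x0`, and the sketch below refuses both conditions before any send, following the RFC 1122 section 3.2.2 rule that ICMP errors are not generated for broadcast or multicast traffic. `struct iface`, `find_iface`, `icmp_error_egress` and the 10.10.4.0/24 table are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Hypothetical egress interface record; addresses in host byte order. */
struct iface { const char *name; uint32_t net, mask; };

/* Constructed sample table: one honeypot-facing subnet, 10.10.4.0/24. */
static const struct iface sample_ifaces[] = { { "eth0", IP4(10, 10, 4, 0), IP4(255, 255, 255, 0) } };

/* RFC 1122 3.2.2: does addr identify exactly one host? */
static int is_single_host(uint32_t addr)
{
    if (addr == 0 || addr == 0xFFFFFFFFu) return 0; /* unspecified, limited broadcast */
    if ((addr >> 24) == 127) return 0;              /* loopback */
    if ((addr >> 28) >= 0xE) return 0;              /* multicast and class E */
    return 1;
}

/* Returns the interface whose subnet contains addr, or NULL if none does. */
static const struct iface *find_iface(const struct iface *tbl, size_t n, uint32_t addr)
{
    for (size_t i = 0; i < n; i++)
        if ((addr & tbl[i].mask) == tbl[i].net)
            return &tbl[i];
    return NULL;
}

/* Interface to send an ICMP error on for an offending packet src -> dst,
 * or NULL when no error may be sent. Callers must treat NULL as "drop". */
const struct iface *icmp_error_egress(const struct iface *tbl, size_t n,
                                      uint32_t src, uint32_t dst)
{
    if (!is_single_host(src) || !is_single_host(dst))
        return NULL;                                   /* never answer broadcast/multicast */
    const struct iface *out = find_iface(tbl, n, src); /* the error goes back to src */
    if (out == NULL)
        return NULL;                                   /* no route: never hand NULL to ARP */
    uint32_t bcast = out->net | ~out->mask;            /* directed broadcast of that subnet */
    if (src == bcast || dst == bcast)
        return NULL;
    return out;
}

int main(void)
{   /* A reply addressed to 255.255.255.255 must be refused: exit status 0. */
    return icmp_error_egress(sample_ifaces, 1, 0xFFFFFFFFu, IP4(10, 10, 4, 251)) != NULL;
}
```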

altf4 commented 11 years ago

I'm going to close this and call it fixed unless we're able to see it again. Looks to be fixed.