LeeBrotherston / tls-fingerprinting

TLS Fingerprinting
GNU General Public License v3.0

Segmentation fault - on various occasions #30

Closed jacekkotynski closed 8 years ago

jacekkotynski commented 8 years ago

Hello. Firstly: I've been using/testing your tool for a research project and I think it's great.

However on various occasions it crashed for me with a segmentation fault error. One case was when my load balancer called back to the server to check if it was alive.

The second occasion was when I tried to access my test server with my mobile:

Using interface: eth0
Loaded 268 signatures
[2016-05-23 22:45:58] New FingerPrint [0] Detected, dynamically adding to in-memory fingerprint database
[2016-05-23 22:45:58] New Fingerprint "Dynamic debian8-tmpl 0": TLSv1.2 connection from X.Y.Z.P:47022 to K.L.M.N:443 Servername: "W.Q.net"
[2016-05-23 22:45:58] New FingerPrint [1] Detected, dynamically adding to in-memory fingerprint database
[2016-05-23 22:48:54] New FingerPrint [0] Detected, dynamically adding to in-memory fingerprint database
[2016-05-23 22:48:54] New Fingerprint "Dynamic debian8-tmpl 0": TLSv1.2 connection from X.Y.Z.P:47022 to K.L.M.N:443 Servername: "W.Q.net"
Segmentation fault

I don't know what exactly is going on and why there is a segmentation fault, but it seems to be something that could use error handling. Even though the fingerprint was recorded correctly before the app crashed.

LeeBrotherston commented 8 years ago

Thanks very much for the input, it's really useful! And I'm always happy to hear of people using the tool :)

Can I just confirm a couple of things quickly please? Do you know which version you're running? (I added some error handling for weird offsets about 3 or 4 days ago, so if it's that causing the issue I may have coincidentally fixed it recently.)

Interesting that it writes the signature out first, that gives some really useful debugging info!

Do you happen to know if you have pcaps of any packets that cause this condition? If so I'd be more than happy to use them to recreate the problem and put a fix together if you were happy to share?

jacekkotynski commented 8 years ago

Confirming:

  1. Newest version freshly out of the github :)
  2. The Fingerprint I see after clearing the file (it does not always pop in after the first try, but it always ends with a segmentation fault) - this request was done with a Sony Xperia (Android 6) - Chrome Browser:

     {"id": 0, "desc": "Dynamic debian8-tmpl 0", "record_tls_version": "0x0301", "tls_version": "0x0303", "ciphersuite_length": "0x001C", "ciphersuite": "0xC02B 0xC02F 0xCCA9 0xCCA8 0xCC14 0xCC13 0xC00A 0xC014 0xC009 0xC013 0x009C 0x0035 0x002F 0x000A", "compression_length": "1", "compression": "0x00", "extensions": "0xFF01 0x0000 0x0017 0x0023 0x000D 0x0005 0x3374 0x0012 0x0010 0x7550 0x000B 0x000A 0x0015 ", "e_curves": "0x001D 0x0017 0x0018 ", "sig_alg": "0x0601 0x0603 0x0501 0x0503 0x0401 0x0403 0x0201 0x0203 ", "ec_point_fmt": "0x00", "server_name": "someservername"

  3. Unfortunately I don't have any pcap data :(

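The crash discussed in this thread is the classic failure mode of a ClientHello parser that trusts the length fields in the packet. The following is an added example, not code from the tls-fingerprinting project: a Python parser that extracts the same fields as the fingerprint posted above, but routes every read through a length-checked cursor so that a truncated record or an oversized length field produces a ValueError instead of an out-of-bounds read. The ClientHello bytes are constructed from the cipher suite, curve and signature-algorithm values in the posted fingerprint (with a subset of its extensions), not taken from a capture.

```python
"""Bounds-checked ClientHello fingerprinting (added example, not the project's code)."""
import struct

# Values copied from the fingerprint posted in the thread; the ClientHello
# bytes built from them below are constructed, not a captured packet.
CIPHERS = [0xC02B, 0xC02F, 0xCCA9, 0xCCA8, 0xCC14, 0xCC13, 0xC00A, 0xC014,
           0xC009, 0xC013, 0x009C, 0x0035, 0x002F, 0x000A]
CURVES = [0x001D, 0x0017, 0x0018]
SIG_ALGS = [0x0601, 0x0603, 0x0501, 0x0503, 0x0401, 0x0403, 0x0201, 0x0203]


class Reader:
    """Cursor over a byte buffer. Every read is length-checked, so a bad
    length field raises ValueError rather than reading past the buffer."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if n < 0 or self.pos + n > len(self.buf):
            raise ValueError("truncated: need %d bytes at offset %d, %d left"
                             % (n, self.pos, len(self.buf) - self.pos))
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self): return self.take(1)[0]
    def u16(self): return int.from_bytes(self.take(2), "big")
    def u24(self): return int.from_bytes(self.take(3), "big")
    def remaining(self): return len(self.buf) - self.pos


def _u16_list(r):
    """Parse a 2-byte-length-prefixed vector of 2-byte values."""
    vec = Reader(r.take(r.u16()))
    if vec.remaining() % 2:
        raise ValueError("odd-length u16 vector")
    return [vec.u16() for _ in range(vec.remaining() // 2)]


def _hex(values, width=4):
    return " ".join("0x%0*X" % (width, v) for v in values)


def fingerprint(record):
    """Parse one TLS record holding a ClientHello and return the fingerprint
    fields in the same form as the thread's JSON (hex strings)."""
    r = Reader(record)
    if r.u8() != 22:
        raise ValueError("not a TLS handshake record")
    record_version = r.u16()
    hs = Reader(r.take(r.u16()))            # record payload, bounded by its length
    if hs.u8() != 1:
        raise ValueError("not a ClientHello")
    hello = Reader(hs.take(hs.u24()))       # handshake body, bounded by its length
    tls_version = hello.u16()
    hello.take(32)                          # client random
    hello.take(hello.u8())                  # session id
    cs_len = hello.u16()
    if cs_len % 2:
        raise ValueError("odd cipher_suites length")
    cs = Reader(hello.take(cs_len))
    ciphers = [cs.u16() for _ in range(cs_len // 2)]
    compression = list(hello.take(hello.u8()))
    ext_ids, curves, sig_algs, point_fmts, server_name = [], [], [], [], ""
    if hello.remaining():                   # extensions block is optional
        exts = Reader(hello.take(hello.u16()))
        while exts.remaining():
            etype = exts.u16()
            body = Reader(exts.take(exts.u16()))
            ext_ids.append(etype)
            if etype == 0x0000:             # server_name
                names = Reader(body.take(body.u16()))
                while names.remaining():
                    ntype, name = names.u8(), names.take(names.u16())
                    if ntype == 0:
                        server_name = name.decode("ascii", "replace")
            elif etype == 0x000A:           # supported_groups
                curves = _u16_list(body)
            elif etype == 0x000D:           # signature_algorithms
                sig_algs = _u16_list(body)
            elif etype == 0x000B:           # ec_point_formats (1-byte length)
                point_fmts = list(body.take(body.u8()))
    return {"record_tls_version": "0x%04X" % record_version,
            "tls_version": "0x%04X" % tls_version,
            "ciphersuite_length": "0x%04X" % cs_len,
            "ciphersuite": _hex(ciphers),
            "compression_length": str(len(compression)),
            "compression": _hex(compression, 2),
            "extensions": _hex(ext_ids),
            "e_curves": _hex(curves),
            "sig_alg": _hex(sig_algs),
            "ec_point_fmt": _hex(point_fmts, 2),
            "server_name": server_name}


def safe_fingerprint(record):
    """What a long-running sniffer should do: never let one bad packet
    take the process down. Returns (fingerprint, None) or (None, reason)."""
    try:
        return fingerprint(record), None
    except ValueError as e:
        return None, str(e)


def build_client_hello(server_name, ciphers, curves, sig_algs, point_fmts):
    """Construct a minimal ClientHello record (test input, not a real capture)."""
    def ext(etype, body):
        return struct.pack("!HH", etype, len(body)) + body
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!H", len(sni_entry)) + sni_entry
    groups = b"".join(struct.pack("!H", c) for c in curves)
    groups = struct.pack("!H", len(groups)) + groups
    fmts = bytes([len(point_fmts)]) + bytes(point_fmts)
    sigs = b"".join(struct.pack("!H", s) for s in sig_algs)
    sigs = struct.pack("!H", len(sigs)) + sigs
    exts = (ext(0xFF01, b"\x00") + ext(0x0000, sni) + ext(0x000D, sigs)
            + ext(0x000B, fmts) + ext(0x000A, groups))
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00"                                 # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record type 22, version 0x0301


if __name__ == "__main__":
    good = build_client_hello("someservername", CIPHERS, CURVES, SIG_ALGS, [0])
    print(safe_fingerprint(good))
    print(safe_fingerprint(good[:-10]))      # truncated record: error, not a crash
```

The design point is the `Reader` cursor: each nested structure (record, handshake, extension block, individual extension) gets its own reader bounded by the length field that introduced it, so a length that disagrees with the bytes actually present fails at the `take` call with the offset in the message. That is the information needed to diagnose the kind of "weird offset" this thread is about, and `safe_fingerprint` shows the policy a packet sniffer should adopt: log the bad packet and keep running.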
LeeBrotherston commented 8 years ago

Cool thanks - well that's a good start, thanks! Let me go and do some digging here.

LeeBrotherston commented 8 years ago

I don't seem to be able to reproduce on BSD based systems with clang.

Are you using Linux and/or gcc? (just to shorten my debug process)

LeeBrotherston commented 8 years ago

Aaaaand I just noticed that you're using Debian from the hostname... doh!

I need more coffee.

jacekkotynski commented 8 years ago

Debian 8 with GCC and libpcap-dev, all in newest versions if it does matter.

LeeBrotherston commented 8 years ago

Interesting.... passing generic traffic (e.g. my home network) through a similar box doesn't seem to cause issues, so I suspect that there is something specific to at least one of the fingerprint types that you are seeing on your network.

I'm going to attempt to get a pcap of a Sony Xperia (Android 6) - Chrome Browser to see if it generates something in the packet that's upsetting things.

LeeBrotherston commented 8 years ago

Wow - that was difficult, but I think I found it and fixed it.

In short, I think you will experience the problem when all the following are met:

more details here: https://github.com/LeeBrotherston/tls-fingerprinting/commit/b278f2ab2a97739bb661c134430f4e5b0d508c01#diff-8eaf2f10f743be8f8ae1baeb76f58c87

If you find that this fixes the issue I'll close the issue and have a celebration ;)

jacekkotynski commented 8 years ago

Hi, just tested it on a remote environment and the fix works! :) I have one more border case regarding a load balancer hitting the same interface that the server is working on, but I assume that with high probability it will work too (I'll test it on Monday).

But so far I think this can be considered fixed :) Thank you very much, this fix is highly appreciated :)