I was able to demangle the names:
$ cat t | c++filt
binpac::BACNET::BACNET_Flow::process_i_am(std::vector<binpac::BACNET::BACnet_Tag*, std::allocator<binpac::BACNET::BACnet_Tag*> >*);binpac::BACNET::Unconfirmed_Request_PDU::Parse(unsigned char const*, unsigned char const*, binpac::BACNET::ContextBACNET*, int);binpac::BACNET::APDU_Header::Parse(unsigned char const*, unsigned char const*, binpac::BACNET::ContextBACNET*, int);binpac:
:BACNET::NPDU_Header::Parse(unsigned char const*, unsigned char const*, binpac::BACNET::ContextBACNET*, int);_ZN6binpac6BACNET14Forwarded_NPDU5P
arseEPKhS3_PNS0_13ContextBACNETEi;binpac::BACNET::BVLC_Header::Parse(unsigned char const*, unsigned char const*, binpac::BACNET::ContextBACNET*, int);binpac::BACNET::BACNET_Flow::NewData(unsigned char const*, unsigned char const*);analyzer::BACNET::BACNET_Analyzer::DeliverPacket(int, unsigned char const*, bool, unsigned long, zeek::IP_Hdr const*, int);zeek::analyzer::Analyzer::Ne
xtPacket(int, unsigned char const*, bool, unsigned long, zeek::IP_Hdr const*, int);zeek::analyzer::Analyzer::ForwardPacket(int, unsigned char const*, bool, unsigned long, zeek::IP_Hdr const*, int);_ZN4zeek15packet_analysis3UDP11UDPAna
lyzer13DeliverPacketEPNS_10ConnectionEdbiPNS_6PacketE;zeek::packet_analysis::IP::IPBasedAnalyzer::AnalyzePacket(unsigned long, unsigned char const*, zeek::Packet*);zeek::packet_analysis::Analyzer::ForwardPacket(unsigned long, unsigned char const*, zeek::Packet*, unsigned int) const;zeek::packet_analysis::IP::IPAnalyzer::AnalyzePacket(unsigned long, unsigned char const*, zeek::Pac
ket*);zeek::packet_analysis::Analyzer::ForwardPacket(unsigned long, unsigned char const*, zeek::Packet*, unsigned int) const;_ZNK4zeek15packet_analysis8Analyzer13Fo
rwardPacketEmPKhPNS_6PacketEj;zeek::packet_analysis::Analyzer::ForwardPacket(unsigned long, unsigned char const*, zeek::Packet*, unsigned int) const;zeek::packet_analysis::Analyzer::ForwardPacket(unsigned long, unsigned char const*, zeek::Packet*, unsigned int) const;zeek::packet_analysis::Manager::ProcessPacket(zeek::Packet*);zeek::run_state::detail::dispatch_packet(zeek::Packet
*, zeek::iosource::PktSrc*);zeek::iosource::PktSrc::Process();zeek::run_state::detail::run_loop();mai
n;__libc_start_main;_start
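With newlines (the three frames still shown mangled, and the split `mai`/`n`, are where the pasted trace was wrapped mid-symbol, so c++filt could not demangle them; rejoined, they appear to be Forwarded_NPDU::Parse, UDPAnalyzer::DeliverPacket and Analyzer::ForwardPacket):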
$ cat t | c++filt | tr ';' '\n'
binpac::BACNET::BACNET_Flow::process_i_am(std::vector<binpac::BACNET::BACnet_Tag*, std::allocator<binpac::BACNET::BACnet_Tag*> >*)
binpac::BACNET::Unconfirmed_Request_PDU::Parse(unsigned char const*, unsigned char const*, binpac::BACNET::ContextBACNET*, int)
binpac::BACNET::APDU_Header::Parse(unsigned char const*, unsigned char const*, binpac::BACNET::ContextBACNET*, int)
binpac::BACNET::NPDU_Header::Parse(unsigned char const*, unsigned char const*, binpac::BACNET::ContextBACNET*, int)
_ZN6binpac6BACNET14Forwarded_NPDU5P
arseEPKhS3_PNS0_13ContextBACNETEi
binpac::BACNET::BVLC_Header::Parse(unsigned char const*, unsigned char const*, binpac::BACNET::ContextBACNET*, int)
binpac::BACNET::BACNET_Flow::NewData(unsigned char const*, unsigned char const*)
analyzer::BACNET::BACNET_Analyzer::DeliverPacket(int, unsigned char const*, bool, unsigned long, zeek::IP_Hdr const*, int)
zeek::analyzer::Analyzer::NextPacket(int, unsigned char const*, bool, unsigned long, zeek::IP_Hdr const*, int)
zeek::analyzer::Analyzer::ForwardPacket(int, unsigned char const*, bool, unsigned long, zeek::IP_Hdr const*, int)
_ZN4zeek15packet_analysis3UDP11UDPAna
lyzer13DeliverPacketEPNS_10ConnectionEdbiPNS_6PacketE
zeek::packet_analysis::IP::IPBasedAnalyzer::AnalyzePacket(unsigned long, unsigned char const*, zeek::Packet*)
zeek::packet_analysis::Analyzer::ForwardPacket(unsigned long, unsigned char const*, zeek::Packet*, unsigned int) const
zeek::packet_analysis::IP::IPAnalyzer::AnalyzePacket(unsigned long, unsigned char const*, zeek::Packet*)
zeek::packet_analysis::Analyzer::ForwardPacket(unsigned long, unsigned char const*, zeek::Packet*, unsigned int) const
_ZNK4zeek15packet_analysis8Analyzer13Fo
rwardPacketEmPKhPNS_6PacketEj
zeek::packet_analysis::Analyzer::ForwardPacket(unsigned long, unsigned char const*, zeek::Packet*, unsigned int) const
zeek::packet_analysis::Analyzer::ForwardPacket(unsigned long, unsigned char const*, zeek::Packet*, unsigned int) const
zeek::packet_analysis::Manager::ProcessPacket(zeek::Packet*)
zeek::run_state::detail::dispatch_packet(zeek::Packet*, zeek::iosource::PktSrc*)
zeek::iosource::PktSrc::Process()
zeek::run_state::detail::run_loop()
mai
n
__libc_start_main
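This is the function causing the segfault, `process_i_am`, the top frame of the trace, which runs on tag data parsed from a received UDP packet: https://github.com/cisagov/icsnpp-bacnet/blob/9e1f5455bfb0d003ac7b625cc88b456e5a4d0dc2/src/bacnet-analyzer.pac#L269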
I have added additional checks to that function, based on the number of BACnet tags and on tag_lengths, to guard against conditions that could potentially cause a segfault. Unfortunately, without a packet capture to test with, I am unable to confirm whether the latest commit has fixed the issue. Please let me know if you are still seeing these segfaults with the newest commit/update.
Thanks!
This is awesome! Thank you! I've been running this for the past day and I haven't seen the segfault pop up. Thanks!
🐛 Summary
I am running this analyzer on a large university network that also has a lot of connection gaps. I saw this segfault (it's happened multiple times), but I don't know what traffic triggers it, and I wouldn't be able to share the traffic from their network even if I could figure out what caused it. Does this trace ring a bell given the code stored here? Thanks!