Crash (Segmentation fault) in application.

First, thanks for a very useful library. However, I do experience a crash similar to what was explained in 'crash application #329', but not on windows. I'm running Linux on RaspberryPi4B / 4GB, OS ver 'buster'.

When I run the following code (essentially the example-code for a WPA2 decryptor).

#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <iostream>
#include <tins/tins.h>

using namespace Tins;
using namespace std;
using namespace Crypto;

bool wpa2_callback(const PDU &pdu) 
{
    static int decrypted_pktcnt=0;

    cout << endl << "->WPA2 DECRYPTED PDU: " << decrypted_pktcnt++   << ":  type=" << pdu.pdu_type() << ", size=" << pdu.size() << endl;
    try
    {
       const Dot11Data &data = pdu.rfind_pdu<Dot11Data>();
       cout << " --- DATA FRAME ---" << endl;
       cout << "  data.src_addr: " << data.src_addr() << endl;
       cout << "  data.dst_addr: " << data.dst_addr() << endl;

       try {
            const IP &ip = pdu.rfind_pdu<IP>(); // non-const works as well
            cout << "   --- IP FRAME ---" << endl;
            cout << "    ip.src_addr: " << ip.src_addr() << endl;
            cout << "    ip.dst_addr: " << ip.dst_addr() << endl;
       }
       catch (Tins::pdu_not_found &e)
       {
            cout << "   -->PDU is no IP frame" << endl;;
       }
    }
    catch (Tins::pdu_not_found &e)
    {
        cout << "  -->PDU is no DATA frame" << endl;;
    }
    return true;
}

int main() 
{

    // Setting the relevant channel for my AP
    std::system("iwconfig wlan1 channel 9");  

    SnifferConfiguration config;
    config.set_promisc_mode(true);
    config.set_rfmon(true);

    // Make a simple WPA2 decryptor
    auto decrypt_proxy = make_wpa2_decrypter_proxy(&wpa2_callback);

    decrypt_proxy.decrypter().add_ap_data("XXXXXXXXXXXX", "TheSSID");   

    Sniffer sniffer("wlan1", config);  
    cout << "Starting the proxy decryptor" << endl;
    sniffer.sniff_loop(decrypt_proxy);

}

I get:

Starting the proxy decryptor

->WPA2 DECRYPTED PDU: 0:  type=0, size=9
(Crash!!)

It starts fine, but immediately crashes/seg-faults when the pdu.rfind_pdu<Dot11Data>() is executed. Strangely this only occurs when linking with LIBTINS 4.3, 4.2, but it works just fine when linking with 4.1 ??

Notes:

I build the LIBTINS w: cmake ../ -DLIBTINS_ENABLE_CXX11=1 NB! The build did contain warnings, but all tests passed.

I compile and link the application like this:

g++ -I. -std=c++11 -Wall -O3 -g3 -c -fmessage-length=0 ip_decryptor_test1.cpp
g++ -o ip_decryptor_test1 /home/pi/libtins_4.X/libtins.so ip_decryptor_test1.o -lpthread -ldl

where /home/pi/libtins_4.X contains the libtins.so (linked to the libtins.so.4.x in the same location)

I run the application like: su root -c "export LD_LIBRARY_PATH=/home/pi/libtins_4.3; /home/pi/git/sectool-prototype/box/build/ip_decryptor_test1"

A gdb backtrace gives me:

    Starting program: /home/pi/ip_decryptor_test1
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1".
    [Detaching after fork from child process 6037]
    Starting the proxy decryptor

    ->WPA2 DECRYPTED PDU: 0:  type=0, size=98

    Program received signal SIGSEGV, Segmentation fault.
    Tins::RadioTap::matches_response (this=0x2b3a0, ptr=0xd <error: Cannot access memory at address 0xd>, total_sz=1)
        at /home/pi/4.3/libtins-master/src/radiotap.cpp:348
    348     bool RadioTap::matches_response(const uint8_t* ptr, uint32_t total_sz) const {
    (gdb) bt
    #0  Tins::RadioTap::matches_response (this=0x2b3a0, ptr=0xd <error: Cannot access memory at address 0xd>, total_sz=1)
        at /home/pi/4.3/libtins-master/src/radiotap.cpp:348
    #1  0x000120d8 in Tins::PDU::find_pdu<Tins::Dot11Data> (type=<optimized out>, this=<optimized out>) at /usr/include/c++/8/ostream:612
    #2  Tins::PDU::rfind_pdu<Tins::Dot11Data> (type=<optimized out>, this=<optimized out>) at /usr/include/tins/pdu.h:384
    #3  Tins::PDU::rfind_pdu<Tins::Dot11Data> (type=<optimized out>, this=<optimized out>) at /usr/include/tins/pdu.h:398
    #4  wpa2_callback (pdu=...) at ip_decryptor_test1.cpp:25
    #5  0x00012ad0 in Tins::Crypto::DecrypterProxy<bool (*)(Tins::PDU const&), Tins::Crypto::WPA2Decrypter>::operator() (pdu=...,
        this=<optimized out>) at /usr/include/tins/crypto.h:524
    #6  Tins::Internals::invoke_loop_cb<Tins::Crypto::DecrypterProxy<bool (*)(Tins::PDU const&), Tins::Crypto::WPA2Decrypter>, Tins::Packet>(Tins::Crypto::DecrypterProxy<bool (*)(Tins::PDU const&), Tins::Crypto::WPA2Decrypter>&, Tins::Packet&, std::enable_if<(!Tins::Internals::accepts_type<Tins::Crypto::DecrypterProxy<bool (*)(Tins::PDU const&), Tins::Crypto::WPA2Decrypter>, Tins::Packet, void>::value)&&(!Tins::Internals::accepts_type<Tins::Crypto::DecrypterProxy<bool (*)(Tins::PDU const&), Tins::Crypto::WPA2Decrypter>, Tins::Packet&, void>::value), bool>::type*) (p=..., f=...) at /usr/include/tins/detail/type_traits.h:115
    #7  Tins::BaseSniffer::sniff_loop<Tins::Crypto::DecrypterProxy<bool (*)(Tins::PDU const&), Tins::Crypto::WPA2Decrypter> > (
        this=this@entry=0xbefff418, function=..., max_packets=max_packets@entry=0) at /usr/include/tins/sniffer.h:677
    #8  0x00011d24 in main () at /usr/include/tins/crypto.h:434
    (gdb)

Does this mean anything to you? Is it a bug or am I doing something wrong here? (wouldn't be the first - and probably not the last).

Thanks in advance stepen

mfontanini / libtins

Crash (Segmentation fault) in application. #381