sipcapture / captagent

100% Open-Source Packet Capture Agent for HEP
https://sipcapture.org
GNU Affero General Public License v3.0
165 stars, 75 forks

Segmentation fault when specifying a specific filter with Captagent 6.4.1 #271

Closed tuan-pham-hoiio closed 1 week ago

tuan-pham-hoiio commented 1 year ago

Hi, I am upgrading from Captagent 6.3.1 to 6.4.1. In the process, I could not get Captagent 6.4.1 to work with this socket_pcap.xml:

<?xml version="1.0"?>
<document type="captagent_module/xml">
  <module name="socket_pcap" description="HEP Socket" serial="2014010402">
    <profile name="socketspcap_sip" description="HEP Socket" enable="true" serial="2014010402">
      <settings>
        <param name="dev" value="any"/>
        <param name="promisc" value="true"/>
        <param name="reasm" value="false"/>
        <param name="websocket-detection" value="false"/>
        <param name="tcpdefrag" value="false"/>
        <param name="capture-plan" value="sip_capture_plan.cfg"/>
        <param name="filter">
          <value>portrange 5000-6000 and not host 192.168.1.123</value>
        </param>
      </settings>
    </profile>
  </module>
</document>

It continually throws out an error like this: segfault at 0 ip 00007f71deba4ffc sp 00007f71ddcb4e20 error 4 in socket_pcap.so[7f71deba1000+e000].

When changing to another portrange, Captagent returns to normal.

Can you check why this specific portrange is not applicable?

Thank you a lot.

kYroL01 commented 1 year ago

I don't think the problem is the portrange, to be honest, as the filter is only a simple BPF filter that works with BPF rules. Let me quickly check and see what it could be.

Anyway, if it generates a coredump you can run coredumpctl debug and see where captagent blocks.

kYroL01 commented 1 year ago

Hi @tuan-pham-hoiio, I just tested version 6.4.1 with your specific BPF filter and I don't have any issues running captagent. It starts with no issue:

[DEBUG] socket_pcap.c:1142 BPF Filter => Index: [0], Expression: [(portrange 5000-6000 and not host 192.168.1.123)], Reasm: [0]
[DEBUG] conf_function.c:456 find_export_record: found <msg_check> in module protocol_sip [/usr/local/captagent/lib/captagent/modules]
[DEBUG] conf_function.c:456 find_export_record: found <parse_sip> in module protocol_sip [/usr/local/captagent/lib/captagent/modules]
[DEBUG] conf_function.c:456 find_export_record: found <send_hep> in module transport_hep [/usr/local/captagent/lib/captagent/modules]
[DEBUG] conf_function.c:456 find_export_record: found <clog> in module protocol_sip [/usr/local/captagent/lib/captagent/modules]
[DEBUG] conf_function.c:456 find_export_record: found <sip_has_sdp> in module protocol_sip [/usr/local/captagent/lib/captagent/modules]
[DEBUG] conf_function.c:456 find_export_record: found <check_rtcp_ipport> in module database_hash [/usr/local/captagent/lib/captagent/modules]
[DEBUG] conf_function.c:456 find_export_record: found <clog> in module protocol_sip [/usr/local/captagent/lib/captagent/modules]
[DEBUG] socket_pcap.c:1055 Setting device: any

[DEBUG] socket_pcap.c:1207 Index in proto_collect(): index: [0]
[DEBUG] socket_pcap.c:1263 Link offset interface type [113] [16]
[DEBUG] socket_pcap.c:1089 Activated device [any] at index [1]

[DEBUG] socket_pcap.c:1136 Filter for index [1]: [(portrange 8000-30000 and len >=64 ) and (ip and ip[6] & 0x2 = 0 and ip[6:2] & 0x1fff = 0 and udp and udp[8] & 0xc0 = 0x80 and udp[9] >= 0xc8 && udp[9] <= 0xcc)]
[DEBUG] socket_pcap.c:1142 BPF Filter => Index: [1], Expression: [(portrange 8000-30000 and len >=64 ) and (ip and ip[6] & 0x2 = 0 and ip[6:2] & 0x1fff = 0 and udp and udp[8] & 0xc0 = 0x80 and udp[9] >= 0xc8 && udp[9] <= 0xcc)], Reasm: [0]
[DEBUG] conf_function.c:456 find_export_record: found <msg_check> in module protocol_sip [/usr/local/captagent/lib/captagent/modules]
[DEBUG] conf_function.c:456 find_export_record: found <is_rtcp> in module protocol_rtcp [/usr/local/captagent/lib/captagent/modules]
[DEBUG] conf_function.c:456 find_export_record: found <is_rtcp_exist> in module database_hash [/usr/local/captagent/lib/captagent/modules]
[DEBUG] conf_function.c:456 find_export_record: found <parse_rtcp_to_json> in module protocol_rtcp [/usr/local/captagent/lib/captagent/modules]
[DEBUG] conf_function.c:456 find_export_record: found <send_hep> in module transport_hep [/usr/local/captagent/lib/captagent/modules]
[DEBUG] conf_function.c:456 find_export_record: found <clog> in module protocol_sip [/usr/local/captagent/lib/captagent/modules]
[DEBUG] conf_function.c:456 find_export_record: found <clog> in module protocol_sip [/usr/local/captagent/lib/captagent/modules]
[DEBUG] conf_function.c:456 find_export_record: found <clog> in module protocol_sip [/usr/local/captagent/lib/captagent/modules]
[DEBUG] conf_function.c:456 find_export_record: found <clog> in module protocol_sip [/usr/local/captagent/lib/captagent/modules]
[DEBUG] captagent.c:359 The Captagent is ready
[DEBUG] socket_pcap.c:1207 Index in proto_collect(): index: [1]
[DEBUG] socket_pcap.c:1263 Link offset interface type [113] [16]

Unfortunately I cannot reproduce it. In case of further information, please provide it, but this is not a global issue for captagent.

Thank you

tuan-pham-hoiio commented 1 year ago

Thanks for the investigation. Sorry for taking so long to generate the core dump file. It threw out this in the file. Can you look through it? @kYroL01


#0  0x00007f1e72215ffc in callback_proto (arg=0x7f1e71327ee4 "", pkthdr=0x7f1e71327dc0, packet=0x7f1e7132a044 <error: Cannot access memory at address 0x7f1e7132a044>) at socket_pcap.c:555
555         ip_ver = ip4_pkt->ip_v;

btriller commented 1 year ago

That occurs when listening on device any. The ethertype offset is different in the SLL header than in the Ethernet header, so if the last two bytes of the SLL link-layer address field [1] match the VLAN ethertype, ip4_pkt is not set because type_ip is not set, hence this segfault.

https://github.com/sipcapture/captagent/blob/47f67cc764db8ff0d3664228bd4abbd4649cff94/src/modules/socket/pcap/socket_pcap.c#L468-L479 https://github.com/sipcapture/captagent/blob/47f67cc764db8ff0d3664228bd4abbd4649cff94/src/modules/socket/pcap/socket_pcap.c#L504-L507 https://github.com/sipcapture/captagent/blob/47f67cc764db8ff0d3664228bd4abbd4649cff94/src/modules/socket/pcap/socket_pcap.c#L522-L528

[1] https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html
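To make the offset mismatch btriller describes concrete, here is an added example (not captagent's code, and the sample frames are constructed, not taken from the reporter's capture). It reconstructs the pattern from the description: a locator that reads the 802.1Q ethertype at the Ethernet offset even for Linux cooked (SLL, DLT 113) frames, beside a link-type-aware locator that reads the type where each link type puts it, peels VLAN tags, and returns NULL instead of a bogus pointer. The function names, the exact frame bytes and the assumption that the buggy path checks VLAN at offset 12 are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* libpcap link-layer type numbers (LINKTYPE_ETHERNET, LINKTYPE_LINUX_SLL). */
#define LT_ETHERNET    1
#define LT_LINUX_SLL   113
#define ETHERTYPE_IP   0x0800
#define ETHERTYPE_VLAN 0x8100

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Reconstruction of the pattern the thread describes (NOT captagent's code):
 * the link offset is chosen per link type, but the 802.1Q check reads the
 * ethertype at Ethernet offset 12 regardless. In an SLL header bytes 6..13
 * are the 8-byte link-layer address field, so 0x81 0x00 at its tail is taken
 * for a VLAN tag, the "inner" type is read out of the IP header instead,
 * type_ip stays 0 and the caller gets NULL back. */
const uint8_t *buggy_locate_ip4(const uint8_t *pkt, size_t len, int linktype) {
    size_t link_off = (linktype == LT_LINUX_SLL) ? 16 : 14;
    const uint8_t *ip4_pkt = NULL;
    int type_ip = 0;

    if (len < link_off) return NULL;
    if (be16(pkt + 12) == ETHERTYPE_VLAN) {            /* wrong offset for SLL */
        if (len < link_off + 4) return NULL;
        if (be16(pkt + 16) == ETHERTYPE_IP) type_ip = 1;
        link_off += 4;
    } else if (be16(pkt + link_off - 2) == ETHERTYPE_IP) {
        type_ip = 1;
    }
    if (type_ip) ip4_pkt = pkt + link_off;
    return ip4_pkt;   /* a caller doing ip4_pkt->ip_v without a check crashes */
}

/* Link-type-aware version: read the type where the link type defines it
 * (Ethernet: offset 12, header 14; SLL: offset 14, header 16), peel 802.1Q
 * tags (TPID 0x8100 + 2-byte TCI, real ethertype behind them, stacked tags
 * too) and return NULL for anything that is not a complete IPv4 header.
 * Only ethertype-style SLL protocol values are handled; for non-Ethernet
 * hatypes the SLL protocol field means something else. */
const uint8_t *locate_ip4(const uint8_t *pkt, size_t len, int linktype) {
    size_t type_off, link_off;
    uint16_t type;

    switch (linktype) {
    case LT_ETHERNET:  type_off = 12; link_off = 14; break;
    case LT_LINUX_SLL: type_off = 14; link_off = 16; break;
    default:           return NULL;                   /* unknown DLT: skip */
    }
    if (len < link_off) return NULL;
    type = be16(pkt + type_off);
    while (type == ETHERTYPE_VLAN) {
        if (len < link_off + 4) return NULL;
        type = be16(pkt + link_off + 2);
        link_off += 4;
    }
    if (type != ETHERTYPE_IP) return NULL;
    if (len < link_off + 20 || (pkt[link_off] >> 4) != 4) return NULL;
    return pkt + link_off;
}

/* The check missing at the crash site: -1 instead of a NULL dereference. */
int ip_version(const uint8_t *ip4_pkt) {
    if (ip4_pkt == NULL) return -1;
    return ip4_pkt[0] >> 4;
}

/* Constructed sample frames. A 20-byte IPv4 header (192.168.1.10 ->
 * 192.168.1.20, proto UDP) follows each link header; its payload is omitted. */
#define IP4_HDR 0x45,0x00,0x00,0x1c,0x00,0x01,0x00,0x00,0x40,0x11,0x00,0x00, \
                192,168,1,10, 192,168,1,20
/* SLL frame (device "any"): pkttype, hatype ETHER, addrlen 6, 8-byte address
 * field whose last two bytes are deliberately 0x81 0x00, protocol IPv4. */
const uint8_t sll_trap[] = { 0x00,0x00, 0x00,0x01, 0x00,0x06,
    0x02,0x42,0xac,0x11,0x00,0x02,0x81,0x00, 0x08,0x00, IP4_HDR };
/* Same frame with the usual zero padding in the address field. */
const uint8_t sll_ok[] = { 0x00,0x00, 0x00,0x01, 0x00,0x06,
    0x02,0x42,0xac,0x11,0x00,0x02,0x00,0x00, 0x08,0x00, IP4_HDR };
/* Ethernet frame with an 802.1Q tag (VLAN 100) in front of IPv4. */
const uint8_t eth_vlan[] = { 0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x81,0x00, 0x00,0x64, 0x08,0x00, IP4_HDR };
/* Untagged Ethernet frame with ethertype ARP; no locator should accept it. */
const uint8_t eth_arp[] = { 0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x08,0x06, IP4_HDR };

int main(void) {
    printf("buggy locator, SLL trap frame: ip version %d\n",
           ip_version(buggy_locate_ip4(sll_trap, sizeof sll_trap, LT_LINUX_SLL)));
    printf("fixed locator, SLL trap frame: ip version %d\n",
           ip_version(locate_ip4(sll_trap, sizeof sll_trap, LT_LINUX_SLL)));
    return 0;
}
```

On the trap frame the buggy locator returns NULL (the point where the original would dereference ip4_pkt->ip_v), while the link-type-aware one finds the IPv4 header at offset 16; the same address-field tail is harmless once dev points at a real Ethernet interface, which is why switching away from any made the crash disappear for some reporters.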

tuan-pham-hoiio commented 1 year ago

Thank you for your info @btriller. So basically, I can overcome this by setting the device part to a specific interface?

kYroL01 commented 1 year ago

Yes, that's always better than leaving any, which sometimes creates issues. When you can specify the networking interface, do it.

tuan-pham-hoiio commented 1 year ago

Hi @kYroL01, I have already changed dev to a specific interface, but the error is still being raised. Can you recommend where I could look next?

And it seems like another user is experiencing my bug: https://github.com/sipcapture/captagent/issues/272.

kYroL01 commented 1 year ago

Hi @tuan-pham-hoiio, I cannot reproduce the issue, to be honest, so it could be something with this particular traffic. Do you have a sample of this traffic so I can try to look at it once I have time?

IMHO the thing is that when you put port 5060 the traffic has no issue, but when you extend the port range, some bad non-SIP or VLAN-tagged packet creates the problem.

tuan-pham-hoiio commented 1 year ago

Here is a 30-second-traffic pcap file: test_traffic.tar.gz

Thank you so much for your support ^^.

maltris commented 1 week ago

I have just encountered the named problem and can confirm that with Debian Bookworm, setting the explicit interface, the error is gone. But I am still curious: in a setup with 2 or more capturing interfaces (for example with bonding for failover capability), how would I have to adjust the config to incorporate all of them?

kYroL01 commented 1 week ago

Hi @maltris, IMHO if you have 2 interfaces and you want to monitor them both, you can create a new bond with these two interfaces inside, so you can set this new bond in dev=. Unfortunately, any does not work the same on all OSes; it also depends on the libpcap version you have. This is my suggestion.