Description
Platform:
tcpdump 4.7.4
libpcap 1.7.4
Solaris 10 on SPARC
gcc 4.9.2
% /usr/local/etc/tcpdump-4.7.4 -h
tcpdump-4.7.4 version 4.7.4
libpcap version 1.7.4
OpenSSL 1.0.2c 12 Jun 2015
Usage: tcpdump-4.7.4 [-aAbdDefhHIJKlLnNOpqRStuUvxX#] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
[ -Q in|out|inout ]
[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ]
[ -Z user ] [ expression ]
tcpdump crashes reading a particular packet:
% /usr/local/etc/tcpdump-4.7.4 -r /var/local/data/incidents/samp20150824a.pcap -ne
reading from file /var/local/data/incidents/samp20150824a.pcap, link-type EN10MB (Ethernet)
Bus Error (core dumped)
Here's the uuencoded packet capture file:
% gdb /usr/local/etc/tcpdump-4.7.4 /var/core/core.tcpdump-4.7.4.621.28468
GNU gdb (GDB) 7.8.2
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.10".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/local/etc/tcpdump-4.7.4...done.
[New LWP 1]
[Thread debugging using libthread_db enabled]
[New Thread 1 (LWP 1)]
Core was generated by `/usr/local/etc/tcpdump-4.7.4 -r /var/local/data/incidents/samp20150824a.pcap -n'.
Program terminated with signal SIGBUS, Bus error.
#0 xid_map_find (vers=, proc=, bp=, rp=) at print-nfs.c:936
936 uint32_t xid = rp->rm_xid;
(gdb) bt
#0 xid_map_find (vers=, proc=, bp=, rp=) at print-nfs.c:936
#1 nfsreply_print_noaddr (ndo=0x1c6fc0 , bp=0x1cd6a6 "\322\215r\035", length=112, bp2=0x1cd66e "E") at print-nfs.c:383
#2 0x0008ccf0 in tcp_print (ndo=0x1c6fc0 , bp=0x1cd682 "\b\001\003\377\020\066O]\330\036D\357\200\030/\362o\202", length=, bp2=0x1cd66e "E", fragmented=0) at print-tcp.c:748
#3 0x0004344c in ip_print_demux (ndo=0x1c6fc0 , ipds=0xffbfee08) at print-ip.c:377
#4 0x0004394c in ip_print (ndo=0x1c6fc0 , bp=, length=168) at print-ip.c:650
#5 0x0003a6e8 in ethertype_print (ndo=0x1c6fc0 , ether_type=2048, p=0x1cd66e "E", length=168, caplen=168) at print-ether.c:323
#6 0x0003ae84 in ether_print (ndo=0x1c6fc0 , p=0x1cd66e "E", length=168, caplen=168, print_encap_header=0x0, encap_header_arg=0x0) at print-ether.c:222
#7 0x0003af84 in ether_if_print (ndo=, h=0xffbff01c, p=0x1cd660 "") at print-ether.c:246
#8 0x00019e8c in print_packet (user=0xffbff73c "", h=0xffbff01c, sp=0x1cd660 "") at tcpdump.c:2466
#9 0xff148900 in pcap_offline_read (p=0x1cce58, cnt=-1, callback=0x19e20 <print_packet>, user=0xffbff73c "") at savefile.c:409
#10 0xff1399fc in pcap_loop (p=0x1cce58, cnt=-1, callback=0x19e20 <print_packet>, user=0xffbff73c "") at pcap.c:861
#11 0x0001ba30 in main (argc=, argv=) at tcpdump.c:2002
(gdb)
Adding -q makes the problem go away:
% /usr/local/etc/tcpdump-4.7.4 -r /var/local/data/incidents/samp20150824a.pcap -ne -q
reading from file /var/local/data/incidents/samp20150824a.pcap, link-type EN10MB (Ethernet)
15:21:36.913318 40:55:39:0a:ad:c1 > 00:14:4f:e2:77:0e, IPv4, length 182: 128.112.130.130.2049 > 140.180.226.200.1023: tcp 116
When I look at the packet using tshark, I can see it's an NFS packet:
% tshark -V -r /var/local/data/incidents/samp20150824a.pcap
Frame 1: 182 bytes on wire (1456 bits), 182 bytes captured (1456 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Aug 24, 2015 15:21:36.913318000 EDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1440444096.913318000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 182 bytes (1456 bits)
Capture Length: 182 bytes (1456 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:data]
Ethernet II, Src: Cisco_0a:ad:c1 (40:55:39:0a:ad:c1), Dst: Oracle_e2:77:0e (00:14:4f:e2:77:0e)
Destination: Oracle_e2:77:0e (00:14:4f:e2:77:0e)
Address: Oracle_e2:77:0e (00:14:4f:e2:77:0e)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: Cisco_0a:ad:c1 (40:55:39:0a:ad:c1)
Address: Cisco_0a:ad:c1 (40:55:39:0a:ad:c1)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 128.112.130.130 (128.112.130.130), Dst: 140.180.226.200 (140.180.226.200)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 168
Identification: 0x979a (38810)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 63
Protocol: TCP (6)
Header checksum: 0x3146 [validation disabled]
[Good: False]
[Bad: False]
Source: 128.112.130.130 (128.112.130.130)
Destination: 140.180.226.200 (140.180.226.200)
Transmission Control Protocol, Src Port: 2049 (2049), Dst Port: 1023 (1023), Seq: 1, Ack: 1, Len: 116
Source Port: 2049 (2049)
Destination Port: 1023 (1023)
[Stream index: 0]
[TCP Segment Len: 116]
Sequence number: 1 (relative sequence number)
[Next sequence number: 117 (relative sequence number)]
Acknowledgment number: 1 (relative ack number)
Header Length: 32 bytes
.... 0000 0001 1000 = Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
Window size value: 12274
[Calculated window size: 12274]
[Window size scaling factor: -1 (unknown)]
Checksum: 0x6f82 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Urgent pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
No-Operation (NOP)
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
No-Operation (NOP)
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
Timestamps: TSval 801481683, TSecr 243357584
Kind: Time Stamp Option (8)
Length: 10
Timestamp value: 801481683
Timestamp echo reply: 243357584
[SEQ/ACK analysis]
[Bytes in flight: 116]
Data (116 bytes)
0000 80 00 00 70 d2 8d 72 1d 00 00 00 01 00 00 00 00 ...p..r.........
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020 00 00 00 02 00 00 01 c0 00 00 00 02 00 00 02 6d ...............m
0030 00 00 0a 28 00 00 00 00 00 00 10 00 00 00 00 00 ...(............
0040 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050 80 00 04 6e 00 00 00 00 04 65 9b 69 55 cc aa ae ...n.....e.iU...
0060 35 2c 69 58 4c 4d d8 26 0a 03 47 38 4c 4d d8 26 5,iXLM.&..G8LM.&
0070 0a 03 47 38 ..G8
Data: 80000070d28d721d00000001000000000000000000000000...
[Length: 116]
This reminds me of #395
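
The faulting line loads `rp->rm_xid` as a `uint32_t`, and frame #1 of the backtrace shows `bp=0x1cd6a6`, which is not 4-byte aligned; SPARC raises SIGBUS on such a load. The C sketch below is an added example (not from the report and not tcpdump's own code): it recomputes that address from the header lengths tshark reports and reads the RPC record marker, XID and message type with byte-wise loads that work at any alignment. It assumes `rp` points at the same address as `bp` in frame #1; all function and struct names are made up for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* First 12 TCP payload bytes, copied from the tshark hex dump in the report. */
static const unsigned char rpc_payload[12] = {
    0x80, 0x00, 0x00, 0x70,   /* RPC record marker */
    0xd2, 0x8d, 0x72, 0x1d,   /* XID */
    0x00, 0x00, 0x00, 0x01    /* message type */
};
struct rpc_head { int ok; int last_frag; uint32_t frag_len, xid, msg_type; };

/* Big-endian 32-bit load built from single bytes: legal at any address. */
static uint32_t load_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Nonzero if a direct uint32_t load at addr would be naturally aligned. */
static int is_u32_aligned(uintptr_t addr) { return (addr & 3u) == 0; }

/* Where the RPC header lands: frame start plus Ethernet, IP and TCP header
 * lengths, plus the 4-byte record marker used for RPC over TCP. */
static uintptr_t rpc_header_addr(uintptr_t frame, size_t eth, size_t ip, size_t tcp)
{
    return frame + eth + ip + tcp + 4;
}

/* Parse marker, XID and message type without casting p to a struct pointer. */
static struct rpc_head parse_rpc_head(const unsigned char *p, size_t caplen)
{
    struct rpc_head h = {0, 0, 0, 0, 0};
    if (caplen < 12) return h;          /* truncated capture: read nothing */
    h.last_frag = (int)(load_be32(p) >> 31);
    h.frag_len = load_be32(p) & 0x7fffffffu;
    h.xid = load_be32(p + 4);
    h.msg_type = load_be32(p + 8);
    h.ok = 1;
    return h;
}

int main(void)
{
    /* 0x1cd660 is the frame pointer p shown in frame #7 of the backtrace. */
    uintptr_t a = rpc_header_addr(0x1cd660, 14, 20, 32);
    struct rpc_head h = parse_rpc_head(rpc_payload, sizeof rpc_payload);
    printf("rpc header at %#lx aligned=%d xid=%#x len=%u type=%u\n", (unsigned long)a,
           is_u32_aligned(a), (unsigned)h.xid, (unsigned)h.frag_len, (unsigned)h.msg_type);
    return 0;
}
```

The fragment length of 112 matches `length=112` in frame #1, and the XID bytes match the `"\322\215r\035"` string gdb prints for `bp`.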