[netsa-tools-discuss] Segv in super_mediator 1.5.4
Emily Sarneso
ecoff at cert.org
Thu May 17 13:02:23 EDT 2018
Hello Ulrik,
Is YAF generating your IPFIX stream? Super_mediator only expects YAF generated IPFIX data and will likely fail otherwise. If so, can you please let us know what versions of YAF, fixbuf, and super_mediator you are using.
Thanks,
Emily
On 5/17/18, 9:53 AM, "netsa-tools-discuss-bounces+ecoff=sei.cmu.edu at cert.org on behalf of Ulrik Haugen" <netsa-tools-discuss-bounces+ecoff=sei.cmu.edu at cert.org on behalf of ulrik.haugen at liu.se> wrote:
Hello!
I'm trying to deploy super_mediator to distribute our ipfix streams to
multiple destinations.
Unfortunately it suffers frequent crashes with signal segv. I have
examined the core dump from one of them and it seems that the err
pointer passed to mdForwardFlow is not always populated on false
returns:
# gdb -q /usr/bin/super_mediator core.21218
Reading symbols from /usr/bin/super_mediator...Reading symbols from /usr/lib/debug/usr/bin/super_mediator.debug...done.
done.
[New LWP 21218]
[New LWP 21219]
[New LWP 21220]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/bin/super_mediator -c /etc/super_mediator.conf'.
Program terminated with signal 11, Segmentation fault.
#0 0x000000000041aef2 in mdCollectFBuf (err=0x7ffc414e9800, collector=0x11e7870, ctx=0x7ffc414e9810) at mediator_open.c:1114
1114 g_warning("Error: %s", (*err)->message);
(gdb) bt
#0 0x000000000041aef2 in mdCollectFBuf (err=0x7ffc414e9800, collector=0x11e7870, ctx=0x7ffc414e9810) at mediator_open.c:1114
#1 mdCollectorWait (ctx=ctx at entry=0x7ffc414e9810, err=err at entry=0x7ffc414e9800) at mediator_open.c:1184
#2 0x000000000040536f in main (argc=1, argv=0x7ffc414e9a88) at mediator.c:544
(gdb) p err
$1 = (GError **) 0x7ffc414e9800
(gdb) p *err
$2 = (GError *) 0x0
(gdb) p ctx
$3 = (mdContext_t *) 0x7ffc414e9810
(gdb) p *ctx
$4 = {cfg = 0x650ca0 <md_config>, stats = 0x11e9080, err = 0x0}
(gdb) p *(ctx->cfg)
$5 = {flowsrc = 0x11e7870, flowexit = 0x11e9040, maps = 0x0, log = 0x0, mdspread = 0x0, collector_name = 0x11dcf50 "C1", log_cond = {__data = {__lock = 0, __futex = 1, __total_seq = 1, __wakeup_seq = 0, __woken_seq = 0, __mutex = 0x650d00 <md_config+96>, __nwaiters = 2, __broadcast_seq = 0},
__size = "\000\000\000\000\001\000\000\000\001", '\000' <repeats 24 times>, "\re\000\000\000\000\000\002\000\000\000\000\000\000", __align = 4294967296}, log_mutex = {__data = {__lock = 1, __count = 0, __owner = 21218, __nusers = 2, __kind = 0, __spins = 0, __elision = 0, __list = {__prev = 0x0,
__next = 0x0}}, __size = "\001\000\000\000\000\000\000\000\342R\000\000\002", '\000' <repeats 26 times>, __align = 1}, no_stats = 0, ipfixSpreadTrans = 0, lockmode = 0, dns_base64_encode = 0, dns_print_lastseen = 0, shared_filter = 0, gen_tombstone = 0, tombstone_configured_id = 0,
tombstone_unique_id = 28115, udp_template_timeout = 600, ctime = 1526483954688, current_domain = 524288, usec_sleep = 0, num_listeners = 0 '\000', collector_id = 1 '\001'}
(gdb) p *(ctx->stats)
$6 = {recvd_flows = 1269957, dns = 0, recvd_filtered = 0, recvd_stats = 0, nonstd_flows = 0, uniflows = 0, files = 0, restarts = 0}
(gdb) p ipfixFullFlow
$7 = {flowStartMilliseconds = 1526483922688, flowEndMilliseconds = 1526483922688, octetTotalCount = 40, reverseOctetTotalCount = 0, octetDeltaCount = 40, reverseOctetDeltaCount = 0, packetTotalCount = 1, reversePacketTotalCount = 0, packetDeltaCount = 1, reversePacketDeltaCount = 0,
sourceIPv6Address = '\000' <repeats 15 times>, destinationIPv6Address = '\000' <repeats 15 times>, sourceIPv4Address = 96209668, destinationIPv4Address = 2196545307, sourceTransportPort = 43134, destinationTransportPort = 1559, flowAttributes = 0, reverseFlowAttributes = 0, protocolIdentifier = 6 '\006',
flowEndReason = 1 '\001', silkAppLabel = 0, reverseFlowDeltaMilliseconds = 0, tcpSequenceNumber = 0, reverseTcpSequenceNumber = 0, initialTCPFlags = 0 '\000', unionTCPFlags = 0 '\000', reverseInitialTCPFlags = 0 '\000', reverseUnionTCPFlags = 0 '\000', vlanId = 10, reverseVlanId = 0,
ingressInterface = 523, egressInterface = 527, ipClassOfService = 0 '\000', reverseIpClassOfService = 0 '\000', mplsTopLabelStackSection = "\000\000", mplsLabelStackSection2 = "\000\000", mplsLabelStackSection3 = "\000\000", paddingOctets = 0 '\000', observationDomainId = 524288,
yafFlowKeyHash = 797897288, nDPIL7Protocol = 0, nDPIL7SubProtocol = 0, subTemplateMultiList = {firstEntry = 0x0, numElements = 0, semantic = 0 '\000'}}
(gdb) p tid
$8 = 512
(gdb) quit
The relevant parts of the configuration look like this:
# grep -v '^#' /etc/super_mediator.conf
COLLECTOR UDP
PORT 9997
COLLECTOR END
EXPORTER UDP
HOST "localhost"
PORT 4739
EXPORTER END
EXPORTER UDP
HOST "RE.DA.CT.ED"
PORT 9997
EXPORTER END
LOGLEVEL DEBUG
LOG local3
PIDFILE "/srv/netsa/var/super_mediator.pid"
Also we are getting lots of log messages like this, i don't think they
are related to this but rather the nic or some network equipment along
the way not keeping up:
local3/warning super_mediator[30953]: IPFIX Message out of sequence (in domain 00080000, expected 5eaa66d2, got 5eaa66d6)
I will try to address this with hardware replacements so this is just
meant as a fyi.
Please let me know if there is any other information i can supply to
help you fix this!
Best regards
/Ulrik Haugen
Linköping university incident response team
More information about the netsa-tools-discuss
mailing list