New installation of Bro crashes and core dumps with error indicating ssh/binpac

Description

diag results:
[BroControl] > diag
[bro]

Bro 2.3-633
Linux 3.2.0-4-686-pae

No gdb installed.

==== No reporter.log

==== stderr.log
listening on eth1, capture length 8192 bytes

bro: /root/bro/build/src/analyzer/protocol/ssh/ssh_pac.cc:1382: int binpac::SSH::SSH2_KEXINIT:arse(binpac::const_byteptr, binpac::const_byteptr, binpac::SSH::ContextSSH*, int): Assertion `t_dataptr_after_cookie <= t_end_of_data' failed.
/usr/local/bro/share/broctl/scripts/run-bro: line 100: 10307 Aborted (core dumped) nohup "$mybro" "$@"

==== stdout.log
max memory size (kbytes, -m) unlimited
data seg size (kbytes, -d) unlimited
virtual memory (kbytes, -v) unlimited
core file size (blocks, -c) unlimited

==== .cmdline
-i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto

==== .env_vars
PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/bro/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
CLUSTER_NODE=

==== .status
RUNNING [net_run]

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log
[BroControl] >

Environment

Debian wheezy, Dell 1750 (dual 32-bit Xeon dual-core cpus), capturing on one 100 meg mirrored switch port

Activity

Show:
Ted Llewellyn
March 31, 2015, 10:42 PM
Edited

Hmmm, that URL is giving me a 403 error when I try to "git clone" it. It didn't ask me for credentials and I'm using 1.7.10.4, so I'm not sure why.

Ted Llewellyn

Jon Siwek
March 31, 2015, 7:16 PM

Ted, want to give the following patch a try?

https://github.com/bro/binpac/commit/47333b9be514aeb7c1f8c1463dc40f0157181f60

This is in the topic/jsiwek/bit-1361 branch of the binpac git repository.

Ted Llewellyn
March 31, 2015, 4:37 PM

I have attached a backtrace from 3/31/215.

Jon Siwek
March 31, 2015, 4:15 PM

I have a pcap that reproduces this if anyone wants it let me know. I also started looking at fixing the problem this morning and have a general idea what BinPAC does wrong, but not certain yet what change to do to the code gen.

Merged

Assignee

Robin Sommer

Reporter

Ted Llewellyn

Labels

External issue ID

None

Components

Fix versions

Affects versions

Priority

Normal