ssl.bro and --use-binpac cause 100% CPU on bro v1.5.1 (SSLv2 traffic on a port other than 443)

Description

Hi,
I have 100% CPU (after waiting 5 minutes) on bro v1.5.1 (ipv6) with ssl.bro and --use-binpac.
Pcap file attached.

gdb ./bro151ipv6
GNU gdb Red Hat Linux (6.6-16.fc7rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) r --use-binpac -r bro151ipv6binpacssl100pourcentcpu.pcap ssl
Starting program: bro151ipv6 --use-binpac -r bro151ipv6binpacssl100pourcentcpu.pcap ssl
X509: Using the default trusted cert path.
1236846591.230856 warning: SSL_Analyzer_binpac: storage of certificates (ssl_store_certificates) not supported

******************* AFTER 5 MINUTES *******************

Program received signal SIGINT, Interrupt.
0x08218b89 in binpac::SSL::SSLFlow::NewData (this=0x873a458,
t_begin_of_data=0x89377d8 "", t_end_of_data=0x8937800 "")
at ssl_pac.cc:2967
2967 context_ = new ContextSSL(connection(), this, flow_buffer_);
(gdb) bt full
#0 0x08218b89 in binpac::SSL::SSLFlow::NewData (this=0x873a458,
t_begin_of_data=0x89377d8 "", t_end_of_data=0x8937800 "")
at ssl_pac.cc:2967
t_dataunit_parsing_complete = <value optimized out>
__PRETTY_FUNCTION__ = "virtual void binpac::SSL::SSLFlow::NewData(const binpac::uint8*, const binpac::uint8*)"
#1 0x08210173 in binpac::SSL::SSLAnalyzer::next_record (this=0x8738970,
rec=@0xbfdac314, type=22, version=769, is_orig=true) at ssl_pac.cc:2488
No locals.
#2 0x08219662 in binpac::SSLRecordLayer::SSLRecordLayerAnalyzer::forward_record (this=0x8939520, fragment=@0xbfdac314, type=22, version=769, is_orig=true)
at ssl-record-layer_pac.cc:264
No locals.
#3 0x0821a2cc in binpac::SSLRecordLayer::SSLPDU::ParseBuffer (this=0x8960690,
t_flow_buffer=0x8939560, t_context=0x8939708)
at ssl-record-layer_pac.cc:162
t_fragment_string_length = <value optimized out>
t_begin_of_data = <value optimized out>
t_end_of_data = <value optimized out>
__PRETTY_FUNCTION__ = "bool binpac::SSLRecordLayer::SSLPDU::ParseBuffer(binpac::FlowBuffer*, binpac::SSLRecordLayer::ContextSSLRecordLayer*)"
#4 0x0821a93a in binpac::SSLRecordLayer::SSLRecordLayerFlow::NewData (
this=0x8939540, t_begin_of_data=0x8964690 "\026\003\001",
t_end_of_data=0x896474e "") at ssl-record-layer_pac.cc:328
t_dataunit_parsing_complete = <value optimized out>
__PRETTY_FUNCTION__ = "virtual void binpac::SSLRecordLayer::SSLRecordLayerFlow::NewData(const binpac::uint8*, const binpac::uint8*)"
#5 0x0806f82a in Analyzer::NextStream (this=0x87391a8, len=190,
data=0xb88120 "", is_orig=160) at Analyzer.cc:362
No locals.
#6 0x080700ce in Analyzer::ForwardStream (this=0x8738ef0, len=190,
data=0x8964690 "\026\003\001", is_orig=true) at Analyzer.cc:455
current = (Analyzer *) 0x87391a8
i = <value optimized out>
#7 0x0819db9e in TCP_Reassembler::DeliverBlock (this=0x8939668,
seq=<value optimized out>, len=190, data=0x8964690 "\026\003\001")
at TCP_Reassembler.cc:604
No locals.
#8 0x0819de96 in TCP_Reassembler::BlockInserted (this=0x8939668,
start_block=0x895fa90) at TCP_Reassembler.cc:349
len = 190
b = (DataBlock *) 0x895fa90
e = <value optimized out>
#9 0x0819cf7c in TCP_Reassembler::DataSent (this=0x8939668,
t=1236846592.3167939, seq=12091680, len=190,
data=0x88ee72c "\026\003\001", replaying=true) at TCP_Reassembler.cc:446
No locals.
#10 0x0819c228 in TCP_Endpoint::DataSent (this=0x8738fc0,
t=1236846592.3167939, seq=145, len=190, caplen=190,
data=0x88ee72c "\026\003\001", ip=0xbfdac78c, tp=0x88ee70c)
at TCP_Endpoint.cc:213
status = <value optimized out>
#11 0x081969d8 in TCP_Analyzer::DeliverData (this=0x8738ef0,
t=1236846592.3167939, data=0x88ee72c "\026\003\001", len=190, caplen=190,
ip=0xbfdac78c, tp=0x88ee70c, endpoint=0x8738fc0, base_seq=3417820368,
is_orig=1, flags={flags = 24 '\030'}) at TCP.cc:986
data_seq = 145
need_contents = 141791304
#12 0x0819be3e in TCP_Analyzer::DeliverPacket (this=0x8738ef0, len=190,
data=0x88ee72c "\026\003\001", is_orig=true, seq=-1, ip=0xbfdac78c,
caplen=190) at TCP.cc:1115
tp = (const tcphdr *) 0x88ee70c
endpoint = (TCP_Endpoint *) 0x8738fc0
peer = (TCP_Endpoint *) 0x8739048
flags = {flags = 24 '\030'}
t = 1236846592.3167939
orig_addr = <value optimized out>
tcp_hdr_len = 32
seq_len = 190
last_seq = 3417820558
delta_last = <value optimized out>
do_close = <value optimized out>
gen_event = <value optimized out>
need_contents = <value optimized out>
#13 0x080708cd in Analyzer::NextPacket (this=0x8738ef0, len=222,
data=0x88ee70c "\231M\003���3\237\207�200\030", is_orig=true, seq=-1,
ip=0xbfdac78c, caplen=12091680) at Analyzer.cc:334
No locals.
#14 0x08084525 in Connection::NextPacket (this=0x8738dc4,
t=1236846592.3167939, is_orig=1, ip=0xbfdac78c, len=222, caplen=222,
data=@0xbfdac6ec, record_packet=@0xbfdac6e8, record_content=@0xbfdac6e4,
hdr=0x8737f50, pkt=0x88ee6ea "", hdr_size=14) at Conn.cc:247
No locals.
#15 0x08182cd5 in NetSessions::DoNextPacket (this=0x8739f18,
t=1236846592.3167939, hdr=0x8737f50, ip_hdr=0xbfdac78c, pkt=0x88ee6ea "",
hdr_size=14) at Sessions.cc:662
ih = <value optimized out>
caplen = 222
ip4 = (const ip *) 0x88ee6f8
len = <value optimized out>
proto = 6
f = (class FragReassembler *) 0x0
frag_field = <value optimized out>
min_hdr_len = <value optimized out>
data = (const u_char *) 0x88ee70c "\231M\003���3\237\207�200\030"
id = {src_addr = 0xbfdac794, dst_addr = 0xbfdac7a4, src_port = 19865,
dst_port = 57603, is_one_way = false}
d = (class Dictionary *) 0x8739fe0
pass_to_conn_compressor = <value optimized out>
h = (HashKey *) 0x8963248
conn = (class Connection *) 0x8738dc4
record_packet = 1
record_content = 1
#16 0x0818343d in NetSessions::NextPacket (this=0x8739f18,
t=1236846592.3167939, hdr=0x8737f50, pkt=0x88ee6ea "", hdr_size=14,
pkt_elem=0x0) at Sessions.cc:305
ip_hdr = {ip4 = 0x88ee6f8, ip6 = 0x0, src_addr = {0, 0, 0, 134243338},
dst_addr = {0, 0, 0, 251683850}, del = 0}
#17 0x0813e3d1 in net_packet_dispatch (t=1236846592.3167939, hdr=0x8737f50,
pkt=0x88ee6ea "", hdr_size=14, src_ps=0x8737f18, pkt_elem=0x0)
at Net.cc:435
tmgr = <value optimized out>
sp = <value optimized out>
load_freq = 0
#18 0x0813e8d9 in net_packet_arrival (t=1236846592.3167939, hdr=0x8737f50,
pkt=0x88ee6ea "", hdr_size=14, src_ps=0x8737f18) at Net.cc:498
No locals.
#19 0x0814d71f in PktSrc::Process (this=0x8737f18) at PktSrc.cc:199
No locals.
#20 0x0813e657 in net_run () at Net.cc:528
ts = 1236846592.3167939
src = (IOSource *) 0x8960090
#21 0x0804f7df in main (argc=0, argv=0xbfdacc54) at main.cc:999
flow = FLOW_NEXT
f = {<BroObj> = {<SerialObj> = {_vptr.SerialObj = 0x8249228,
static NEVER = 0, static ALWAYS = 1, static factories = 0x861c930,
static names = 0x861c950, static time_counter = 974},
in_ser_cache = false, location = 0x0, ref_cnt = 1,
static suppress_runtime = 0}, frame = 0x87385a8, size = 1409,
function = 0x0, func_args = 0x0, next_stmt = 0x0,
break_before_next_stmt = false, break_on_return = false, trigger = 0x0,
call = 0x0, delayed = false}
interfaces = {<BaseList> = {entry = 0x8620528, chunk_size = 10,
max_entries = 10, num_entries = 0}, <No data fields>}
read_files = {<BaseList> = {entry = 0x8620558, chunk_size = 10,
max_entries = 10, num_entries = 1}, <No data fields>}
netflows = {<BaseList> = {entry = 0x8620588, chunk_size = 10,
max_entries = 10, num_entries = 0}, <No data fields>}
flow_files = {<BaseList> = {entry = 0x86205b8, chunk_size = 10,
max_entries = 10, num_entries = 0}, <No data fields>}
rule_files = {<BaseList> = {entry = 0x86205e8, chunk_size = 10,
max_entries = 10, num_entries = 0}, <No data fields>}
transformed_writefile = 0x0
bst_file = 0x0
id_name = 0x0
events_file = 0x0
seed_load_file = 0x0
seed_save_file = 0x0
seed = 0
dump_cfg = 0
do_watchdog = 0
override_ignore_checksums = 0
rule_debug = 0
RE_level = 4
dns_type = DNS_FAKE
oldhandler = <value optimized out>
p = <value optimized out>
long_optsind = 35
opts = "A:a:B:e:f:I:i:K:n:R:r:s:T:t:U:w:x:X:y:Y:z:CFGHLOPSWdghlv", '\0' <repeats 195 times>
op = <value optimized out>
script_rule_files = <value optimized out>
tmp = 0x0
s = <value optimized out>
bro_alarm_file = <value optimized out>
bro_init = {handler = 0x863b128}
dead_handlers = <value optimized out>
alive_handlers = <value optimized out>
long_opts = {{name = 0x8224159 "debug-policy", has_arg = 0,
flag = 0x0, val = 100}, {name = 0x8224166 "dump-config", has_arg = 0,
flag = 0x0, val = 103}, {name = 0x8224172 "exec", has_arg = 1, flag = 0x0,
val = 101}, {name = 0x823af3d "filter", has_arg = 1, flag = 0x0,
val = 102}, {name = 0x8224177 "help", has_arg = 0, flag = 0x0, val = 104},
{name = 0x822417c "iface", has_arg = 1, flag = 0x0, val = 105}, {
name = 0x8224182 "print-scripts", has_arg = 0, flag = 0x0, val = 108}, {
name = 0x824fad3 "prefix", has_arg = 1, flag = 0x0, val = 112}, {
name = 0x8224190 "readfile", has_arg = 1, flag = 0x0, val = 114}, {
name = 0x8224199 "flowfile", has_arg = 1, flag = 0x0, val = 121}, {
name = 0x82241a2 "netflow", has_arg = 1, flag = 0x0, val = 89}, {
name = 0x82241aa "rulefile", has_arg = 1, flag = 0x0, val = 115}, {
name = 0x82241b3 "tracefile", has_arg = 1, flag = 0x0, val = 116}, {
name = 0x82241bd "writefile", has_arg = 1, flag = 0x0, val = 119}, {
name = 0x8245c8f "version", has_arg = 0, flag = 0x0, val = 118}, {
name = 0x82241c7 "print-state", has_arg = 1, flag = 0x0, val = 120}, {
name = 0x82241d3 "analyze", has_arg = 1, flag = 0x0, val = 122}, {
name = 0x82241db "transfile", has_arg = 1, flag = 0x0, val = 65}, {
name = 0x82241e5 "no-checksums", has_arg = 0, flag = 0x0, val = 67}, {
name = 0x82241f2 "dfa-cache", has_arg = 1, flag = 0x0, val = 68}, {
name = 0x82241fc "force-dns", has_arg = 0, flag = 0x0, val = 70}, {
name = 0x8224206 "load-seeds", has_arg = 1, flag = 0x0, val = 71}, {
name = 0x8224211 "save-seeds", has_arg = 1, flag = 0x0, val = 72}, {
name = 0x822421c "set-seed", has_arg = 1, flag = 0x0, val = 74}, {
name = 0x8224225 "md5-hashkey", has_arg = 1, flag = 0x0, val = 75}, {
name = 0x8224231 "rule-benchmark", has_arg = 0, flag = 0x0, val = 76}, {
name = 0x8224240 "optimize", has_arg = 0, flag = 0x0, val = 79}, {
name = 0x8224249 "prime-dns", has_arg = 0, flag = 0x0, val = 80}, {
name = 0x8224253 "replay", has_arg = 1, flag = 0x0, val = 82}, {
name = 0x822425a "debug-rules", has_arg = 0, flag = 0x0, val = 83}, {
name = 0x8224266 "re-level", has_arg = 1, flag = 0x0, val = 82}, {
name = 0x822426f "watchdog", has_arg = 0, flag = 0x0, val = 87}, {
name = 0x8224278 "print-id", has_arg = 1, flag = 0x0, val = 73}, {
name = 0x8224281 "status-file", has_arg = 1, flag = 0x0, val = 85}, {
name = 0x822428d "pseudo-realtime", has_arg = 2, flag = 0x0, val = 69}, {
name = 0x822429d "use-binpac", has_arg = 0, flag = 0x82b2f88, val = 1}, {
name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
(gdb)

ls -la *.log
-rw-r--r-- 1 bro bro 0 déc 29 10:49 weird.log
-rw-r--r-- 1 bro bro 0 déc 29 10:49 ssl.log
-rw-r--r-- 1 bro bro 0 déc 29 10:49 notice.log
-rw-r--r-- 1 bro bro 0 déc 29 10:49 conn.log

Regards
Rmkml
Crusoe-Researches.com

Environment

None

Assignee

Unassigned

Reporter

rmkml

Labels

External issue ID

210

Components

Affects versions

Priority

Normal