Bug analyzing trace with payload stripped


I'm trying to run Bro on traces with packet payloads removed and ran
across a problem where an analyzer seems to be trying to do a large
allocation due to payload that isn't in the trace. I haven't made any
modifications to Bro or its policy scripts.

I ran across the problem using Bro 1.3.2:

(gdb) run -r <trace> mt
Starting program: /n/banquet/db/tkho/bin/bro -r <trace> mt
bro: out of memory in new.

Program received signal SIGABRT, Aborted.
0x004437a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
(gdb) bt
#0 0x004437a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1 0x00484815 in raise () from /lib/tls/libc.so.6
#2 0x00486279 in abort () from /lib/tls/libc.so.6
#3 0x08053220 in out_of_memory ()
#4 0x0804f730 in bro_new_handler () at main.cc:373
#5 0x0091944a in operator new () from /usr/lib/libstdc++.so.6
#6 0x081a5243 in std::vector<unsigned char, std::allocator<unsigned

>::reserve (this=0xa045e78, __n=892614210)

    at /usr/lib/gcc/i386-redhat-linux/3.4.6/../../../../include/c++/3.4.6/ext/new_allocator.h:81
#7 0x081bc674 in binpac::SunRPC::RPC_Opaque::Parse (this=0xa045e68,
t_begin_of_data=0xa02ed60 "546B07", t_end_of_data=0xa02ed7c "",
t_byteorder=0) at rpc_pac.cc:577
#8 0x081bcf42 in binpac::SunRPC::RPC_OpaqueAuth::Parse
(this=0xa045b28, t_begin_of_data=0xa02ed5c "BNPI546B07",
t_end_of_data=0xa02ed7c "", t_byteorder=0) at rpc_pac.cc:654
#9 0x081bd10a in binpac::SunRPC::RPC_Call::Parse (this=0xa045c68,
t_begin_of_data=0xa02ed4c "", t_end_of_data=0xa02ed7c "",
t_context=0xa040bf0, t_byteorder=0) at rpc_pac.cc:191
#10 0x081be1a9 in binpac::SunRPC::RPC_Message::Parse (this=0xa046688,
t_begin_of_data=0xa02ed44 "", t_end_of_data=0xa02ed7c "",
t_context=0xa040bf0) at ../src/rpc_pac.h:155
#11 0x081be421 in binpac::SunRPC::RPC_Flow::NewData (this=0xa047910,
t_begin_of_data=0xa02ed44 "", t_end_of_data=0xa02ed7c "") at
#12 0x0813139e in RPC_UDP_Analyzer_binpac::DeliverPacket
(this=0xa0409b8, len=56, data=0xa02ed44 "", orig=true, seq=-1,
ip=0xbff786c0, caplen=8) at RPC.cc:608
#13 0x0806e496 in Analyzer::ForwardPacket (this=0xa0467d8, len=56,
data=0xa02ed44 "", is_orig=false, seq=-1, ip=0xbff786c0, caplen=8) at
#14 0x0817f6b4 in UDP_Analyzer::DeliverPacket (this=0xa0467d8, len=56,
data=0xa02ed44 "", is_orig=true, seq=-1, ip=0xbff786c0, caplen=8) at
#15 0x0807c2b3 in Connection::NextPacket (this=0xa046d9c,
t=1138500525.8319471, is_orig=1, ip=0xbff786c0, len=64, caplen=8,
data=@0x0, record_packet=@0xbff78638, record_content=@0xbff7863c,
    hdr=0xa02e728, pkt=0xa02ed1a "", hdr_size=14) at Conn.cc:241
#16 0x08153270 in NetSessions::DoNextPacket (this=0xa03edc8,
t=1138500525.8319471, hdr=0xa02e728, ip_hdr=0xbff786c0, pkt=0xa02ed1a
"", hdr_size=14) at Sessions.cc:584
#17 0x081537d1 in NetSessions::NextPacket (this=0xa03edc8,
t=1138500525.8319471, hdr=0xa02e728, pkt=0xa02ed1a "", hdr_size=14,
pkt_elem=0x0) at Sessions.cc:294
#18 0x0811960e in net_packet_dispatch (t=1138500525.8319471,
hdr=0xa02e728, pkt=0xa02ed1a "", hdr_size=14, src_ps=0xa02e6f0,
pkt_elem=0x0) at Net.cc:402
#19 0x081198b2 in net_packet_arrival (t=1138500525.8319471,
hdr=0xa02e728, pkt=0xa02ed1a "", hdr_size=14, src_ps=0xa02e6f0) at
#20 0x08126036 in PktSrc::Process (this=0xa02e6f0) at PktSrc.cc:216
#21 0x08119d21 in net_run () at Net.cc:491
#22 0x080508ee in main (argc=4, argv=0xbff78c64) at main.cc:1009

and it also occurs in Bro 1.3.27 (rev 5632) I just pulled from SVN:

(gdb) run -r <trace> mt
Starting program: /n/banquet/db/tkho/bin/bro -r <trace> mt
terminate called after throwing an instance of 'std::bad_alloc'
  what(): St9bad_alloc

Program received signal SIGABRT, Aborted.
0x004437a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
(gdb) bt
#0 0x004437a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1 0x00484815 in raise () from /lib/tls/libc.so.6
#2 0x00486279 in abort () from /lib/tls/libc.so.6
#3 0x0091b1bb in __gnu_cxx::__verbose_terminate_handler () from
#4 0x00918ed1 in ?? () from /usr/lib/libstdc++.so.6
#5 0x00918f06 in std::terminate () from /usr/lib/libstdc++.so.6
#6 0x0091904f in __cxa_throw () from /usr/lib/libstdc++.so.6
#7 0x0091949c in operator new () from /usr/lib/libstdc++.so.6
#8 0x081aef57 in std::vector<unsigned char, std::allocator<unsigned

>::reserve (this=0x9454400, __n=892614210)

    at /usr/lib/gcc/i386-redhat-linux/3.4.6/../../../../include/c++/3.4.6/ext/new_allocator.h:81
#9 0x081cb75c in binpac::SunRPC::RPC_Opaque::Parse (this=0x9455d48,
t_begin_of_data=0x943a900 "546B07", t_end_of_data=0x943a91c "",
t_byteorder=0) at rpc_pac.cc:577
#10 0x081cc02e in binpac::SunRPC::RPC_OpaqueAuth::Parse
(this=0x9454620, t_begin_of_data=0x943a8fc "BNPI546B07",
t_end_of_data=0x943a91c "", t_byteorder=0) at rpc_pac.cc:654
#11 0x081cc1f6 in binpac::SunRPC::RPC_Call::Parse (this=0x944e728,
t_begin_of_data=0x943a8ec "", t_end_of_data=0x943a91c "",
t_context=0x94557c0, t_byteorder=0) at rpc_pac.cc:191
#12 0x081cd295 in binpac::SunRPC::RPC_Message::Parse (this=0x94543d0,
t_begin_of_data=0x943a8e4 "", t_end_of_data=0x943a91c "",
t_context=0x94557c0) at ../src/rpc_pac.h:155
#13 0x081cd50d in binpac::SunRPC::RPC_Flow::NewData (this=0x944e8d0,
t_begin_of_data=0x943a8e4 "", t_end_of_data=0x943a91c "") at
#14 0x08136b42 in RPC_UDP_Analyzer_binpac::DeliverPacket
(this=0x944e190, len=56, data=0x943a8e4 "", orig=true, seq=-1,
ip=0xbff8b2a0, caplen=8) at RPC.cc:610
#15 0x0806bfa2 in Analyzer::ForwardPacket (this=0x944e480, len=56,
data=0x943a8e4 "", is_orig=false, seq=-1, ip=0xbff8b2a0, caplen=8) at
#16 0x0818826b in UDP_Analyzer::DeliverPacket (this=0x944e480, len=56,
data=0x943a8e4 "", is_orig=true, seq=-1, ip=0xbff8b2a0, caplen=8) at
#17 0x0807a163 in Connection::NextPacket (this=0x944d7ec,
t=1138500525.8319471, is_orig=1, ip=0xbff8b2a0, len=64, caplen=8,
data=@0x0, record_packet=@0xbff8b218, record_content=@0xbff8b21c,
    hdr=0x943a2c8, pkt=0x943a8ba "", hdr_size=14) at Conn.cc:263
#18 0x08159f60 in NetSessions::DoNextPacket (this=0x944a968,
t=1138500525.8319471, hdr=0x943a2c8, ip_hdr=0xbff8b2a0, pkt=0x943a8ba
"", hdr_size=14) at Sessions.cc:675
#19 0x0815a50d in NetSessions::NextPacket (this=0x944a968,
t=1138500525.8319471, hdr=0x943a2c8, pkt=0x943a8ba "", hdr_size=14,
pkt_elem=0x0) at Sessions.cc:319
#20 0x0811e8ce in net_packet_dispatch (t=1138500525.8319471,
hdr=0x943a2c8, pkt=0x943a8ba "", hdr_size=14, src_ps=0x943a290,
pkt_elem=0x0) at Net.cc:417
#21 0x0811eb5a in net_packet_arrival (t=1138500525.8319471,
hdr=0x943a2c8, pkt=0x943a8ba "", hdr_size=14, src_ps=0x943a290) at
#22 0x0812b61a in PktSrc::Process (this=0x943a290) at PktSrc.cc:216
#23 0x0811efce in net_run () at Net.cc:508
#24 0x0805004a in main (argc=4, argv=0xbff8b854) at main.cc:965