I’m currently in the process of migrating from Bro 2.6.2 to Zeek 3.0.0, and I’m experiencing a small headache with segmentation fault in my plugins. I didn’t have this issue with Bro 2.6.2, so I’m not 100% sure what happened here.
After making name changes from Bro to Zeek, I was able to successfully compile all of the plugins. When I ran them against pcaps that are specified for the plugin, I noticed that some of the plugins threw a segmentation fault (“Segmentation fault (core dumped)”). I was replaying a pcap file like what I usually do by running:
cd ~/Desktop/logs/ && sudo rm -f *.log && zeek -C -t ~/Desktop/logs/output.log -r ~/Desktop/pcap/ testPlugin1_pcap_1.pcapng
After some troubleshooting, I noticed that only the ones that had a switch case statement inside a while loop inside main.zeek were affected by this. I do have checks to prevent resource exhaustion, so I’m not sure why the new version is not happy. Anyway, I was able to verify by cd into “/usr/local/zeek/lib/zeek/plugins/Zeek_testPlugin1/scripts” and commenting out the affected section in main.zeek. Even something as simple as this throws segmentation fault:
while (index < payload_length) {
header = bytestring_to_count(data[index]);
len = 0;
index += 1;
switch (header) {
default: ##! test
break;
}
dummy check as example
if (index > 10) {
break;
}
}
I’ve been looking at this for the last 8 hours, so more eyes would be appreciated.
The `-t` option isn't commonly used and could see it accidentally
breaking without anyone noticing. It does still seem to work for me,
but you might try removing it to see if it makes a difference.
But the best thing would be if you can provide the full directions to
be able to reproduce the segfault -- e.g. the plugin/script code along
with pcap and command-line you're using.
If you can't share those, then next best thing would be if you can run
in a debugger (gdb, lldb) and share a stack trace of the segfault.
Thanks for guidance on this! You are absolutely right. If I remove “-t ~/Desktop/logs/output.log”, then that segmentation fault goes away. I have not a clue why as it works fine for 2.6.2. I thought something was wrong with the actual code. Again, thanks for helping out with this!
Can you provide more information on how to reproduce the issue (exact
scripts/plugins/pcaps that crash every time) ? There's still a bug in
Zeek to fix here, but just adding `-t` and trying a few things hasn't
triggered it for me.
Unfortunately, I’m not at liberty to share right now. However, my colleague Blake Johnson and I might give a talk at Zeek Week next week (https://twitter.com/voteblake/status/1178787539999526912?s=20). Will you be there? I’d love to catch up with you and show you in person instead. It’s probably some silly issue/misconfiguration on my end.
Yes, I'll be at ZeekWeek and happy to take a look then. Else if you
had any minimal reproducer and/or stack trace you can actually share,
feel free to send that along in the meantime.