Segfault on OSX Mavericks about ngrep HOT 5 CLOSED

From reading the report and looking at the backtrace quickly, my guess is that a newer version of libpcap broke their internal lexer restart function.

Background:

Typically ngrep is invoked with a (optional) search string plus a BPF filter. However, ngrep doesn't semantically understand BPF filter terms itself, so it assumes the first non-option parameter is the search string, and attempts to compile the remainder as the BPF filter expression. If the compilation fails, it probably means that no search string was specified, so it restarts the BPF filter expression lexer and attempts to compile the entire non-option parameter string as the expression. If that fails, then the specified BPF filter expression is definitely bogus and ngrep errors out.

I favored this approach because it made invocation simpler & more fluid. In order to make it work however, I had to solve for a bug in older versions of libpcap where the library would segfault if the BPF filter compilation function was invoked more than once. The workaround turned out to be a simple invocation of the lexer's restart function in between compilation invocations, however that function wasn't normally exposed in the header since it was an internal built-in of whatever grammar lexer libpcap had compiled with (bison/yacc/etc). Ultimately I chose to make the default behavior to restart the lexer (and keep invocation simpler), and provide a compile-time option to disable the mechanism if anyone cared to.

The bug workaround you referenced was to specify an empty search string -- which avoids the lexer restart -- and a quick lldb shows a EXC_BAD_ACCESS inside of libpcap itself. So I think my reasoning is correct.

I'll look further into this shortly and confirm a fix. A separate release is imminent.

I really appreciate you passing this along, thank you!

from ngrep.

@tleyden I've pushed changes to the true-up branch, which I think will address this problem.

I'd be grateful if you could confirm this independently. Thanks!

from ngrep.

This issue should be solved in the latest 1.46.1 release.

Please re-open if you observe differently.

from ngrep.

I just built from source on a Mac OS X Mavericks 10.9.5 and observe the following when running

sudo ./ngrep -d lo0 port 8080
interface: lo0 (127.0.0.0/255.0.0.0)
pcap compile: no VLAN support for data link type 0

It does not segfault, but it doesn't work either.

from ngrep.

FWIW, I'm not running into the issue on OSX El Capitan and ngrep: V1.45, $Revision: 1.93 $

from ngrep.