Mail Archives: cygwin/2005/07/06/11:22:35

From: "Dave Korn" <dave DOT korn AT artimi DOT com>
To: <cygwin AT cygwin DOT com>
Subject: RE: Application sending Router Solicitation packet
Date: Wed, 6 Jul 2005 16:22:08 +0100
MIME-Version: 1.0
In-Reply-To: <Pine.GHP.4.58.0507060921230.29097@risc4.numis.northwestern.edu.edu>
Message-ID: <SERRANOiqLQxDqoN1sh000003f1@SERRANO.CAM.ARTIMI.COM>

----Original Message----
>From: L. D. Marks
>Sent: 06 July 2005 16:15

> I've seen a couple of times a fortran program (g77 compilation under
> cygwin) attempting to send (according to my Sygate Firewall) an ICMP Type
> 10 (Router Solicitation) packet. The latest case wants to send to
> 224.0.0.2 -- I did not keep a record of previous cases. 

  That's a multicast address; specifically, it's the well-known multicast
group for 'all routers'.

> The code contains
> no system calls (certainly nothing tcp or router related), is stable and
> has worked for years compiled on a range of systems. If I ignore what
> the firewall is saying I get another attempt, one from
> c:\cygwin\bin\sh.exe and another from another fortran code.
>
> 
> 1) There are arrays going out of bounds (always possible) which is
> somehow triggering one of the cygwin dll's to send the signal. However,
> this should not happen with two different programs & sh.exe.

  And indeed it would be a fairly implausible coincidence for things to go
wrong in just such a way as to trigger the sending of a packet!
 
> 2) This is an internal bug somewhere in cygwin (I would not know where to
> look), perhaps X.
> 
> 3) There is a conflict between cygwin dll's & sygate (I probably don't
> know what I'm talking about).

  On the face of it I'd assume that sygate is wrong about the source of the
packet.  But perhaps you've managed to get infected with some kind of
spyware/BHO/trojan/whatever that works by injecting a DLL into other
processes and trying to phone home from what it hopes will be an application
with firewall privs.

  What I'd do is wait until you can get this to happen again.  Then, while
the firewall has the requester up and the program is suspended while it's
waiting for you to allow or deny access, quickly fire up gdb or insight and
attach it to the process in question, and see if you can figure out what
thread is doing this and what system calls are involved.  Strace might give
you this info as well, but there's no substitute for actually getting it in
a debugger and _looking_!


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....
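
Added example, not part of the message above: one way to check independently what the firewall reports is to capture the packet and decode it. The Python below parses a raw IPv4 packet and says whether it is an ICMP Type 10 (Router Solicitation) message addressed to the all-routers group 224.0.0.2. The function names, the sample packet and its source address 192.0.2.10 are constructed for illustration.

```python
import ipaddress
import struct

ALL_ROUTERS = ipaddress.IPv4Address("224.0.0.2")  # all-routers group from the mail
ROUTER_SOLICITATION = 10                           # ICMP type the firewall reported


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def classify(packet: bytes) -> dict:
    """Decode a raw IPv4 packet; flag ICMP router solicitations."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("truncated or malformed IPv4 header")
    dst = ipaddress.IPv4Address(packet[16:20])
    info = {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(dst),
        "ttl": packet[8],
        "to_all_routers": dst == ALL_ROUTERS,
        "router_solicitation": False,
    }
    payload = packet[ihl:total_len]
    if packet[9] != 1 or len(payload) < 8:   # protocol 1 = ICMP
        return info
    ok = inet_checksum(payload) == 0         # a valid message sums to zero
    info.update(icmp_type=payload[0], icmp_code=payload[1], checksum_ok=ok)
    info["router_solicitation"] = (
        payload[0] == ROUTER_SOLICITATION and payload[1] == 0 and ok)
    return info


def build_sample() -> bytes:
    """Constructed sample: 192.0.2.10 -> 224.0.0.2, ICMP type 10, TTL 1."""
    icmp = struct.pack("!BBHI", ROUTER_SOLICITATION, 0, 0, 0)
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    src = ipaddress.IPv4Address("192.0.2.10").packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, 1, 0,
                      src, ALL_ROUTERS.packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp
```

Feeding `classify()` the bytes of a captured packet (IP header onward) confirms the type, destination and TTL without relying on the firewall's attribution; it says nothing about which process sent it, which is what the debugger step is for.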
