This is the mail archive of the cygwin mailing list for the Cygwin project.


RE: Application sending Router Solicitation packet


----Original Message----
>From: L. D. Marks
>Sent: 06 July 2005 16:15

> I've seen a couple of times a fortran program (g77 compilation under
> cygwin) attempting to send (according to my Sygate Firewall) an ICMP Type
> 10 (Router Solicitation) packet. The latest case wants to send to
> 224.0.0.2 -- I did not keep a record of previous cases. 

  That's a multicast address; specifically, it's the well-known multicast
group for 'all routers'.

> The code contains
> no system calls (certainly nothing tcp or router related), is stable and
> has worked for years compiled on a range of systems. If I ignore what
> the firewall is saying I get another attempt, one from
> c:\cygwin\bin\sh.exe and another from another fortran code.
>
> 
> 1) There are arrays going out of bounds (always possible) which is
> somehow triggering one of the cygwin dll's to send the signal. However,
> this should not happen with two different programs & sh.exe.

  And indeed it would be a fairly implausible coincidence for things to go
wrong in just such a way as to trigger the sending of a packet!
 
> 2) This is an internal bug somewhere in cygwin (I would not know where to
> look), perhaps X.
> 
> 3) There is a conflict between cygwin dll's & sygate (I probably don't
> know what I'm talking about).

  On the face of it I'd assume that sygate is wrong about the source of the
packet.  But perhaps you've managed to get infected with some kind of
spyware/BHO/trojan/whatever that works by injecting a DLL into other
processes and trying to phone home from what it hopes will be an application
with firewall privs.

  What I'd do is wait until you can get this to happen again.  Then, while
the firewall has the requester up and the program is suspended while it's
waiting for you to allow or deny access, quickly fire up gdb or insight and
attach it to the process in question, and see if you can figure out what
thread is doing this and what system calls are involved.  Strace might give
you this info as well, but there's no substitute for actually getting it in
a debugger and _looking_!


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

