Arun Vishwanathan
2005-05-02 17:08:07 UTC
Resending ...
-----Original Message-----
From: Arun Vishwanathan
Sent: Sunday, April 24, 2005 1:28 AM
To: '***@securityfocus.com'
Subject: [PATCH] Possible bug in libnet_build_udp.c in libnet 1.1.2.1 and its fix
Hi Mike,
I encountered a possible bug while using the libnet_build_udp
(libnet-1.1.2.1) function. I wanted to craft packets to simulate a UDP
datagram being split into multiple IP fragments.
The following function is called the first time in my code to build the
first fragment with the UDP header, and the subsequent fragments are
built using libnet_build_ipv4.

    udp = libnet_build_udp(
        p->sport,               /* source port */
        p->dport,               /* destination port */
        LIBNET_UDP_H + totlen,  /* packet length */
        0,                      /* checksum */
        p->payload,             /* payload */
        p->length,              /* payload size */
        l,                      /* libnet handle */
        udp);                   /* libnet id */
    if (udp == -1) {
        err = libnet_geterror(l);
        retval = ERR_BUILD_UDP;
        goto bad;
    }

In the above function I gave "packet length" as the full UDP datagram
length (unfragmented) and the payload size as the size of the payload in
*this* packet. But this code produced a seg fault in the libnet
checksumming function.
A close look at the code in libnet_build_udp.c revealed the problem.

    Line55:  n = LIBNET_UDP_H + payload_s; /* size of memory block */
    Line56:  h = len; /* header length (for cksum) */
    Line105: return (ptag ? ptag : libnet_pblock_update(l, p, h,
                 LIBNET_PBLOCK_UDP_H));

On line 105 "h" is passed to the callee which is subsequently used for
checksum calculation. But actually it is "n" that should be passed
because checksum should be pa.
After making this change the segfaults did not occur and my code worked
:)
I have rectified the mistake and created a patch. The patch adds proper
comments to line 55 and 56 and updates line 105. I hope my thinking is
right. Please let me know in any case.
Please find attached the patch with this mail.
Regards,
Arun
-------------------------------------------------------------
"Using encryption on the Internet is the equivalent of arranging
an armored car to deliver credit-card information from someone
living in a cardboard box to someone living on a park bench."
-Gene Spafford
-------------------------------------------------------------
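
The length mismatch described in the message above, as an added example that is not part of the original mail or of libnet: a model in which the checksum length h is compared against the block size n before any byte is read. The function names and the 3000/1000-byte sizes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UDP_H 8 /* UDP header size, same value as LIBNET_UDP_H */

/* RFC 1071 Internet checksum over exactly len bytes. */
static uint16_t inet_cksum(const uint8_t *d, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)d[i] << 8) | d[i + 1];
    if (len & 1)
        sum += (uint32_t)d[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Checksum a block of n allocated bytes using checksum length h.
 * Returns -1 instead of reading past the block when h > n. */
static int block_cksum(const uint8_t *buf, size_t n, size_t h)
{
    if (h > n) return -1; /* h - n bytes would be read out of bounds */
    return inet_cksum(buf, h);
}

/* Constructed case: first fragment of a 3000-byte datagram carrying 1000
 * payload bytes. h_is_len=1 models "h = len", h_is_len=0 models "h = n". */
static int first_fragment(int h_is_len)
{
    size_t totlen = 3000, payload_s = 1000;
    size_t len = UDP_H + totlen;          /* caller's "packet length" */
    size_t n = UDP_H + payload_s;         /* size of memory block */
    size_t h = h_is_len ? len : n;        /* length given to the checksum */
    uint8_t *buf = calloc(1, n);          /* header fields left zero */
    int rc;
    if (buf == NULL) return -2;
    memset(buf + UDP_H, 0x01, payload_s); /* constructed payload bytes */
    rc = block_cksum(buf, n, h);
    free(buf);
    return rc;
}

int main(void)
{
    printf("h=len: %d  h=n: 0x%04x\n", first_fragment(1), (unsigned)first_fragment(0));
    return 0;
}
```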