Bug#418975: Buffer overrun in libnet_pblock_coalesce
Simon Horman
2007-04-26 04:03:39 UTC
Hi,

While investigating a bug[1][2] in code which makes use of
libnet I found what seems to be a buffer overrun in libnet_pblock_coalesce()
which results in a crash on x86_64 (but curiously not i386).

[1] http://bugs.debian.org/418749
[2] http://bugs.debian.org/417835

The problem seems to stem from libnet_pblock_coalesce(), which passes
buf + offset, where offset is calculated to be
(l->total_size + l->aligner) - q->ip_offset. However, in the usage
case that I see q->ip_offset is always zero, and as buf
is malloc'd to be l->total_size + l->aligner bytes long earlier in
libnet_pblock_coalesce(), unallocated memory is passed to the
libnet_do_checksum() call.

Poking around a bit, it seems that the memory is also uninitialised.
I'm not sure what the correct fix is, but I wonder if offset
should actually be l->aligner + q->ip_offset. This certainly
solves the problem that was reported in #418749 and #417835.
But as both l->aligner and q->ip_offset are zero I am not sure if
it is correct in the general case.

--- libnet-1.1.2.1-wip.orig/src/libnet_pblock.c 2007-04-13 14:46:34.000000000 +0900
+++ libnet-1.1.2.1-wip/src/libnet_pblock.c 2007-04-13 14:46:58.000000000 +0900
@@ -389,7 +389,7 @@
{
if ((q->flags) & LIBNET_PBLOCK_DO_CHECKSUM)
{
- int offset = (l->total_size + l->aligner) - q->ip_offset;
+ int offset = l->aligner + q->ip_offset;
c = libnet_do_checksum(l, *packet + offset,
libnet_pblock_p2p(q->type), q->h_len);
if (c == -1)
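Review bot: the replacement expression `l->aligner + q->ip_offset` is only validated for the case the report describes, where both terms are zero, so the call `libnet_do_checksum(l, *packet + offset, ...)` still has no guard that the `q->h_len` bytes it reads stay inside the `l->total_size + l->aligner` bytes allocated for the buffer. Add a bounds check before the call, along the lines of `if (offset < 0 || offset + q->h_len > l->total_size + l->aligner)` taking the same error path the surrounding code already uses for `c == -1`, so an unexpected `ip_offset` fails cleanly instead of reading past the allocation. Keeping `offset` as a plain `int` also leaves the old subtraction free to go negative, which the same guard would catch.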

For reference this problem is also recorded as debian bug 418975[3],
and you can add information to that bug by simply sending email
to ***@bugs.debian.org.

[3] http://bugs.debian.org/418975
--
Horms
H: http://www.vergenet.net/~horms/
W: http://www.valinux.co.jp/en/
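To make the arithmetic in the report concrete, here is an added example (not libnet's code; the struct names `coalesce_ctx` and `pblock_view` are hypothetical stand-ins for the fields the message names). It computes the checksum offset both the old and the patched way and runs a bounds check of the kind a caller would want before handing `*packet + offset` to a routine that reads `h_len` bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified view of the fields the report mentions.
 * These are not libnet's own structs. */
struct coalesce_ctx {
    size_t total_size;  /* l->total_size: packet bytes */
    size_t aligner;     /* l->aligner: leading alignment padding */
};

struct pblock_view {
    size_t ip_offset;   /* q->ip_offset */
    size_t h_len;       /* q->h_len: bytes the checksum routine reads */
};

/* The buffer libnet_pblock_coalesce() allocates is total_size + aligner bytes. */
size_t coalesced_buf_len(const struct coalesce_ctx *l)
{
    return l->total_size + l->aligner;
}

/* Offset as computed before the patch. Signed so an underflow is visible. */
long offset_before_patch(const struct coalesce_ctx *l, const struct pblock_view *q)
{
    return (long)(l->total_size + l->aligner) - (long)q->ip_offset;
}

/* Offset as computed by the proposed patch. */
long offset_after_patch(const struct coalesce_ctx *l, const struct pblock_view *q)
{
    return (long)(l->aligner + q->ip_offset);
}

/* True only if [offset, offset + len) lies entirely inside a buffer of buf_len bytes.
 * Negative offsets and wrap-around are rejected rather than tolerated. */
bool read_in_bounds(size_t buf_len, long offset, size_t len)
{
    if (offset < 0)
        return false;
    size_t off = (size_t)offset;
    if (off > buf_len)
        return false;
    return len <= buf_len - off;   /* subtraction cannot underflow here */
}

int main(void)
{
    /* Constructed sample: 40-byte packet, no alignment padding, IP header at
     * offset 0, checksum routine reading a 20-byte header. */
    struct coalesce_ctx l = { 40, 0 };
    struct pblock_view q = { 0, 20 };
    size_t buf_len = coalesced_buf_len(&l);

    long old_off = offset_before_patch(&l, &q);
    long new_off = offset_after_patch(&l, &q);
    printf("buffer length %zu\n", buf_len);
    printf("old offset %ld -> read of %zu bytes in bounds: %s\n", old_off, q.h_len,
           read_in_bounds(buf_len, old_off, q.h_len) ? "yes" : "no");
    printf("new offset %ld -> read of %zu bytes in bounds: %s\n", new_off, q.h_len,
           read_in_bounds(buf_len, new_off, q.h_len) ? "yes" : "no");
    return 0;
}
```

With `ip_offset` zero the old formula lands exactly at the end of the allocation, so every byte the checksum routine reads is past it; the patched formula lands at the start of the buffer. The `read_in_bounds` check is the guard a caller can apply regardless of which formula turns out to be right in the general case.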