Date: Sun, 04 Jun 2023 15:08:13 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 271820] libalias's AliasHandleQuestion() can run off the end of a ppp packet
Message-ID: <bug-271820-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271820

            Bug ID: 271820
           Summary: libalias's AliasHandleQuestion() can run off the end of a ppp packet
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Attachment #242592 text/plain
         mime type:

Created attachment 242592
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242592&action=edit
send ppp -nat a packet that causes AliasHandleQuestion() to run off the end of a buffer

I've attached a program which sends a short packet into ppp -nat, UDP,
sport 137 (NetBios NS). The IP and UDP headers that libalias sees:

(gdb) print/x *pip
$26 = {ip_hl = 0x0, ip_v = 0x0, ip_tos = 0x89, ip_len = 0x4600, ip_id = 0xffff,
  ip_off = 0xe0, ip_ttl = 0xff, ip_p = 0x11, ip_sum = 0xff7f,
  ip_src = {s_addr = 0xffffff7f}, ip_dst = {s_addr = 0x7fff7fff}}
(gdb) print/x *uh
$27 = {uh_sport = 0x8900, uh_dport = 0x4600, uh_ulen = 0xffff, uh_sum = 0xe0}

What ultimately happens is that libalias/alias_nbt.c's AliasHandleQuestion()
thinks the UDP packet is 65536 bytes long, due to uh_ulen, but the actual
packet buffer is only 70 bytes long, so AliasHandleQuestion() reads off the
end of the packet. That can cause ppp to crash, though it doesn't always.

ValidateUdpLength() doesn't reject the crazy uh_ulen because the IP_MF flag
is set in ip_off.

LibAliasInLocked() doesn't reject the crazy ip_hl of zero; it only checks
for ip_hl too large.

To see this with the attached program:

# cc -g ppp2b.c
# gdb a.out
(gdb) set follow-fork-mode child
(gdb) catch exec
(gdb) run
...
(gdb) break AliasHandleQuestion
(gdb) c
...
(gdb) print (char*)pmax - (char*)q
$1 = 65515
(gdb) up
(gdb) print/x pip->ip_len
$2 = 0x4600
*** 65515 is much bigger than the packet ***
(gdb) where
#0  AliasHandleQuestion (count=32767, q=0x801c7114c, pmax=0x801c81137 "", nbtarg=<optimized out>)
    at /usr/src/sys/netinet/libalias/alias_nbt.c:426
#1  AliasHandleUdpNbtNS (la=<optimized out>, pip=0x801c71138, lnk=<optimized out>,
    alias_address=<optimized out>, alias_port=<optimized out>, original_address=<optimized out>,
    original_port=0x801c7113a) at /usr/src/sys/netinet/libalias/alias_nbt.c:807
#2  0x00000008010d0ccf in protohandler2in (la=<optimized out>, pip=0x801c71138, ah=<optimized out>)
    at /usr/src/sys/netinet/libalias/alias_nbt.c:114
#3  0x00000008011306b5 in UdpAliasIn (la=la@entry=0x801c1a000, pip=pip@entry=0x801c71138)
    at /usr/src/sys/netinet/libalias/alias.c:786
#4  0x000000080112f93c in LibAliasInLocked (la=0x801c1a000, pip=pip@entry=0x801c71138,
    maxpacketsize=<optimized out>) at /usr/src/sys/netinet/libalias/alias.c:1364
#5  0x000000080112f787 in LibAliasIn (la=0x801c71138, ptr=0x7fff, ptr@entry=0x801c71138,
    maxpacketsize=0) at /usr/src/sys/netinet/libalias/alias.c:1325
#6  0x0000000001088452 in nat_LayerPull (bundle=0x10974b0 <bundle_Create.bundle>, l=<optimized out>,
    bp=0x801c71100, proto=<optimized out>) at /usr/src/usr.sbin/ppp/nat_cmd.c:532
#7  0x0000000001070ff4 in link_PullPacket (l=0x801c4d600, buf=<optimized out>, len=<optimized out>,
    b=0x10974b0 <bundle_Create.bundle>) at /usr/src/usr.sbin/ppp/link.c:315
#8  0x000000000104ae25 in bundle_DescriptorRead (d=<optimized out>, bundle=0x10974b0 <bundle_Create.bundle>,
    fdset=0x801c78140) at /usr/src/usr.sbin/ppp/bundle.c:546
#9  0x0000000001074704 in DoLoop (bundle=0x10974b0 <bundle_Create.bundle>) at /usr/src/usr.sbin/ppp/main.c:661
#10 main (argc=3, argv=<optimized out>) at /usr/src/usr.sbin/ppp/main.c:535

-- 
You are receiving this mail because:
You are the assignee for the bug.
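As an added example, not FreeBSD's libalias code and not the fix the project applied, the following hypothetical C validator shows the two checks the report says were missing (an ip_hl lower bound, and a uh_ulen bound that still applies when IP_MF is set) and a label walk that bounds itself by the bytes actually present rather than by a header-derived count. The byte arrays are constructed for the example; REPORT_PKT is built from the gdb values in the report, which on a little-endian host are consistent with ip_len bytes 00 46 (the 70-byte buffer) and with the "UDP header" being read from the first 8 bytes of the IP header once ip_hl is 0 (0x0089 is port 137, the ip_id bytes become uh_ulen = 0xffff). All function and constant names are invented for illustration.

```c
/* Added example, not FreeBSD's libalias code: bounds checks that would reject
 * the header combination in the report above, plus a name walk bounded by the
 * bytes actually present. All names (pkt_bounds_ok, walk_name, REPORT_PKT, ...)
 * are invented for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define IPV4_MIN_HL 5        /* ip_hl counts 32-bit words; 5 words = 20 bytes */
#define IP_MF_BIT   0x2000   /* "more fragments" flag in ip_off, host order */
#define IP_OFFMASK  0x1fff   /* fragment offset field of ip_off */
#define UDP_HDR_LEN 8

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate an IPv4+UDP packet against buflen, the number of bytes actually
 * present, which is the only trustworthy upper bound. On success *payload_len
 * is the number of UDP payload bytes that really exist in the buffer. */
bool pkt_bounds_ok(const uint8_t *buf, size_t buflen, size_t *payload_len)
{
    if (buflen < 4 * IPV4_MIN_HL) return false;
    unsigned version = buf[0] >> 4, hl = buf[0] & 0x0f;
    uint16_t ip_len = rd16(buf + 2), ip_off = rd16(buf + 6);

    /* Reject ip_hl that is too small as well as too large. */
    if (version != 4 || hl < IPV4_MIN_HL) return false;
    size_t iphlen = (size_t)hl * 4;
    /* ip_len must cover its own header and must not exceed the buffer. */
    if (ip_len < iphlen || ip_len > buflen) return false;
    /* Only UDP (protocol 17), and only a datagram that starts with its UDP header. */
    if (buf[9] != 17 || (ip_off & IP_OFFMASK) != 0) return false;
    size_t after_ip = (size_t)ip_len - iphlen;
    if (after_ip < UDP_HDR_LEN) return false;

    uint16_t uh_ulen = rd16(buf + iphlen + 4);
    if (uh_ulen < UDP_HDR_LEN) return false;
    if (ip_off & IP_MF_BIT) {
        /* First fragment: uh_ulen describes the reassembled datagram and may
         * legitimately exceed ip_len, so clamp it rather than skip the check. */
        size_t usable = uh_ulen < after_ip ? uh_ulen : after_ip;
        *payload_len = usable - UDP_HDR_LEN;
    } else {
        /* Unfragmented: the two lengths must agree exactly. */
        if (uh_ulen != after_ip) return false;
        *payload_len = uh_ulen - UDP_HDR_LEN;
    }
    return true;
}

/* Walk a DNS/NetBIOS-style label sequence without reading past q + n, the way
 * a question handler should bound itself by the real buffer end rather than by
 * a header-derived count. Returns bytes consumed, or 0 if truncated/malformed. */
size_t walk_name(const uint8_t *q, size_t n)
{
    for (size_t i = 0; i < n; ) {
        uint8_t len = q[i];
        if (len == 0) return i + 1;                               /* root label ends the name */
        if ((len & 0xc0) == 0xc0) return i + 2 <= n ? i + 2 : 0;  /* compression pointer */
        if (len & 0xc0) return 0;                                 /* reserved label types */
        i += 1 + len;
    }
    return 0;                                                     /* buffer ended before the terminator */
}

/* Constructed 70-byte buffer reproducing the header bytes implied by the
 * report's gdb output (ip_hl = 0, ip_len bytes 00 46, IP_MF set in ip_off,
 * first 8 bytes reading as UDP sport 137 / uh_ulen 0xffff). Rest is zero. */
static const uint8_t REPORT_PKT[70] = {
    0x00, 0x89, 0x00, 0x46, 0xff, 0xff, 0xe0, 0x00, 0xff, 0x11,
    0x7f, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0x7f, 0xff, 0x7f,
};

/* Constructed well-formed 70-byte first fragment (IP_MF set) whose UDP
 * header claims uh_ulen = 65535. */
static const uint8_t FRAG_PKT[70] = {
    0x45, 0x00, 0x00, 0x46, 0x12, 0x34, 0x20, 0x00, 0x40, 0x11,
    0x00, 0x00, 0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x00, 0x89, 0x00, 0x89, 0xff, 0xff, 0x00, 0x00,
};

/* Constructed label sequence "abc" followed by the root label. */
static const uint8_t DEMO_NAME[] = { 3, 'a', 'b', 'c', 0 };

bool demo_report_packet_rejected(void)
{
    size_t payload = 0;
    return !pkt_bounds_ok(REPORT_PKT, sizeof REPORT_PKT, &payload);
}

size_t demo_fragment_payload(void)   /* 42 bytes really present, not 65527 */
{
    size_t payload = 0;
    return pkt_bounds_ok(FRAG_PKT, sizeof FRAG_PKT, &payload) ? payload : 0;
}
```

The design point is that a NAT helper should never let a header-claimed length (ip_len, uh_ulen) drive a pointer walk; the buffer length handed in by the caller is the only bound it can trust, and the fragment case is handled by clamping rather than by skipping the length check.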