From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 271820] libalias's AliasHandleQuestion() can run off the end of a ppp packet
Date: Sun, 04 Jun 2023 15:08:13 +0000
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271820

            Bug ID: 271820
           Summary: libalias's AliasHandleQuestion() can run off the end of
                    a ppp packet
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 242592
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242592&action=edit
send ppp -nat a packet that causes AliasHandleQuestion() to run off the end of a buffer

I've attached a program which sends a short packet into ppp -nat, UDP,
sport 137 (NetBios NS). The IP and UDP headers that libalias sees:

(gdb) print/x *pip
$26 = {ip_hl = 0x0, ip_v = 0x0, ip_tos = 0x89, ip_len = 0x4600, ip_id = 0xffff,
  ip_off = 0xe0, ip_ttl = 0xff, ip_p = 0x11, ip_sum = 0xff7f, ip_src = {
    s_addr = 0xffffff7f}, ip_dst = {s_addr = 0x7fff7fff}}
(gdb) print/x *uh
$27 = {uh_sport = 0x8900, uh_dport = 0x4600, uh_ulen = 0xffff, uh_sum = 0xe0}

What ultimately happens is that libalias/alias_nbt.c's AliasHandleQuestion()
thinks the UDP packet is 65536 bytes long, due to uh_ulen, but the actual
packet buffer is only 70 bytes long, so AliasHandleQuestion() reads off the
end of the packet. That can cause ppp to crash, though it doesn't always.

ValidateUdpLength() doesn't reject the crazy uh_ulen because the IP_MF flag
is set in ip_off. LibAliasInLocked() doesn't reject the crazy ip_hl of zero;
it only checks for ip_hl too large.

To see this with the attached program:

# cc -g ppp2b.c
# gdb a.out
(gdb) set follow-fork-mode child
(gdb) catch exec
(gdb) run
...
(gdb) break AliasHandleQuestion
(gdb) c
...
(gdb) print (char*)pmax - (char*)q
$1 = 65515
(gdb) up
(gdb) print/x pip->ip_len
$2 = 0x4600

*** 65515 is much bigger than the packet ***

(gdb) where
#0  AliasHandleQuestion (count=32767, q=0x801c7114c, pmax=0x801c81137 "",
    nbtarg=<optimized out>) at /usr/src/sys/netinet/libalias/alias_nbt.c:426
#1  AliasHandleUdpNbtNS (la=<optimized out>, pip=0x801c71138,
    lnk=<optimized out>, alias_address=<optimized out>,
    alias_port=<optimized out>, original_address=<optimized out>,
    original_port=0x801c7113a) at /usr/src/sys/netinet/libalias/alias_nbt.c:807
#2  0x00000008010d0ccf in protohandler2in (la=<optimized out>,
    pip=0x801c71138, ah=<optimized out>)
    at /usr/src/sys/netinet/libalias/alias_nbt.c:114
#3  0x00000008011306b5 in UdpAliasIn (la=la@entry=0x801c1a000,
    pip=pip@entry=0x801c71138) at /usr/src/sys/netinet/libalias/alias.c:786
#4  0x000000080112f93c in LibAliasInLocked (la=0x801c1a000,
    pip=pip@entry=0x801c71138, maxpacketsize=<optimized out>)
    at /usr/src/sys/netinet/libalias/alias.c:1364
#5  0x000000080112f787 in LibAliasIn (la=0x801c71138, ptr=0x7fff,
    ptr@entry=0x801c71138, maxpacketsize=0)
    at /usr/src/sys/netinet/libalias/alias.c:1325
#6  0x0000000001088452 in nat_LayerPull (bundle=0x10974b0,
    l=<optimized out>, bp=0x801c71100, proto=<optimized out>)
    at /usr/src/usr.sbin/ppp/nat_cmd.c:532
#7  0x0000000001070ff4 in link_PullPacket (l=0x801c4d600,
    buf=<optimized out>, len=<optimized out>, b=0x10974b0)
    at /usr/src/usr.sbin/ppp/link.c:315
#8  0x000000000104ae25 in bundle_DescriptorRead (d=<optimized out>,
    bundle=0x10974b0, fdset=0x801c78140)
    at /usr/src/usr.sbin/ppp/bundle.c:546
#9  0x0000000001074704 in DoLoop (bundle=0x10974b0)
    at /usr/src/usr.sbin/ppp/main.c:661
#10 main (argc=3, argv=<optimized out>) at /usr/src/usr.sbin/ppp/main.c:535

-- 
You are receiving this mail because:
You are the assignee for the bug.
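The two missing checks the report names (an ip_hl that is too small, and a uh_ulen that is trusted because IP_MF is set), as an added example in C that is not from the report, from libalias or from ppp and makes no claim about how the bug was actually fixed. All names (udp_bounds, naive_overrun, name_len_bounded, build_query, check_query, rtm_pkt) are hypothetical. The first 20 bytes of rtm_pkt are the report's "print/x *pip" swapped from amd64 host order back to wire order, which is why ip_hl = 0 makes the UDP header overlay the IP header; the remaining 50 bytes of the 70-byte frame are not in the report and are zeroed, and the NBNS query used for the positive case is constructed.

```c
/* Added example (not libalias or ppp code): bounds checks a NAT helper needs
 * before walking a UDP payload, exercised on the header bytes the report dumps. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPPROTO_UDP 17
#define IP_MF       0x2000
#define IP_OFFMASK  0x1fff

/* Rejection reasons; the comments at each check say what they cover. */
enum pkt_status { PKT_OK = 0, PKT_BAD_IP_HL, PKT_BAD_IP_LEN, PKT_NOT_UDP,
                  PKT_LATER_FRAG, PKT_BAD_UDP_HDR, PKT_BAD_UDP_LEN };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* On PKT_OK, *payload/*plen cover only the UDP payload bytes present in buf;
 * every parser downstream must stop at *plen, never at uh_ulen. */
enum pkt_status udp_bounds(const uint8_t *buf, size_t buflen,
                           const uint8_t **payload, size_t *plen)
{
    if (buflen < 20) return PKT_BAD_IP_HL;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;           /* ip_hl, 32-bit words */
    if (ihl < 20 || ihl > buflen) return PKT_BAD_IP_HL;  /* too small AND too large */
    uint16_t ip_len = be16(buf + 2);
    if (ip_len < ihl || ip_len > buflen) return PKT_BAD_IP_LEN;
    if (buf[9] != IPPROTO_UDP) return PKT_NOT_UDP;
    uint16_t off = be16(buf + 6);
    if (off & IP_OFFMASK) return PKT_LATER_FRAG;         /* no UDP header here */
    size_t avail = ip_len - ihl;                         /* IP payload actually present */
    if (avail < 8) return PKT_BAD_UDP_HDR;
    const uint8_t *uh = buf + ihl;
    uint16_t ulen = be16(uh + 4);
    if (ulen < 8) return PKT_BAD_UDP_LEN;
    /* With IP_MF set, uh_ulen describes the reassembled datagram and may exceed
     * avail; that is no reason to parse past avail.  Without IP_MF it must fit. */
    if (!(off & IP_MF) && ulen > avail) return PKT_BAD_UDP_LEN;
    size_t usable = ulen < avail ? ulen : avail;
    if (payload) *payload = uh + 8;
    if (plen) *plen = usable - 8;
    return PKT_OK;
}

/* Bytes a parser would read past the buffer if it set pmax = uh + uh_ulen with
 * uh located through an unchecked ip_hl: the report's failure mode.  Computed
 * with offsets so this example itself never forms an out-of-bounds pointer. */
long naive_overrun(const uint8_t *buf, size_t buflen)
{
    size_t uh_off = (size_t)(buf[0] & 0x0f) * 4;
    if (uh_off + 8 > buflen) return -1;                  /* cannot even read uh_ulen */
    return (long)uh_off + be16(buf + uh_off + 4) - (long)buflen;
}

/* Walk one DNS/NetBIOS-style encoded name; return its encoded length, or -1
 * if any label would extend past end.  Compression pointers are refused. */
long name_len_bounded(const uint8_t *p, const uint8_t *end)
{
    const uint8_t *q = p;
    for (;;) {
        if (q >= end) return -1;
        uint8_t n = *q++;
        if (n == 0) return (long)(q - p);
        if ((n & 0xc0) || (size_t)(end - q) < n) return -1;
        q += n;
    }
}

/* First 20 bytes of the report's 70-byte packet, from its "print/x *pip" swapped
 * to wire order.  The remaining 50 bytes are not in the report and are zero. */
const uint8_t rtm_pkt[70] = {
    0x00, 0x89, 0x00, 0x46, 0xff, 0xff, 0xe0, 0x00, 0xff, 0x11,
    0x7f, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0x7f, 0xff, 0x7f,
};

/* Constructed well-formed NBNS query: ip_hl=5, 46-byte payload holding a 12-byte
 * NBNS header and one 34-byte encoded name.  mf marks it a first fragment; ulen
 * is what uh_ulen claims (54 is the honest value). */
void build_query(uint8_t out[74], int mf, uint16_t ulen)
{
    memset(out, 0, 74);
    out[0] = 0x45; out[3] = 74;                          /* ip_hl=5, ip_len=74 */
    out[6] = mf ? 0x20 : 0x00;                           /* ip_off flags: IP_MF or none */
    out[8] = 64; out[9] = IPPROTO_UDP;
    memcpy(out + 12, "\x0a\x00\x00\x01\x0a\x00\x00\x02", 8);
    out[21] = 137; out[23] = 137;                        /* sport = dport = 137 */
    out[24] = (uint8_t)(ulen >> 8); out[25] = (uint8_t)ulen;
    out[29] = 1;                                         /* qdcount = 1 */
    out[40] = 32; memset(out + 41, 'A', 32);             /* one label; out[73] stays 0 */
}

/* Build, bounds-check, then walk the name.  Returns the encoded name length,
 * or -(status) if udp_bounds rejected the packet. */
long check_query(int mf, uint16_t ulen)
{
    uint8_t pkt[74]; const uint8_t *pl; size_t n;
    build_query(pkt, mf, ulen);
    enum pkt_status st = udp_bounds(pkt, sizeof pkt, &pl, &n);
    return st == PKT_OK ? name_len_bounded(pl + 12, pl + n) : -(long)st;
}

int main(void)
{
    printf("report packet: status %d, naive pmax overrun %ld bytes\n",
           (int)udp_bounds(rtm_pkt, sizeof rtm_pkt, NULL, NULL), naive_overrun(rtm_pkt, 70));
    printf("query: honest %ld, MF+uh_ulen 1500 %ld, no MF+uh_ulen 1500 %ld\n",
           check_query(0, 54), check_query(1, 1500), check_query(0, 1500));
    return 0;
}
```

The report's packet is refused at the ip_hl check before any UDP field is looked at, and naive_overrun shows the distance a uh_ulen-derived pmax would reach past the 70-byte buffer. For a legitimate first fragment the example keeps the packet but clamps the parse limit to the bytes present rather than to uh_ulen, which is the property a pmax passed into a question walker needs regardless of IP_MF.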