Date: Fri, 29 Mar 2024 18:54:36 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 278034] tcpdump's ip6_print can read beyond buffer end Message-ID: <bug-278034-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D278034 Bug ID: 278034 Summary: tcpdump's ip6_print can read beyond buffer end Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: bin Assignee: bugs@FreeBSD.org Reporter: rtm@lcs.mit.edu Created attachment 249560 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D249560&action= =3Dedit a packet trace file that causes tcpdump to read beyond the end of a buffer = in pfsync_print() tcpdump's ip6_print() is passed the real length of the packet buffer in the length argument. It pulls len from the packet header: payload_len =3D GET_BE_U_2(ip6->ip6_plen); if (payload_len !=3D 0) { len =3D payload_len + sizeof(struct ip6_hdr); if (length < len) ND_PRINT("truncated-ip6 - %u bytes missing!", len - length); If the header's claimed length is greater than the buffer size, tcpdump prints a warning but then continues. Later len (rather than length) is passed to ip_demux_print(): ip_demux_print(ndo, cp, len, 6, fragmented, GET_U_1(ip6->ip6_hlim), nh, bp); and is used by some of the functions it calls as the buffer length. For example, pfsync_print() uses this len as the limit for how far it looks into the buffer: while (plen > 0) { if (len < sizeof(*subh)) break; ...; len -=3D sizeof(*subh); Since this len was pulled from the packet, a broken packet can cause a read overrun. I've attached a demo packet that causes pfsync_print() to read past the end of the buffer. You may need an address sanitizer or valgrind to see the problem. # uname -a FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #20 main-n268970-619e6f1f9288: Sat Mar 23 16:25:40 AST 2024=20=20=20=20 root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64 # tcpdump --version tcpdump version 4.99.4 libpcap version 1.10.4 OpenSSL 3.0.13 30 Jan 2024 # valgrind tcpdump -v -v -n -r - -K < tcpdump43a.dat ... =3D=3D9292=3D=3D Invalid read of size 2 =3D=3D9292=3D=3D at 0x22C90E: pfsync_print (src/contrib/tcpdump/print-pf= sync.c:168) =3D=3D9292=3D=3D by 0x1C40EE: ip6_print (src/contrib/tcpdump/print-ip6.c= :487) =3D=3D9292=3D=3D by 0x1B56BD: ethertype_print (src/contrib/tcpdump/print-ether.c:628) =3D=3D9292=3D=3D by 0x1B5121: ether_common_print (src/contrib/tcpdump/print-ether.c:391) =3D=3D9292=3D=3D by 0x1B5213: ether_print (src/contrib/tcpdump/print-eth= er.c:448) =3D=3D9292=3D=3D by 0x1B5213: ether_if_print (src/contrib/tcpdump/print-= ether.c:464) =3D=3D9292=3D=3D by 0x18C30E: pretty_print_packet (src/contrib/tcpdump/p= rint.c:417) =3D=3D9292=3D=3D by 0x225D00: print_packet (src/contrib/tcpdump/tcpdump.= c:3139) =3D=3D9292=3D=3D by 0x48ACC9D: pcap_offline_read (in /lib/libpcap.so.8) =3D=3D9292=3D=3D by 0x48AB248: pcap_loop (in /lib/libpcap.so.8) =3D=3D9292=3D=3D by 0x2240AC: main (src/contrib/tcpdump/tcpdump.c:2581) =3D=3D9292=3D=3D Address 0x5a3ce90 is 0 bytes after a block of size 1,024 = alloc'd =3D=3D9292=3D=3D at 0x484CDB4: malloc (vg_replace_malloc.c:446) =3D=3D9292=3D=3D by 0x48AF550: pcap_check_header (in /lib/libpcap.so.8) =3D=3D9292=3D=3D by 0x48AC9E2: pcap_fopen_offline_with_tstamp_precision = (in /lib/libpcap.so.8) =3D=3D9292=3D=3D by 0x48AC8DD: pcap_open_offline_with_tstamp_precision (= in /lib/libpcap.so.8) =3D=3D9292=3D=3D by 0x2235EF: main (src/contrib/tcpdump/tcpdump.c:2079) --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-278034-227>