From nobody Fri Mar 29 18:54:36 2024 X-Original-To: bugs@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4V5qMd0GJGz5FT9V for ; Fri, 29 Mar 2024 18:54:37 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4V5qMc45Ljz4vCc for ; Fri, 29 Mar 2024 18:54:36 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1711738476; a=rsa-sha256; cv=none; b=HMam+Bt8H5EvG68nSHw0wKkIu5J6Jivh4mAHKwUh9Ce34q25KPnmhc2r5BJZU/mNgOWI/A y58LM8u28JlnNBU7+6Y8yklLBdd6nx7chY8g/x7BcFkEbFWsslri8d3v9PHZ9JB3GL6iDW ZEVFqrslIT4GRtr7aODZD3cTwRlpsFQU/VOuifYgenl7WVwEBOL/ED23pXC0IXozjb5WN2 O6aLW4+lERIFLJIRz5KlJZQvCRSZuS3WhbOYEBX4Nmr1Y9sjcFtNI/rls0+d72laYl7bH5 bJmz6IyxAfqjvOjGAhe6IijEVPlnwOQVpHuFNgR3LhP3lVmDwx25e8e78pWctA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1711738476; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ubRZNzrognr1YzYDEd/8MYTEg4dnKhZHnrwrGdqKRpU=; b=E5MwQIJpjknh+ZNGUaAk7EjdMUY0bO9XEaSHrLMkDCDsQb4gnyrj8MmJgJqQtuPM8+Ajwv MewEji5Fgp7tInkQ4ibZET/0fphDviUNRqKj30VbkaYlRdZpJcmnvEDpR9Ra7KWMw44NFK AAtIPcgWS3iZWILKoUTmhoa+UwnR1sQwPsdV/BkjjOQ5u9byF3fnF6HY4ST4OKaYIo5p8d iAI+ewOCkgwpQPsKBKRCyASln6wDOF0hjrfUn4movtAaP2y0OGnePmIcuJ5A5Y9h8xkUVE nwM0/0NduLt0dPAOvAKGoB1pCiTtSfvEy3V3XIhkzVprOBw0f68SPyFnui8nAw== Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4V5qMc3JQmzMdb for ; Fri, 29 Mar 2024 18:54:36 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 42TIsalu082794 for ; Fri, 29 Mar 2024 18:54:36 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 42TIsaUS082793 for bugs@FreeBSD.org; Fri, 29 Mar 2024 18:54:36 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 278034] tcpdump's ip6_print can read beyond buffer end Date: Fri, 29 Mar 2024 18:54:36 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: bin X-Bugzilla-Version: CURRENT X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: rtm@lcs.mit.edu X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Bug reports List-Archive: https://lists.freebsd.org/archives/freebsd-bugs List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-bugs@freebsd.org MIME-Version: 1.0 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D278034 Bug ID: 278034 Summary: tcpdump's ip6_print can read beyond buffer end Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: bin Assignee: bugs@FreeBSD.org Reporter: rtm@lcs.mit.edu Created attachment 249560 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D249560&action= =3Dedit a packet trace file that causes tcpdump to read beyond the end of a buffer = in pfsync_print() tcpdump's ip6_print() is passed the real length of the packet buffer in the length argument. It pulls len from the packet header: payload_len =3D GET_BE_U_2(ip6->ip6_plen); if (payload_len !=3D 0) { len =3D payload_len + sizeof(struct ip6_hdr); if (length < len) ND_PRINT("truncated-ip6 - %u bytes missing!", len - length); If the header's claimed length is greater than the buffer size, tcpdump prints a warning but then continues. Later len (rather than length) is passed to ip_demux_print(): ip_demux_print(ndo, cp, len, 6, fragmented, GET_U_1(ip6->ip6_hlim), nh, bp); and is used by some of the functions it calls as the buffer length. For example, pfsync_print() uses this len as the limit for how far it looks into the buffer: while (plen > 0) { if (len < sizeof(*subh)) break; ...; len -=3D sizeof(*subh); Since this len was pulled from the packet, a broken packet can cause a read overrun. I've attached a demo packet that causes pfsync_print() to read past the end of the buffer. You may need an address sanitizer or valgrind to see the problem. # uname -a FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #20 main-n268970-619e6f1f9288: Sat Mar 23 16:25:40 AST 2024=20=20=20=20 root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64 # tcpdump --version tcpdump version 4.99.4 libpcap version 1.10.4 OpenSSL 3.0.13 30 Jan 2024 # valgrind tcpdump -v -v -n -r - -K < tcpdump43a.dat ... =3D=3D9292=3D=3D Invalid read of size 2 =3D=3D9292=3D=3D at 0x22C90E: pfsync_print (src/contrib/tcpdump/print-pf= sync.c:168) =3D=3D9292=3D=3D by 0x1C40EE: ip6_print (src/contrib/tcpdump/print-ip6.c= :487) =3D=3D9292=3D=3D by 0x1B56BD: ethertype_print (src/contrib/tcpdump/print-ether.c:628) =3D=3D9292=3D=3D by 0x1B5121: ether_common_print (src/contrib/tcpdump/print-ether.c:391) =3D=3D9292=3D=3D by 0x1B5213: ether_print (src/contrib/tcpdump/print-eth= er.c:448) =3D=3D9292=3D=3D by 0x1B5213: ether_if_print (src/contrib/tcpdump/print-= ether.c:464) =3D=3D9292=3D=3D by 0x18C30E: pretty_print_packet (src/contrib/tcpdump/p= rint.c:417) =3D=3D9292=3D=3D by 0x225D00: print_packet (src/contrib/tcpdump/tcpdump.= c:3139) =3D=3D9292=3D=3D by 0x48ACC9D: pcap_offline_read (in /lib/libpcap.so.8) =3D=3D9292=3D=3D by 0x48AB248: pcap_loop (in /lib/libpcap.so.8) =3D=3D9292=3D=3D by 0x2240AC: main (src/contrib/tcpdump/tcpdump.c:2581) =3D=3D9292=3D=3D Address 0x5a3ce90 is 0 bytes after a block of size 1,024 = alloc'd =3D=3D9292=3D=3D at 0x484CDB4: malloc (vg_replace_malloc.c:446) =3D=3D9292=3D=3D by 0x48AF550: pcap_check_header (in /lib/libpcap.so.8) =3D=3D9292=3D=3D by 0x48AC9E2: pcap_fopen_offline_with_tstamp_precision = (in /lib/libpcap.so.8) =3D=3D9292=3D=3D by 0x48AC8DD: pcap_open_offline_with_tstamp_precision (= in /lib/libpcap.so.8) =3D=3D9292=3D=3D by 0x2235EF: main (src/contrib/tcpdump/tcpdump.c:2079) --=20 You are receiving this mail because: You are the assignee for the bug.=