Date: Mon, 05 Jun 2023 15:58:44 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 271820] libalias's AliasHandleQuestion() can run off the end of a ppp packet
Message-ID: <bug-271820-227-u5IVAWT3Q6@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-271820-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-271820-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271820

--- Comment #1 from Robert Morris <rtm@lcs.mit.edu> ---

Also:

The subtract in libalias's ValidateUdpLength() can wrap to an unsigned huge
number if ip_len is less than ip_hl<<2. This causes the two "dlen < ..." tests
to be false, which causes the UDP packet to pass muster even if uh_ulen is
bigger than the packet size.

    size_t dlen;

    dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2);
    if (dlen < sizeof(struct udphdr))
        return (NULL);
    if (!MF_ISSET(pip) && dlen < ntohs(ud->uh_ulen))
        return (NULL);

So an HDLC frame like this will also cause AliasHandleQuestion() to read off
the end of the packet buffer and perhaps crash.

    7e 00 21 72 ff 00 00 ff ff e0 00 ff 11 00 89 39 9f 7a 3d 7f ff ff 7c 11 72 7e

    (gdb) print/x *pip
    $6 = {ip_hl = 0x2, ip_v = 0x7, ip_tos = 0xff, ip_len = 0x0, ip_id = 0xffff,
      ip_off = 0xe0, ip_ttl = 0xff, ip_p = 0x11, ip_sum = 0x8900, ip_src = {
        s_addr = 0x3d7a9f39}, ip_dst = {s_addr = 0x7cffff7f}}
    (gdb) print/x *ud
    $4 = {uh_sport = 0x11ff, uh_dport = 0x8900, uh_ulen = 0x9f39, uh_sum = 0x3d7a}

-- 
You are receiving this mail because:
You are the assignee for the bug.
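The unsigned wrap described in the comment above, shown as an added example (not libalias code): the quoted check is reproduced against simplified stand-in headers, beside a version that validates ip_len against the header length before subtracting. The structs, the host-order fields and the sample values decoded from the frame in the report are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins for struct ip / struct udphdr (constructed for this
 * example; fields hold host-order values, so no ntohs() is needed). */
struct ip_hdr  { unsigned ip_hl; uint16_t ip_len; uint16_t ip_off; };
struct udp_hdr { uint16_t uh_ulen; };

#define UDP_HDR_LEN 8          /* sizeof(struct udphdr) */
#define IP_MF       0x2000     /* "more fragments" flag in ip_off */

/* Same logic as the check quoted in the comment: the subtraction is unsigned,
 * so an ip_len smaller than the header length wraps dlen to a huge value and
 * both "dlen < ..." tests become false. */
bool validate_udp_wrapping(const struct ip_hdr *pip, const struct udp_hdr *ud)
{
    size_t dlen = pip->ip_len - (pip->ip_hl << 2);
    if (dlen < UDP_HDR_LEN)
        return false;
    if (!(pip->ip_off & IP_MF) && dlen < ud->uh_ulen)
        return false;
    return true;
}

/* Hardened form: reject an ip_len shorter than the IP header (and a header
 * shorter than the 20-byte minimum) before any subtraction takes place. */
bool validate_udp_checked(const struct ip_hdr *pip, const struct udp_hdr *ud)
{
    size_t hlen = (size_t)pip->ip_hl << 2;
    if (hlen < 20 || pip->ip_len < hlen)
        return false;
    size_t dlen = pip->ip_len - hlen;
    if (dlen < UDP_HDR_LEN || ud->uh_ulen < UDP_HDR_LEN)
        return false;
    if (!(pip->ip_off & IP_MF) && dlen < ud->uh_ulen)
        return false;
    return true;
}

/* Header values decoded from the 26-byte HDLC frame in the report
 * (ip_hl=2, ip_len=0, ip_off bytes e0 00 => 0xe000, uh_ulen=0x9f39). */
static const struct ip_hdr  bug_ip  = { 2, 0, 0xe000 };
static const struct udp_hdr bug_udp = { 0x9f39 };

/* A well-formed 20-byte IP header + 16-byte UDP datagram for comparison. */
static const struct ip_hdr  ok_ip  = { 5, 36, 0 };
static const struct udp_hdr ok_udp = { 16 };
```

With the report's values the wrapping check accepts the packet while the checked version rejects it; the well-formed sample passes both.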