[Bug 271820] libalias's AliasHandleQuestion() can run off the end of a ppp packet

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 05 Jun 2023 15:58:44 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271820

--- Comment #1 from Robert Morris <rtm@lcs.mit.edu> ---
Also:

The subtraction in libalias's ValidateUdpLength() can wrap to a huge
unsigned number if ip_len is less than ip_hl<<2. This causes the two
"dlen < ..." tests to be false, which causes the UDP packet to pass
muster even if uh_ulen is bigger than the packet size.

        size_t dlen;
        dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2);
        if (dlen < sizeof(struct udphdr))
                return (NULL);
        if (!MF_ISSET(pip) && dlen < ntohs(ud->uh_ulen))
                return (NULL);

So an HDLC frame like this will also cause AliasHandleQuestion() to
read off the end of the packet buffer and perhaps crash.

7e 00 21 72 ff 00 00 ff ff e0 00 ff 11 00 89 39 9f 7a 3d 7f ff ff 7c
11 72 7e

(gdb) print/x *pip
$6 = {ip_hl = 0x2, ip_v = 0x7, ip_tos = 0xff, ip_len = 0x0, ip_id = 0xffff, 
  ip_off = 0xe0, ip_ttl = 0xff, ip_p = 0x11, ip_sum = 0x8900, ip_src = {
    s_addr = 0x3d7a9f39}, ip_dst = {s_addr = 0x7cffff7f}}

(gdb) print/x *ud
$4 = {uh_sport = 0x11ff, uh_dport = 0x8900, uh_ulen = 0x9f39, uh_sum = 0x3d7a}

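The wrap described in the comment, reproduced on the quoted frame, as an added example that is not part of the bug report or of the FreeBSD libalias sources. The frame bytes are copied from the report; `parse_frame`, `pkt_fields`, `udp_length_ok_vulnerable` and `udp_length_ok_hardened` are hypothetical names, and the hardened check is my own suggested ordering of the tests, not the project's eventual fix. The parser assumes the frame is a 0x7e flag, a two-byte PPP protocol field (0x0021 for IP) and then the IP bytes, with no address/control field.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UDPHDR_LEN 8      /* sizeof(struct udphdr) */
#define IP_MF_FLAG 0x2000 /* IP_MF, the "more fragments" bit of ip_off */

/* Constructed copy of the HDLC frame quoted in the report: 0x7e flag,
 * PPP protocol 0x0021 (IPv4), the IP bytes, then the closing 0x7e flag. */
static const uint8_t frame_from_report[] = {
    0x7e, 0x00, 0x21, 0x72, 0xff, 0x00, 0x00, 0xff, 0xff, 0xe0, 0x00, 0xff,
    0x11, 0x00, 0x89, 0x39, 0x9f, 0x7a, 0x3d, 0x7f, 0xff, 0xff, 0x7c, 0x11,
    0x72, 0x7e
};

/* The fields ValidateUdpLength() consults, already converted to host order. */
struct pkt_fields {
    unsigned hdr_bytes;  /* ip_hl << 2 */
    uint16_t ip_len;     /* ntohs(ip_len) */
    uint16_t uh_ulen;    /* ntohs(uh_ulen) */
    bool more_frags;     /* MF_ISSET(pip) */
    size_t ip_buf_len;   /* IP bytes actually present in the buffer */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical helper: pull the fields out of a PPP/HDLC frame, bounds-checking
 * every read against n so the parser itself never runs off the buffer. */
static bool parse_frame(const uint8_t *frame, size_t n, struct pkt_fields *f)
{
    if (n < 3 || frame[0] != 0x7e || be16(frame + 1) != 0x0021)
        return false;
    const uint8_t *ip = frame + 3;
    size_t avail = n - 3;
    if (avail > 0 && ip[avail - 1] == 0x7e)   /* drop the closing flag */
        avail--;
    if (avail < 20)                           /* not even a minimal IP header */
        return false;
    f->hdr_bytes = (unsigned)(ip[0] & 0x0f) * 4;
    f->ip_len = be16(ip + 2);
    f->more_frags = (be16(ip + 6) & IP_MF_FLAG) != 0;
    f->ip_buf_len = avail;
    if ((size_t)f->hdr_bytes + UDPHDR_LEN > avail)  /* UDP header must fit */
        return false;
    f->uh_ulen = be16(ip + f->hdr_bytes + 4);       /* uh_ulen is at offset 4 */
    return true;
}

/* Mirror of the arithmetic quoted from ValidateUdpLength(): the size_t
 * subtraction happens before anyone checks that ip_len >= ip_hl << 2. */
static bool udp_length_ok_vulnerable(const struct pkt_fields *f)
{
    size_t dlen = (size_t)f->ip_len - f->hdr_bytes;  /* wraps when ip_len < hdr */
    if (dlen < UDPHDR_LEN)
        return false;
    if (!f->more_frags && dlen < f->uh_ulen)
        return false;
    return true;
}

/* Hardened form (my suggestion, not the FreeBSD fix): sanity-check the header
 * length, bound ip_len by the bytes really received, and only then subtract. */
static bool udp_length_ok_hardened(const struct pkt_fields *f)
{
    if (f->hdr_bytes < 20 || f->hdr_bytes > f->ip_len)
        return false;
    if (f->ip_len > f->ip_buf_len)
        return false;
    size_t dlen = f->ip_len - f->hdr_bytes;    /* cannot wrap now */
    if (dlen < UDPHDR_LEN)
        return false;
    if (!f->more_frags && dlen < f->uh_ulen)
        return false;
    return true;
}

int main(void)
{
    struct pkt_fields f;
    if (!parse_frame(frame_from_report, sizeof frame_from_report, &f)) {
        puts("frame too short to parse");
        return 1;
    }
    printf("ip_hl<<2=%u ip_len=%u uh_ulen=%u MF=%d buffered=%zu\n",
           f.hdr_bytes, f.ip_len, f.uh_ulen, (int)f.more_frags, f.ip_buf_len);
    printf("vulnerable check accepts: %s\n", udp_length_ok_vulnerable(&f) ? "yes" : "no");
    printf("hardened check accepts:   %s\n", udp_length_ok_hardened(&f) ? "yes" : "no");
    return 0;
}
```

On the quoted frame ip_len is 0 and ip_hl<<2 is 8, so the vulnerable subtraction yields SIZE_MAX-7 and both "dlen < ..." tests are false; note that MF is also set in this frame (ip_off is 0xe000 in host order), so the second test is skipped regardless. The hardened version rejects the packet on the ip_len < header-length comparison before any subtraction, and its extra ip_len <= buffered-bytes test also catches a packet whose ip_len overstates what was actually received, which is the other way a later consumer such as AliasHandleQuestion() can be led past the end of the buffer.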