From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 271820] libalias's AliasHandleQuestion() can run off the end of a ppp packet
Date: Mon, 05 Jun 2023 15:58:44 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271820

--- Comment #1 from Robert Morris ---

Also:

The subtract in libalias's ValidateUdpLength() can wrap to an unsigned huge
number if ip_len is less than ip_hl<<2. This causes the two "dlen < ..." tests
to be false, which causes the UDP packet to pass muster even if uh_ulen is
bigger than the packet size.

    size_t dlen;
    dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2);
    if (dlen < sizeof(struct udphdr))
        return (NULL);
    if (!MF_ISSET(pip) && dlen < ntohs(ud->uh_ulen))
        return (NULL);

So an HDLC frame like this will also cause AliasHandleQuestion() to read off
the end of the packet buffer and perhaps crash.

    7e 00 21 72 ff 00 00 ff ff e0 00 ff 11 00 89 39 9f 7a 3d 7f ff ff 7c 11 72 7e

(gdb) print/x *pip
$6 = {ip_hl = 0x2, ip_v = 0x7, ip_tos = 0xff, ip_len = 0x0, ip_id = 0xffff,
  ip_off = 0xe0, ip_ttl = 0xff, ip_p = 0x11, ip_sum = 0x8900, ip_src = {
    s_addr = 0x3d7a9f39}, ip_dst = {s_addr = 0x7cffff7f}}
(gdb) print/x *ud
$4 = {uh_sport = 0x11ff, uh_dport = 0x8900, uh_ulen = 0x9f39, uh_sum = 0x3d7a}

-- 
You are receiving this mail because:
You are the assignee for the bug.
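As an added example (not libalias code and not the reporter's), the length check quoted in the comment is reproduced beside a hardened version and driven by the header values gdb printed for the frame; the struct stand-ins, the UDP_HDR_LEN and IP_MIN_HDR_LEN constants, the assumption that MF is clear, and the 20-byte buffer length are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define UDP_HDR_LEN    8    /* stands in for sizeof(struct udphdr) */
#define IP_MIN_HDR_LEN 20   /* IPv4 header with no options */

/* Stand-ins for the header fields the check consumes; values are kept in
 * host byte order so the example runs without ntohs(). */
struct ip_hdr  { unsigned ip_hl; unsigned ip_v; uint16_t ip_len; bool more_frags; };
struct udp_hdr { uint16_t uh_ulen; };

/* Same logic as the fragment quoted in the comment: the subtraction is done
 * in size_t, so ip_len < (ip_hl << 2) wraps to a huge value and both
 * "dlen < ..." rejections are skipped. Returns true when the packet passes. */
static bool validate_udp_len_vulnerable(const struct ip_hdr *pip, const struct udp_hdr *ud)
{
    size_t dlen = (size_t)pip->ip_len - (pip->ip_hl << 2);
    if (dlen < UDP_HDR_LEN)
        return false;
    if (!pip->more_frags && dlen < ud->uh_ulen)
        return false;
    return true;
}

/* Hardened variant (an assumption, not FreeBSD's actual fix): check the header
 * length fields against each other and against the bytes actually present
 * before subtracting, so dlen can never wrap. */
static bool validate_udp_len_hardened(const struct ip_hdr *pip, const struct udp_hdr *ud, size_t buflen)
{
    size_t hlen = (size_t)pip->ip_hl << 2;
    if (pip->ip_v != 4 || hlen < IP_MIN_HDR_LEN)
        return false;                    /* the report's ip_hl=2 fails here */
    if (pip->ip_len < hlen || pip->ip_len > buflen)
        return false;                    /* total length must cover the header and fit the buffer */
    size_t dlen = pip->ip_len - hlen;    /* cannot wrap now */
    if (dlen < UDP_HDR_LEN || (!pip->more_frags && dlen < ud->uh_ulen))
        return false;
    return true;
}

/* Header values gdb printed for the frame in the report (MF assumed clear so
 * both length tests run), and a well-formed 28-byte datagram for contrast. */
static const struct ip_hdr  REPORT_IP  = { .ip_hl = 2, .ip_v = 7, .ip_len = 0x0000, .more_frags = false };
static const struct udp_hdr REPORT_UDP = { .uh_ulen = 0x9f39 };
static const struct ip_hdr  SANE_IP    = { .ip_hl = 5, .ip_v = 4, .ip_len = 28, .more_frags = false };
static const struct udp_hdr SANE_UDP   = { .uh_ulen = 8 };
```

With the report's values, validate_udp_len_vulnerable() accepts the packet while validate_udp_len_hardened() rejects it; the well-formed datagram passes both.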