Hi Denys,
Denys Vlasenko <[email protected]> writes:
> On Tuesday 02 March 2010 13:56, Arnaud Ebalard wrote:
>> I don't know if this has already been reported but I noticed that the
>> ICMPv6 Echo Request packets generated by busybox ping6 implementation
>> were leaking the content of the stack.
>
> Please show the evidence (tcpdump? strace?).
tcpdump trace in which the echo request of a ping6 -s 1500 ipv6dst
contains (among other things) the result from the DNS resolution for
ipv6dst.
> Which bbox version and .config?
The one on current version of Nokia N900's busybox:
busybox_1.10.2.legal-1osso26+0m5
>> Below is a patch against current
>> git tree.
>
> You added memsets to _receive_ buffers, not send ones...
> send buffers are properly cleared:
You are completely right about my patch: it's crap. I looked at the code
of busybox_1.10.2.legal-1osso26+0m5 which is the following (missing
memset):
#if ENABLE_PING6
static void sendping6(int junk ATTRIBUTE_UNUSED)
{
	struct icmp6_hdr *pkt = alloca(datalen + sizeof(struct icmp6_hdr) + 4);

	pkt->icmp6_type = ICMP6_ECHO_REQUEST;
	pkt->icmp6_code = 0;
	pkt->icmp6_cksum = 0;
	pkt->icmp6_seq = htons(ntransmitted); /* don't ++ here, it can be a macro */
	pkt->icmp6_id = myid;

	/*if (datalen >= 4)*/
	*(uint32_t*)(&pkt->icmp6_data8[4]) = monotonic_us();

	sendping_tail(sendping6, pkt, datalen + sizeof(struct icmp6_hdr));
}
#endif
and then cloned busybox git tree some time *later* yesterday with the
intent to fix it but also with the conviction that the buggy functions
were ping4() and ping6(). Sorry for the noise, Denys.
BTW, git annotate gives you credit for correcting the issue 2 years ago:
commit b34266b42b5f6f78b7346c9ca90caebcd59db345
Author: Denis Vlasenko <[email protected]>
Date: Tue Apr 29 12:31:53 2008 +0000
    ping: dont leak uninitialized data in ping packets

    function     old   new   delta
    sendping4    176   186     +10
    sendping6     93   100      +7
diff --git a/networking/ping.c b/networking/ping.c
index 2991486..c3a7107 100644
--- a/networking/ping.c
+++ b/networking/ping.c
@@ -372,9 +372,10 @@ static void sendping4(int junk ATTRIBUTE_UNUSED)
* *after* packet. Saves one if() */
struct icmp *pkt = alloca(datalen + ICMP_MINLEN + 4);
+ memset(pkt, 0, datalen + ICMP_MINLEN + 4);
pkt->icmp_type = ICMP_ECHO;
- pkt->icmp_code = 0;
- pkt->icmp_cksum = 0;
+ /*pkt->icmp_code = 0;*/
+ /*pkt->icmp_cksum = 0;*/
pkt->icmp_seq = htons(ntransmitted); /* don't ++ here, it can be a
macro */
pkt->icmp_id = myid;
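Review bot: the size expression `datalen + ICMP_MINLEN + 4` now appears twice in sendping4(), once in the alloca() context line and once in the added memset(), and nothing ties the two copies together. If a later change touches only one of them, the memset either stops covering the whole buffer, so the uninitialized bytes come back, or it writes past the allocation. Suggest computing the size once into a local and passing that to both calls. The two assignments turned into comments (`/*pkt->icmp_code = 0;*/`, `/*pkt->icmp_cksum = 0;*/`) would also benefit from a short note that they now rely on the memset above them.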
...
Cheers,
a+
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
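
An added example (not busybox code and not from this thread): a regression check modelled on the sendping6() quoted above, counting how many payload bytes would go out unchanged with and without the memset. The names build_echo6 and leaked_bytes and the filler string are hypothetical and constructed; a pre-filled array stands in for the alloca() region so the result is deterministic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN  8      /* ICMPv6 echo header: type, code, cksum, id, seq */
#define MAX_DATA 1500   /* largest -s value this model accepts */

/* Hypothetical model of sendping6(): sets the header and the 4-byte timestamp
 * (icmp6_data8[4] is byte 8 of the packet). zero_first = 1 is the fixed form. */
static size_t build_echo6(uint8_t *pkt, size_t datalen, int zero_first)
{
    const uint16_t id = 0x1234, seq = 1;   /* constructed values */
    const uint32_t stamp = 0xdeadbeef;     /* stands in for monotonic_us() */
    size_t len = HDR_LEN + datalen;
    if (zero_first)
        memset(pkt, 0, len + 4);           /* same size as the allocation */
    pkt[0] = 128;                          /* ICMP6_ECHO_REQUEST */
    pkt[1] = 0;                            /* code */
    pkt[2] = pkt[3] = 0;                   /* checksum */
    memcpy(pkt + 4, &id, sizeof(id));
    memcpy(pkt + 6, &seq, sizeof(seq));
    memcpy(pkt + HDR_LEN, &stamp, sizeof(stamp));
    return len;                            /* bytes handed to the send call */
}

/* Pre-fills the buffer with constructed "stale" bytes, builds the packet and
 * counts payload bytes after the timestamp that still hold stale content. */
static size_t leaked_bytes(size_t datalen, int zero_first)
{
    static const char stale[] = "AAAA ipv6dst 2001:db8::1 "; /* constructed */
    uint8_t buf[HDR_LEN + MAX_DATA + 4];
    size_t i, len, n = 0;

    if (datalen > MAX_DATA)
        return (size_t)-1;
    for (i = 0; i < sizeof(buf); i++)
        buf[i] = (uint8_t)stale[i % (sizeof(stale) - 1)];
    len = build_echo6(buf, datalen, zero_first);
    for (i = HDR_LEN + 4; i < len; i++)
        n += (buf[i] != 0);
    return n;
}

int main(void)
{
    printf("unfixed: %zu, fixed: %zu\n", leaked_bytes(1500, 0), leaked_bytes(1500, 1));
    return 0;
}
```

With a 4-byte payload the timestamp fills the whole data area, so the unfixed path only shows stale bytes once the payload is larger than that.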