Guy Harris wrote:
> On Sat, Jul 21, 2001 at 04:08:45PM -0700, Guy Harris wrote:
> > On Sat, Jul 21, 2001 at 03:12:49PM +0000, Giora Engel wrote:
> > > Please try this bigger file.
> >
> > Please try version 0.6.2 of libpcap.  If it crashes only in 0.5,
> > but doesn't crash in 0.6.2,
> 
> I tried backing the fix to the optimizer out of my current-CVS version
> of libpcap, and building tcpdump with that version of libpcap; when I
> ran tcpdump with the huge.txt filter, it crashed, but when I put the fix
> back in, it didn't, which means...
> 
> > it's probably the bug in question,
> 
> ...which, in turn, means you should try applying the patch in my
> previous message to your WinPcap source and recompiling.
> 
> (The patch causes "count_stmts()" to correctly count the number of
> BPF statements a flowgraph would produce; without the patch, it
> undercounts, meaning that the array of instructions allocated by
> "icode_to_fcode()" will be too small - "icode_to_fcode()" is called
> regardless of whether any optimization is done; yes, it could be
> considered confusing that it appears in "optimize.c" - so the problem
> may occur even with no optimization.
> 
> "convert_code_r()" is called from "icode_to_fcode()", and is, in fact,
> storing into that array of instructions, so the bug will, in fact, cause
> it to write past the end of the array, as Purify found it was doing.)

Just to keep the record straight, I found that bug and confirmed that
convert_code_r() was exceeding the bounds of the allocated array using gdb and
groveling, not with Purify. I posted the bug description and a fix to
tcpdump-workers on 2000/10/21 "Apparent problem with optimization and long
jumps". I also speculated that this could be a vector for malicious code, and
I still think this potential exists in unpatched code, though it may be
extremely difficult to exploit. All the same, I think the fix, since it's
quite simple, ought to be rolled into the WinPcap distribution as a
precaution.

-- 
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
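A constructed C model of the count/emit mismatch described in the quoted message, added here as an example and not libpcap's or WinPcap's own code: a size pass that ignores the extra "ja" instructions long jumps need, the corrected pass that counts them, and an emitter that refuses to write past the array instead of overrunning it. The block layout, the opcode values and the sample flowgraph are assumptions of the model.

```c
/* Constructed model of the bug discussed above, not libpcap's own code.
 * A conditional BPF jump keeps its targets in 8-bit jt/jf fields, so a
 * target more than 255 insns away needs an extra unconditional "ja"
 * (32-bit k) right after it; a size pass that forgets those ja's makes
 * the emitter write past the array it was given. */
#define OP_STMT 0x20   /* stand-in for a load */
#define OP_JCOND 0x15  /* conditional jump, 8-bit jt/jf offsets */
#define OP_JA 0x05     /* unconditional jump, 32-bit k offset */
#define OP_RET 0x06
struct insn { unsigned char code, jt, jf; unsigned k; };
/* A block: nstmts plain insns, then a jump whose true branch goes to the
 * final RET and whose false branch falls through to the next block. */
struct block { unsigned nstmts, longjt; };

/* Size pass. fixed == 0 reproduces the undercount: the ja's are ignored. */
unsigned count_stmts(const struct block *b, unsigned n, int fixed)
{
    unsigned total = 1;                              /* the final RET */
    for (unsigned i = 0; i < n; i++)
        total += b[i].nstmts + 1 + (fixed ? b[i].longjt : 0);
    return total;
}
/* Layout pass, back to front: a jump is long when everything emitted
 * after it (later blocks, their ja's included) exceeds the 8-bit range. */
void mark_longjumps(struct block *b, unsigned n)
{
    unsigned after = 0;
    for (unsigned i = n; i-- > 0; after += b[i].nstmts + 1 + b[i].longjt)
        b[i].longjt = after > 255;
}
/* Bounds-checked store: the check the overrunning code path lacked. */
static int put(struct insn *o, unsigned cap, unsigned *off, unsigned char c,
               unsigned char jt, unsigned char jf, unsigned k)
{
    if (*off >= cap) return -1;
    o[(*off)++] = (struct insn){ c, jt, jf, k };
    return 0;
}
/* Emitter: returns insns written, or -1 rather than overrun the array. */
int emit(const struct block *b, unsigned n, struct insn *o, unsigned cap)
{
    unsigned ret_at = count_stmts(b, n, 1) - 1, off = 0;
    for (unsigned i = 0; i < n; i++) {
        for (unsigned s = 0; s < b[i].nstmts; s++)
            if (put(o, cap, &off, OP_STMT, 0, 0, s)) return -1;
        /* long jump: jt -> the ja just after, jf skips it, ja carries k */
        unsigned char jt = b[i].longjt ? 0 : (unsigned char)(ret_at - off - 1);
        if (put(o, cap, &off, OP_JCOND, jt, (unsigned char)b[i].longjt, 0) ||
            (b[i].longjt && put(o, cap, &off, OP_JA, 0, 0, ret_at - off - 1)))
            return -1;
    }
    return put(o, cap, &off, OP_RET, 0, 0, 0xffff) ? -1 : (int)off;
}
```

With the sample graph {10, 200, 100} statements per block, the unfixed pass returns 314 while 315 instructions are actually emitted; sizing the array from the unfixed count makes emit() return -1 at the final RET instead of writing one element past the end.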
