Howdy,
I'm getting a core dump running dsniff that appears to be due to
writing beyond the bounds of a malloced pointer. This is in the
recvfrom() in pcap_read_packet().
First, some particulars:
OS: linux 2.2.19
libpcap: 0.6.2
libnids: 1.16
dsniff: 2.3
OK, in pcap_read_packet(), there is this code:
packet_len = recvfrom(
    handle->fd, handle->buffer + offset + handle->offset,
    handle->md.readlen - offset, MSG_TRUNC,
    (struct sockaddr *) &from, &fromlen);
handle->buffer was malloced as 2256 bytes (handle->bufsize is 2256), but
we're telling recvfrom() that the buffer is 16384 (!) bytes long
(handle->md.readlen is 16384, offset is 0). The recvfrom() is writing
beyond the 2256 allocated bytes.
handle->bufsize was determined from (MAX_LINKHEADER_SIZE + mtu). My mtu
is 2000 and MAX_LINKHEADER_SIZE is 256, so this looks right. And
handle->md.readlen came from handle->snapshot, which came from
the snaplen passed to pcap_open_live(). nids_init() from libnids
called pcap_open_live() with a snaplen of 16384.
It seems pretty common that snaplen would be bigger than
(MAX_LINKHEADER_SIZE + mtu), so it looks to me like this should be causing
heap corruption problems for lots of folks in lots of situations. Since I
couldn't find any mention of this in the archives, I assume I've got a
fundamental misunderstanding of what is (supposed to be) going on. Any
comments or insights appreciated.
Cheers,
-bill
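Added illustration, not code from the mail or from libpcap: the size mismatch described above modelled in C, with the buffer allocated as MAX_LINKHEADER_SIZE + mtu while the read is asked for snaplen bytes. The struct and helper names are hypothetical; the values 256, 2000 and 16384 are those quoted in the mail, and clamped_readlen() shows the bound check a caller would want before handing a length to recvfrom().

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_LINKHEADER_SIZE 256   /* value quoted in the mail */

/* Hypothetical stand-in for the libpcap handle fields the mail names. */
struct fake_handle {
    char  *buffer;
    size_t bufsize;   /* bytes actually malloced: MAX_LINKHEADER_SIZE + mtu */
    size_t offset;    /* link-header alignment offset (0 in the report) */
    size_t readlen;   /* length handed to recvfrom(), i.e. the snaplen */
};

/* Allocate as the mail describes, advertising snaplen bytes to the reader. */
static int fake_open(struct fake_handle *h, size_t mtu, size_t snaplen) {
    h->bufsize = MAX_LINKHEADER_SIZE + mtu;
    h->buffer  = calloc(h->bufsize, 1);
    h->offset  = 0;
    h->readlen = snaplen;
    return h->buffer ? 0 : -1;
}

/* Bytes that may legally be written starting at buffer + used. */
static size_t room_at(size_t bufsize, size_t used) {
    return used < bufsize ? bufsize - used : 0;
}

/* 1 if the length handed to recvfrom() exceeds the allocation (the bug). */
static int read_would_overflow(size_t bufsize, size_t used, size_t want) {
    return want > room_at(bufsize, used);
}

/* Defensive variant: never ask recvfrom() for more than is allocated. With
 * MSG_TRUNC the kernel still returns the full datagram length, so truncation
 * stays detectable without writing past the buffer. */
static size_t clamped_readlen(size_t bufsize, size_t used, size_t want) {
    size_t have = room_at(bufsize, used);
    return want < have ? want : have;
}

int main(void) {
    struct fake_handle h;
    if (fake_open(&h, 2000, 16384) != 0) return 1;   /* mtu, snaplen from the mail */
    size_t used = h.offset, want = h.readlen;        /* recvfrom offset arg is 0 here */
    printf("bufsize=%zu readlen=%zu overflow=%d clamped=%zu\n", h.bufsize, h.readlen,
           read_would_overflow(h.bufsize, used, want), clamped_readlen(h.bufsize, used, want));
    free(h.buffer);
    return 0;
}
```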
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html