On Tue, 14 Aug 2001, Bill Dodd wrote:

Hi,

That's bad, as far as I could see this only affects the pcap_open_new(),
we added a length check to pcap_open_old() back in time but forgot
to do it in the new function too. It's code-dup which is quite bad,
though. We should do the malloc and length setting in *one* place,
in pcap_open_live() (for live function) not in new and old function.

The new and old functions should only handle the PACKET_SOCKET vs.
PF_PACKET case IMHO.
Do you agree?

Sebastian

> 
> Howdy,
> 
> I'm getting a core dump running dsniff that appears to be due to
> writing beyond the bounds of a malloced pointer. This is in the
> recvfrom() in pcap_read_packet().
> 
> First, some particulars:
> 
> OS: linux 2.2.19
> libpcap:  0.6.2
> libnids:  1.16
> dsniff:   2.3
>  
> OK, in pcap_read_packet(), there is this code:
> 
>                packet_len = recvfrom(
>                         handle->fd, handle->buffer + offset + handle->offset,
>                         handle->md.readlen - offset, MSG_TRUNC,
>                         (struct sockaddr *) &from, &fromlen);
> 
> handle->buffer was malloced as 2256 bytes (handle->bufsize is 2256), but
> we're telling recvfrom() that the buffer is 16384 (!) bytes long
> (handle->md.readlen is 16384, offset is 0). The recvfrom() is writing
> beyond the 2256 allocated bytes.
> 
> handle->bufsize was determined from (MAX_LINKHEADER_SIZE + mtu). My mtu
> is 2000 and MAX_LINKHEADER_SIZE is 256, so this looks right. And
> handle->md.readlen came from handle->snapshot, which came from
> the snaplen passed to pcap_open_live(). nids_init() from libnids
> called pcap_open_live() with a snaplen of 16384.
> 
> It seems pretty common that snaplen would be bigger than
> (MAX_LINKHEADER_SIZE + mtu), so it looks to me like this should be causing
> heap corruption problems for lots of folks in lots of situations. Since I
> couldn't find any mention of this in the archives, I assume I've got a
> fundamental misunderstanding of what is (supposed to be) going on. Any
> comments or insights appreciated.
> 
> Cheers,
> -bill
> 
> 
> -
> This is the TCPDUMP workers list. It is archived at
> http://www.tcpdump.org/lists/workers/index.html
> To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
> 

---
"Please stop the earth. Let me off."
 
