Package: libnet1
Version: 1.1.2.1-2
Severity: important
Tags: patch

Hi, while investigating #418749 and #417835 I discovered that libnet_do_checksum() seems to be accessing unallocated memory. The problem seems to stem from libnet_pblock_coalesce(), which passes buf + offset, where offset is calculated to be (l->total_size + l->aligner) - q->ip_offset. However, in the usage case that I see q->ip_offset is always zero, and as buf is malloced to be l->total_size + l->aligner bytes long earlier in libnet_pblock_coalesce(), unallocated memory is passed to the libnet_do_checksum() call. Poking around a bit, it seems that the memory is also uninitialised.

I'm not sure what the correct fix is, but I wonder if offset should actually be l->aligner + q->ip_offset. This certainly solves the problem that was reported in #418749 and #417835. But as both l->aligner and q->ip_offset are zero I am not sure if it is correct in the general case.

--- libnet-1.1.2.1-wip.orig/src/libnet_pblock.c	2007-04-13 14:46:34.000000000 +0900
+++ libnet-1.1.2.1-wip/src/libnet_pblock.c	2007-04-13 14:46:58.000000000 +0900
@@ -389,7 +389,7 @@
     {
         if ((q->flags) & LIBNET_PBLOCK_DO_CHECKSUM)
         {
-            int offset = (l->total_size + l->aligner) - q->ip_offset;
+            int offset = l->aligner + q->ip_offset;
             c = libnet_do_checksum(l, *packet + offset,
                     libnet_pblock_p2p(q->type), q->h_len);
             if (c == -1)

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (190, 'unstable'), (180, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-4-686 (SMP w/2 CPU cores)
Locale: LANG=ja_JP.utf8, LC_CTYPE=ja_JP.utf8 (charmap=UTF-8) (ignored: LC_ALL set to ja_JP.utf8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnet1 depends on:
ii  libc6  2.3.6.ds1-13  GNU C Library: Shared libraries

libnet1 recommends no packages.

-- no debconf information
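Review bot: the replacement line drops the l->total_size term instead of relating the offset to the allocation, and nothing before the libnet_do_checksum(l, *packet + offset, ...) call verifies that offset + q->h_len fits inside the l->total_size + l->aligner bytes that libnet_pblock_coalesce() allocates for the buffer; the following "if (c == -1)" only reacts to a checksum failure, not to a bad offset. Since the report itself says the new formula is only confirmed for the q->ip_offset == 0 and l->aligner == 0 case, add an explicit range check against the allocation size before the call (failing into the c == -1 path that is already handled) and document what ip_offset is meant to measure, so the formula can be judged for the general case.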
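As an added illustration, not part of the report and not libnet's own code: a small C model of the coalesced buffer that applies the bounds check the call site lacks, evaluated with both offset formulas for the reporter's case (the struct shape, the 40-byte packet and 20-byte header length are constructed assumptions).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Toy model of the coalesced buffer: malloc'd total_size + aligner bytes (assumed). */
struct pkt_buf {
    uint8_t *data;
    size_t   len;   /* total_size + aligner */
};

/* RFC 1071 style ones-complement checksum over n bytes. */
static uint16_t ones_complement_sum(const uint8_t *p, size_t n)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2)
        sum += (uint32_t)((p[i] << 8) | p[i + 1]);
    if (n & 1)
        sum += (uint32_t)(p[n - 1] << 8);
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Checksum h_len bytes at offset, refusing (-1) any region that is not
 * entirely inside the allocation: the guard the reported call lacks. */
int checksum_region(const struct pkt_buf *b, size_t offset, size_t h_len)
{
    if (offset > b->len || h_len > b->len - offset)
        return -1;
    return ones_complement_sum(b->data + offset, h_len);
}

/* The two offset formulas from the report, original and patched. */
size_t offset_original(size_t total_size, size_t aligner, size_t ip_offset)
{ return (total_size + aligner) - ip_offset; }
size_t offset_patched(size_t aligner, size_t ip_offset)
{ return aligner + ip_offset; }

/* Reporter's case (ip_offset == 0, aligner == 0) with constructed sizes:
 * a 40-byte packet whose checksummed header is its first 20 bytes. */
int reporter_case(int use_patched)
{
    size_t total_size = 40, aligner = 0, ip_offset = 0, h_len = 20;
    struct pkt_buf b = { malloc(total_size + aligner), total_size + aligner };
    memset(b.data, 0x01, b.len);   /* constructed filler bytes */
    size_t off = use_patched ? offset_patched(aligner, ip_offset)
                             : offset_original(total_size, aligner, ip_offset);
    int c = checksum_region(&b, off, h_len);
    free(b.data);
    return c;
}
```

With the original formula the region starts exactly at the end of the allocation and the check rejects it; with the patched formula it starts at byte 0 and the checksum is computed.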