Good Morning!

Sam Roberts wrote:
On Thu, Feb 19, 2009 at 12:31 PM, Philipp Kolmann <phil...@kolmann.at> wrote:
Now I did. I have not seen this crash with your patch anymore.

You're just lucky (or unlucky?). :-) What's your machine architecture?
Machine arch is amd64.

I applied both your patches to libnet1 src and I don't see the bug anymore.

Thanks for the source. It was easy to reproduce.

Attached is a stand-alone reproduction (put in sample/), and a patch.

The patch contains a printf that should be stripped, but it shows how
without the patch, the ICMP checksum algorithm thinks the end of the
packet is the beginning of the IP packet. It uses random data after the
packet as the "ip header length", calculates the checksum over that
garbage, then writes the checksum to what is essentially a random
offset, depending on what it read as that ip header length.

Anyhow, you might want to try the sample code with/without the patch,
to make sure it's right.

And now I can see why you thought the ip_offset is from the beginning
of the packet. There isn't any aligner with raw link6, and since IPv6
left the ip_offset as zero, and your IPv6 header is always at the
front of the packet, it would look like ip_offset was from the front
of the packet, even though it's supposed to be from the back.

with both patches applied:

r...@test33-12:~/test# ./test_ipv6_icmpv4
tag 1 flags 1 type icmpv4 echo header/0x6 buf 0x1e49210 b_len 32 h_len 32 ip_offset 72, copied 32
tag 2 flags 0 type ipv6 header/0x2f buf 0x1e49280 b_len 40 h_len 40 ip_offset 72, copied 40
 link_offset 0 aligner 0 total_size 72 nblocks 2
pkt 0x1e492b0 aligner 0 totalsize 72 tag 1 ip_offset 72 h_len 32

00      0060 0000 2000 ff3a 6666 6666 6666 6666
10      6666 6666 6666 6666 0000 0000 0000 0000
20      0000 0000 0000 0100

00      0088 eef6 0020 0000 6666 6666 6666 6666
10      6666 6666 6666 6666 0102 0c00 da29 67ce
pkt 0x1e492b0 aligner 0 totalsize 72 tag 1 ip_offset 72 h_len 32



without your last patch:

This GDB was configured as "x86_64-linux-gnu"...
(gdb) run
Starting program: /root/test/test_ipv6_icmpv4
tag 1 flags 1 type icmpv4 echo header/0x6 buf 0x206f210 b_len 32 h_len 32 ip_offset 0, copied 32
tag 2 flags 0 type ipv6 header/0x2f buf 0x206f280 b_len 40 h_len 40 ip_offset 0, copied 40
 link_offset 0 aligner 0 total_size 72 nblocks 2

00      0060 0000 2000 ff3a 6666 6666 6666 6666
10      6666 6666 6666 6666 0000 0000 0000 0000
20      0000 0000 0000 0100

00      0088 0000 0020 0000 6666 6666 6666 6666
10      6666 6666 6666 6666 0102 0c00 da29 67ce
*** glibc detected *** /root/test/test_ipv6_icmpv4: free(): invalid next size (fast): 0x000000000206f2b0 ***
======= Backtrace: =========
/lib/libc.so.6[0x7f858b678948]
/lib/libc.so.6(cfree+0x76)[0x7f858b67aa56]
/root/test/test_ipv6_icmpv4[0x400e89]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f858b6231a6]
/root/test/test_ipv6_icmpv4[0x4009f9]
======= Memory map: ========
00400000-00402000 r-xp 00000000 08:01 10069 /root/test/test_ipv6_icmpv4
00601000-00602000 rw-p 00001000 08:01 10069 /root/test/test_ipv6_icmpv4
0206f000-02090000 rw-p 0206f000 00:00 0 [heap]
7f8584000000-7f8584021000 rw-p 7f8584000000 00:00 0
7f8584021000-7f8588000000 ---p 7f8584021000 00:00 0
7f858b3ee000-7f858b404000 r-xp 00000000 08:01 24572 /lib/libgcc_s.so.1
7f858b404000-7f858b604000 ---p 00016000 08:01 24572 /lib/libgcc_s.so.1
7f858b604000-7f858b605000 rw-p 00016000 08:01 24572 /lib/libgcc_s.so.1
7f858b605000-7f858b74f000 r-xp 00000000 08:01 24546 /lib/libc-2.7.so
7f858b74f000-7f858b94e000 ---p 0014a000 08:01 24546 /lib/libc-2.7.so
7f858b94e000-7f858b951000 r--p 00149000 08:01 24546 /lib/libc-2.7.so
7f858b951000-7f858b953000 rw-p 0014c000 08:01 24546 /lib/libc-2.7.so
7f858b953000-7f858b958000 rw-p 7f858b953000 00:00 0
7f858b958000-7f858b96d000 r-xp 00000000 08:01 65645 /usr/lib/libnet.so.1.3.0
7f858b96d000-7f858bb6d000 ---p 00015000 08:01 65645 /usr/lib/libnet.so.1.3.0
7f858bb6d000-7f858bb6e000 rw-p 00015000 08:01 65645 /usr/lib/libnet.so.1.3.0
7f858bb6e000-7f858bb70000 rw-p 7f858bb6e000 00:00 0
7f858bb70000-7f858bb8c000 r-xp 00000000 08:01 24549 /lib/ld-2.7.so
7f858bd80000-7f858bd82000 rw-p 7f858bd80000 00:00 0
7f858bd87000-7f858bd8b000 rw-p 7f858bd87000 00:00 0
7f858bd8b000-7f858bd8d000 rw-p 0001b000 08:01 24549 /lib/ld-2.7.so
7fff93d78000-7fff93d8d000 rw-p 7ffffffea000 00:00 0 [stack]
7fff93dff000-7fff93e00000 r-xp 7fff93dff000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007f858b636ed5 in raise () from /lib/libc.so.6
(gdb) bt
#0  0x00007f858b636ed5 in raise () from /lib/libc.so.6
#1  0x00007f858b6383f3 in abort () from /lib/libc.so.6
#2  0x00007f858b6733a8 in __libc_message () from /lib/libc.so.6
#3  0x00007f858b678948 in malloc_printerr () from /lib/libc.so.6
#4  0x00007f858b67aa56 in free () from /lib/libc.so.6
#5  0x0000000000400e89 in main ()
(gdb)

So it seems with your test example the problem is fixed for me as well.
Thanks
Philipp

PS: David, any chance to get this fix into 5.0.1? Thanks
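The checksum path described in the thread, as an added example that is not part of the thread or of libnet itself: it takes the 72-byte packet from the patched run above (the dump prints 16-bit words little-endian, so the bytes are swapped back here), recomputes the ICMP checksum over the IPv6 pseudo-header and reproduces the 0xf6ee shown in the dump, and then models the header-location arithmetic that goes wrong when ip_offset is 0: the byte one past the packet is read as the IP version/header length and decides where the checksum gets written. `cksum_write_offset`, `icmp6_cksum_in_place`, `offset_with_trailing_byte` and `hardened_roundtrip` are illustrative names, not libnet functions, and the 0x45 trailing byte stands in for whatever heap data followed the real packet.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_LEN  72   /* IPv6 header (40) + ICMP block (32), as in the run above */
#define ICMP_LEN 32

/* The 72-byte packet from the patched run, constructed from the hex in the post with
 * the dump's little-endian 16-bit word order undone (byte 0 is 0x60, the IPv6 version
 * nibble). The checksum field holds the 0xf6ee libnet wrote. */
static const uint8_t PKT[PKT_LEN] = {
    0x60,0x00,0x00,0x00, 0x00,0x20, 0x3a, 0xff,           /* ver 6, payload len 32, nh 58, hlim 255 */
    0x66,0x66,0x66,0x66,0x66,0x66,0x66,0x66, 0x66,0x66,0x66,0x66,0x66,0x66,0x66,0x66, /* src */
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01, /* dst ::1 */
    0x88,0x00, 0xf6,0xee, 0x20,0x00,0x00,0x00,             /* ICMP: type 136, code 0, checksum, flags */
    0x66,0x66,0x66,0x66,0x66,0x66,0x66,0x66, 0x66,0x66,0x66,0x66,0x66,0x66,0x66,0x66, /* target */
    0x02,0x01, 0x00,0x0c,0x29,0xda,0xce,0x67               /* option type 2, len 1, link-layer addr */
};

/* RFC 1071 one's-complement accumulation over big-endian 16-bit words. */
static uint32_t sum16(uint32_t acc, const uint8_t *p, size_t n)
{
    for (; n > 1; n -= 2, p += 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (n)
        acc += (uint32_t)p[0] << 8;   /* odd trailing byte, zero-padded */
    return acc;
}

/* ICMP checksum for a payload carried in IPv6: the 40-byte pseudo-header (src, dst,
 * upper-layer length, three zero bytes, next header 58), then the ICMP bytes with the
 * checksum field itself counted as zero. */
uint16_t icmp6_cksum(const uint8_t *ip6, const uint8_t *icmp, size_t icmp_len)
{
    uint8_t pseudo[40] = {0};
    memcpy(pseudo, ip6 + 8, 32);               /* src, dst */
    pseudo[34] = (uint8_t)(icmp_len >> 8);
    pseudo[35] = (uint8_t)icmp_len;
    pseudo[39] = 58;
    uint32_t acc = sum16(0, pseudo, sizeof pseudo);
    acc = sum16(acc, icmp, 2);                 /* type, code */
    acc = sum16(acc, icmp + 4, icmp_len - 4);  /* everything after the checksum field */
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);    /* fold carries */
    return (uint16_t)~acc;
}

/* Model of the failure mode in the thread (not libnet's code). ip_offset counts from
 * the END of the packet, so the IP header is taken to start at pkt + len - ip_offset;
 * the first byte there decides the IP header length (40 for IPv6, ip_hl * 4 otherwise)
 * and hence where the ICMP checksum field is. With ip_offset == 0 that byte is
 * pkt[len], one past the packet. cap is the allocation size: the byte is read only if
 * it lies inside it (the real bug read past it). Returns the offset the write would
 * land on, or -1; nothing is written. */
long cksum_write_offset(const uint8_t *pkt, size_t len, size_t cap, size_t ip_offset)
{
    if (ip_offset > len || len - ip_offset >= cap)
        return -1;
    const uint8_t *iph = pkt + len - ip_offset;
    size_t ip_hl = (iph[0] >> 4) == 6 ? 40 : (size_t)(iph[0] & 0x0f) * 4;
    return (long)(len - ip_offset + ip_hl + 2);  /* +2: the ICMP checksum field */
}

/* Hardened in-place variant: refuse unless the IP header byte, the ICMP header and its
 * checksum field all lie inside [pkt, pkt + len). */
int icmp6_cksum_in_place(uint8_t *pkt, size_t len, size_t ip_offset, size_t icmp_len)
{
    if (ip_offset == 0 || ip_offset > len || icmp_len < 4 || ip_offset < 40 + icmp_len
        || (pkt[len - ip_offset] >> 4) != 6)
        return -1;
    uint8_t *icmp = pkt + len - ip_offset + 40;
    uint16_t c = icmp6_cksum(pkt + len - ip_offset, icmp, icmp_len);
    icmp[2] = (uint8_t)(c >> 8);
    icmp[3] = (uint8_t)c;
    return 0;
}

/* Put a chosen byte after a copy of PKT (stand-in for the heap garbage that followed
 * the real packet) and report where the unchecked arithmetic would write. */
long offset_with_trailing_byte(uint8_t trailing, size_t ip_offset)
{
    uint8_t buf[PKT_LEN + 1];
    memcpy(buf, PKT, PKT_LEN);
    buf[PKT_LEN] = trailing;
    return cksum_write_offset(buf, PKT_LEN, sizeof buf, ip_offset);
}

/* Zero the checksum field of a copy of PKT, run the hardened routine and return what
 * it wrote, or -1 if it refused. */
int hardened_roundtrip(size_t ip_offset)
{
    uint8_t buf[PKT_LEN];
    memcpy(buf, PKT, PKT_LEN);
    buf[42] = buf[43] = 0;
    if (icmp6_cksum_in_place(buf, PKT_LEN, ip_offset, ICMP_LEN) != 0)
        return -1;
    return (buf[42] << 8) | buf[43];
}

int main(void)
{
    printf("cksum 0x%04x (dump: eef6 byte-swapped); ip_offset 72 -> byte %ld; ip_offset 0 -> byte %ld of %d\n",
           (unsigned)icmp6_cksum(PKT, PKT + 40, ICMP_LEN), offset_with_trailing_byte(0x45, 72),
           offset_with_trailing_byte(0x45, 0), PKT_LEN);
    return 0;
}
```

With ip_offset 72 the write lands on byte 42, the real checksum field. With ip_offset 0 and a 0x45 (an IPv4 first byte, ip_hl 5) sitting after the packet, the same arithmetic lands on byte 94 of a 72-byte heap allocation; a 0x60 there would push it to byte 114. A two-byte write that far past the chunk is the sort of corruption glibc's free() later reports as "invalid next size".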


