This update to libnids 1.20 resolves the crashing issues.

Looking at the change log, this entry is most likely what resolved the issue.

- fixed signed/unsigned comparisons; 1.18 could be possibly crashed in tcp
  options parsing (though an unlikely to happen memory layout is required);
  now the source is compiled with -W -Wall


Index: Makefile
===================================================================
RCS file: /cvs/ports/net/libnids/Makefile,v
retrieving revision 1.25
diff -u -p -r1.25 Makefile
--- Makefile    15 Oct 2005 03:21:12 -0000      1.25
+++ Makefile    29 Jan 2006 18:48:22 -0000
@@ -2,11 +2,10 @@
 
 COMMENT=       "network monitoring library with TCP/IP reassembly"
 
-DISTNAME=      libnids-1.18
-PKGNAME=       ${DISTNAME}p1
+DISTNAME=      libnids-1.20
 CATEGORIES=    net
 
-MASTER_SITES=  http://www.packetfactory.net/projects/libnids/dist/
+MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=libnids/}
 
 HOMEPAGE=      http://www.packetfactory.net/projects/libnids/
 
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/libnids/distinfo,v
retrieving revision 1.3
diff -u -p -r1.3 distinfo
--- distinfo    5 Jan 2005 17:14:47 -0000       1.3
+++ distinfo    29 Jan 2006 18:48:22 -0000
@@ -1,4 +1,4 @@
-MD5 (libnids-1.18.tar.gz) = 9ee6dcdfac97bae6fe611aa27d2594a5
-RMD160 (libnids-1.18.tar.gz) = b33ba8237ba0bb31d2515bd5b7552449cfcca8f3
-SHA1 (libnids-1.18.tar.gz) = 3494e614e5e5d2f60f2ffe738307e60e77e04a81
-SIZE (libnids-1.18.tar.gz) = 114013
+MD5 (libnids-1.20.tar.gz) = a36cbd45cbada12420ecc8f82a7e0852
+RMD160 (libnids-1.20.tar.gz) = 896562288dd43cc7789974ee0fd54f9e68e09449
+SHA1 (libnids-1.20.tar.gz) = bafbe6529430cce2496dbb086b17caa0076368e1
+SIZE (libnids-1.20.tar.gz) = 119226
Index: patches/patch-src_libnids_c
===================================================================
RCS file: /cvs/ports/net/libnids/patches/patch-src_libnids_c,v
retrieving revision 1.1
diff -u -p -r1.1 patch-src_libnids_c
--- patches/patch-src_libnids_c 15 Oct 2005 03:21:13 -0000      1.1
+++ patches/patch-src_libnids_c 29 Jan 2006 18:48:22 -0000
@@ -1,23 +1,23 @@
 $OpenBSD: patch-src_libnids_c,v 1.1 2005/10/15 03:21:13 brad Exp $
---- src/libnids.c.orig Fri Oct 10 13:41:32 2003
-+++ src/libnids.c      Fri Oct 14 22:58:32 2005
-@@ -198,6 +198,7 @@ static void pcap_hand(u_char * par, stru
-       break;
+--- src/libnids.c.orig Sat Jan 29 05:03:24 2005
++++ src/libnids.c      Sun Jan 29 13:43:53 2006
+@@ -214,6 +214,7 @@ static void pcap_hand(u_char * par, stru
+ #endif
  #ifdef DLT_IEEE802_11
      case DLT_IEEE802_11:
 +    case DLT_IEEE802_11_RADIO:
        /* I don't know why frame control is always little endian, but it 
         * works for tcpdump, so who am I to complain? (wam)
         */
-@@ -441,6 +442,7 @@ int nids_init()
-     switch ((linktype = pcap_datalink(desc))) {
- #ifdef DLT_IEEE802_11
+@@ -462,6 +463,7 @@ int nids_init()
+     case DLT_PRISM_HEADER:
+ #endif
      case DLT_IEEE802_11:
 +    case DLT_IEEE802_11_RADIO:
        /* wireless, need to calculate offset per frame */
        break;
  #endif
-@@ -448,7 +450,12 @@ int nids_init()
+@@ -469,7 +471,12 @@ int nids_init()
      case DLT_NULL:
          linkoffset = 4;
          break;
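Review bot: Nothing in this diff exercises the get_ts overflow quoted in the report below, so the crash fix is taken on trust from the 1.20 changelog entry rather than verified; the hunk here only re-bases the DLT_IEEE802_11_RADIO cases of patch-src_libnids_c to the new line numbers. The quoted loop `while (ind <= len - sizeof (struct tcphdr) - 10)` compares an int index against a size_t right-hand side, so when len is shorter than the TCP header plus 10 bytes the subtraction wraps to a large unsigned value and the bound never stops the loop, which is consistent with ind reaching 230 in the backtrace. Before considering the report closed it would be worth diffing tcp.c between 1.18 and 1.20 to confirm that the bound is now evaluated in signed arithmetic or that the options walk is preceded by an explicit length check of the form `if (len < sizeof(struct tcphdr) + 10) /* no room for options: bail out */`. The remaining hunks of patch-src_libnids_c continue past the end of this diff.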


On Sun, Jan 29, 2006 at 07:15:20PM +0100, Frank Denis (Jedi/Sector One) wrote:
>  Smells bad, this is actually in libnids :
> 
> Program received signal SIGSEGV, Segmentation fault.
> get_ts (this_tcphdr=0x88b48f6c, ts=0x82b69490) at tcp.c:129
> 129             switch (options[ind]) {
> (gdb) bt
> #0  get_ts (this_tcphdr=0x88b48f6c, ts=0x82b69490) at tcp.c:129
> #1  0x1c00aaff in add_new_tcp (this_tcphdr=0x88b48f58, this_iphdr=0xe6)
>    at tcp.c:190
> #2  0x1c00b948 in process_tcp (data=0x88b48f44 "E", skblen=248) at tcp.c:617
> #3  0x1c009ef3 in gen_ip_frag_proc (data=0xf8 <Address 0xf8 out of bounds>, 
>    len=-2010568800) at libnids.c:291
> #4  0x1c009d19 in pcap_hand (par=0x0, hdr=0x88b48f24, 
>    data=0xe6 <Address 0xe6 out of bounds>) at libnids.c:249
> #5  0x0b13e141 in pcap_read (p=0x835ad000, cnt=-1, 
>    callback=0x1c009cd0 <pcap_hand>, user=0x0)
>    at /usr/src/lib/libpcap/pcap-bpf.c:154
> #6  0x0b13e8f1 in pcap_loop (p=0x835ad000, cnt=-1, 
>    callback=0x1c009cd0 <pcap_hand>, user=0x0)
>    at /usr/src/lib/libpcap/pcap.c:76
> #7  0x1c00a3ff in nids_run () at libnids.c:509
> #8  0x1c005f35 in main (argc=0, argv=0x0) at dsniff.c:172
> 
> (gdb) print ind
> $1 = 230
> 
> libnids/tcp.c:
> 
>  unsigned char * options = (char*)(this_tcphdr + 1);
>  int ind = 0, ret = 0;
>  while (ind <=  len - sizeof (struct tcphdr) - 10 )
>        switch (options[ind]) {  <=== overflow
> 
