tcpdump mailing list archives

bpf_filter() crashes on 64 bit machines with ip6 protochain


From: Gregor Maier <gregor () majordomus org>
Date: Tue, 21 Sep 2010 13:09:16 -0700

Hi,

just wanted to send a ping for this issue here. Any thoughts? Should I
use the sourceforge bug-tracker to submit it?

BTW, sourceforge: I just noticed that the most current libpcap version
on SF is 0.8.1 (and tcpdump is 3.8.1)


cu
gregor

--------------------------------
Hi,
there seems to be a bug when using the "ip6 protochain" filter on 64 bit
machines. When "ip6 protochain" is used on a 64 bit machine and a packet
is received that actually has a chain of headers, then libpcap crashes
with a SEGFAULT.
Protochain needs a loop (backwards jump) which is implemented by using a
huge forward jump offset to force an overflow. This works fine with 32
bit pointers, however it fails with 64 bit pointers. Here's the
problematic code from bpf_filter():
       case BPF_JMP|BPF_JA:
            pc += pc->k;
            continue;
Since pc is a 64 bit pointer, adding a large (32 bit) value to it won't
overflow but will make pc point to invalid memory.

I don't know what the best way to fix this would be, but the following
(not heavily tested) snippet forces the jump offset to a signed integer,
which makes the addition signed and the resulting pointer correct:
--- libpcap-1.1.1.orig/bpf/net/bpf_filter.c     2010-08-30
15:28:19.889856950 -0700
+++ libpcap-1.1.1/bpf/net/bpf_filter.c  2010-08-30 15:40:06.133898175 -0700
@@ -405,7 +405,7 @@
                        continue;
                 case BPF_JMP|BPF_JA:
-                       pc += pc->k;
+                       pc += (bpf_int32)(pc->k);
                        continue;
                 case BPF_JMP|BPF_JGT|BPF_K:
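Review bot: the cast `(bpf_int32)(pc->k)` on the BPF_JMP|BPF_JA case depends on converting a bpf_u_int32 value above INT32_MAX to a signed type, which the C standard leaves implementation-defined (two's-complement wrap in practice, but not guaranteed); a comment above `pc += (bpf_int32)(pc->k);` saying that k is deliberately read as a signed offset because protochain encodes its backward jump as a huge forward value would make that intent visible to the next reader. Since the message itself calls the snippet "not heavily tested", a run with an "ip6 protochain" filter against a packet carrying a chain of extension headers on a 64-bit host would confirm that the jump now lands inside the program.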



cu
gregor
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
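To make the pointer-width problem described in the message concrete, here is an added example that is not from the message or from libpcap: it models the `pc += pc->k` addition in bpf_filter() for a 32-bit and a 64-bit pc over a constructed four-instruction program. The struct layout (8-byte instructions), the base addresses and the backward-jump value 0xfffffffe are assumptions.

```c
/* Added example (not libpcap code): models the BPF_JA pointer arithmetic
 * from bpf_filter() to show why a wrap-around backward jump works with a
 * 32-bit pc but not with a 64-bit one, and why casting k to bpf_int32 fixes it. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint32_t bpf_u_int32;          /* same widths as libpcap's typedefs */
typedef int32_t  bpf_int32;
struct bpf_insn { uint16_t code; uint8_t jt, jf; bpf_u_int32 k; };  /* 8 bytes */

#define PROG_LEN  4                     /* constructed program of four insns */
#define INSN_SIZE ((uint64_t)sizeof(struct bpf_insn))

/* Return the instruction index that `pc += k` lands on for a pointer of
 * ptr_bits width, or -1 when the new pc falls outside the program (the
 * address bpf_filter() would then dereference). signed_k selects the
 * patched form `pc += (bpf_int32)k`. */
static long ja_target(unsigned ptr_bits, uint64_t base, size_t at,
                      bpf_u_int32 k, int signed_k)
{
    uint64_t mask = (ptr_bits == 64) ? UINT64_MAX : 0xffffffffULL;
    uint64_t pc   = (base + at * INSN_SIZE) & mask;
    /* Pointer arithmetic scales k by sizeof(*pc). Unpatched, k is
     * zero-extended to the pointer width; patched, it is sign-extended
     * (the unsigned-to-signed cast wraps on two's-complement targets). */
    uint64_t off  = signed_k ? (uint64_t)(int64_t)(bpf_int32)k : (uint64_t)k;
    uint64_t npc  = (pc + off * INSN_SIZE) & mask;   /* wraps at ptr_bits */
    if (npc < base || npc >= base + PROG_LEN * INSN_SIZE ||
        (npc - base) % INSN_SIZE != 0)
        return -1;
    return (long)((npc - base) / INSN_SIZE);
}

int main(void)
{
    /* protochain-style encoding: a jump back by 2 from index 3 stored as
     * the huge unsigned value 0xfffffffe, expected to wrap when added to pc */
    bpf_u_int32 k = (bpf_u_int32)-2;
    printf("32-bit pc, pc += k:            index %ld\n",
           ja_target(32, 0x08001000ULL, 3, k, 0));          /* 1: wraps, correct */
    printf("64-bit pc, pc += k:            index %ld\n",
           ja_target(64, 0x7f0000001000ULL, 3, k, 0));      /* -1: ~32 GiB past prog */
    printf("64-bit pc, pc += (bpf_int32)k: index %ld\n",
           ja_target(64, 0x7f0000001000ULL, 3, k, 1));      /* 1: signed offset */
    return 0;
}
```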