tcpdump mailing list archives
bpf_filter() crashes on 64 bit machines with ip6 protochain
From: Gregor Maier <gregor () majordomus org>
Date: Tue, 21 Sep 2010 13:09:16 -0700
Hi,

just wanted to send a ping for this issue here. Any thoughts? Should I use the sourceforge bug-tracker to submit it?

BTW, sourceforge: I just noticed that the most current libpcap version on SF is 0.8.1 (and tcpdump is 3.8.1).

cu
gregor

--------------------------------

Hi,

there seems to be a bug when using the "ip6 protochain" filter on 64 bit machines. When "ip6 protochain" is used on a 64 bit machine and a packet is received that actually has a chain of headers, then libpcap crashes with a SEGFAULT.

Protochain needs a loop (backwards jump) which is implemented by using a huge forward jump offset to force an overflow. This works fine with 32 bit pointers, however it fails with 64 bit pointers. Here's the problematic code from bpf_filter():

    case BPF_JMP|BPF_JA:
        pc += pc->k;
        continue;

Since pc is a 64 bit pointer, adding a large (32 bit) value to it won't overflow but will make pc point to invalid memory.

I don't know what the best way to fix this would be, but the following (not heavily tested) snippet forces the jump offset to a signed integer, which makes the addition signed and the resulting pointer correct:

--- libpcap-1.1.1.orig/bpf/net/bpf_filter.c	2010-08-30 15:28:19.889856950 -0700
+++ libpcap-1.1.1/bpf/net/bpf_filter.c	2010-08-30 15:40:06.133898175 -0700
@@ -405,7 +405,7 @@
 			continue;
 		case BPF_JMP|BPF_JA:
-			pc += pc->k;
+			pc += (bpf_int32)(pc->k);
 			continue;
 		case BPF_JMP|BPF_JGT|BPF_K:

cu
gregor

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
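Review bot: The `(bpf_int32)` cast in the `BPF_JMP|BPF_JA` case restores the intended backward-jump semantics on 64-bit hosts, but the hunk adds no comment saying why, so a later cleanup could remove the cast and reintroduce the crash; suggest a short comment at this site stating that protochain deliberately encodes backward jumps as wrapped 32-bit offsets, e.g. `/* k is a signed offset; protochain emits backward jumps */`. Note also that the cast relies on the usual two's-complement conversion of an out-of-range unsigned value, and that the resulting `pc` is still not checked against the program bounds, so a malformed offset (signed or not) can still leave the instruction array.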
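The following is an added example, not code from libpcap or from the message above. It reproduces the arithmetic the report describes in a toy BPF-style interpreter: a backward jump is encoded as a wrapped 32-bit offset (as protochain does), the unsigned `pc + k` computation is shown to land far outside the program on a 64-bit host while the signed variant lands on the intended instruction, and the interpreter bounds-checks every jump target and caps the step count. The instruction layout mirrors the classic BPF `struct bpf_insn` fields (code, jt, jf, k); the opcode values, the `BACK()` macro and all function names are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy BPF-style instruction (hypothetical opcodes, same field layout as
 * the classic struct bpf_insn).
 */
struct insn {
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};

enum { OP_JEQ_K = 1, OP_SUB_K, OP_INC_X, OP_JA, OP_RET_X };

/* Encode a backward offset the way protochain does: wrap it into 32 bits. */
#define BACK(n) ((uint32_t)0 - (uint32_t)(n))

/*
 * Index of the instruction that follows a JA at index pc, computed the way
 * "pc += pc->k" does: the unsigned k is widened to the pointer width first,
 * so on a 64-bit host 0xFFFFFFFC does not wrap back to -4.  (The "+ 1"
 * models the ++pc at the top of the interpreter loop.)
 */
size_t ja_target_unsigned(size_t pc, uint32_t k)
{
    return pc + k + 1;
}

/* The same target computed as the proposed patch does, via a signed 32-bit k
 * (conversion of 0xFFFFFFFC to int32_t yields -4 on two's-complement hosts). */
long ja_target_signed(size_t pc, uint32_t k)
{
    return (long)pc + (int32_t)k + 1;
}

/*
 * Run a program with A preset to a0.  Jump targets use signed arithmetic and
 * are checked against the program length; the step count is capped so a
 * malformed loop cannot spin forever.  Returns X on RET_X, or -1 if the
 * program jumps outside its bounds, runs too long or falls off the end.
 */
long run(const struct insn *prog, size_t len, uint32_t a0)
{
    uint32_t A = a0, X = 0;
    size_t pc = 0;
    long target;

    for (unsigned steps = 0; steps < 100000 && pc < len; steps++) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case OP_JEQ_K:   /* classic BPF: skip jt or jf further instructions */
            target = (long)pc + 1 + ((A == i->k) ? i->jt : i->jf);
            break;
        case OP_SUB_K:   A -= i->k; target = (long)pc + 1; break;
        case OP_INC_X:   X += 1;    target = (long)pc + 1; break;
        case OP_JA:      target = ja_target_signed(pc, i->k); break;
        case OP_RET_X:   return (long)X;
        default:         return -1;   /* unknown opcode */
        }
        if (target < 0 || (size_t)target >= len)
            return -1;                /* jump left the program */
        pc = (size_t)target;
    }
    return -1;
}

/* Constructed program: count A down to zero, counting the iterations in X. */
static const struct insn countdown[] = {
    { OP_JEQ_K, 3, 0, 0 },       /* 0: if A == 0 goto 4 (RET_X), else goto 1 */
    { OP_SUB_K, 0, 0, 1 },       /* 1: A -= 1 */
    { OP_INC_X, 0, 0, 0 },       /* 2: X += 1 */
    { OP_JA,    0, 0, BACK(4) }, /* 3: goto 0, encoded as k = 0xFFFFFFFC */
    { OP_RET_X, 0, 0, 0 },       /* 4: return X */
};

long countdown_result(uint32_t a0)
{
    return run(countdown, sizeof countdown / sizeof countdown[0], a0);
}

/* Constructed malformed program: a JA whose target lies past the end. */
static const struct insn bad_jump[] = {
    { OP_JA,    0, 0, 10 },      /* 0: goto 11, which does not exist */
    { OP_RET_X, 0, 0, 0 },       /* 1: never reached */
};

long bad_jump_result(void)
{
    return run(bad_jump, sizeof bad_jump / sizeof bad_jump[0], 0);
}

int main(void)
{
    printf("signed target of the JA at 3:   %ld\n", ja_target_signed(3, BACK(4)));
    printf("unsigned target of the JA at 3: %zu\n", ja_target_unsigned(3, BACK(4)));
    printf("countdown(7) -> %ld\n", countdown_result(7));
    printf("bad_jump()   -> %ld\n", bad_jump_result());
    return 0;
}
```

On an LP64 host `ja_target_unsigned(3, BACK(4))` is 4294967296, i.e. billions of instructions past the end of a five-instruction program, which is the invalid pointer the report describes; on a 32-bit host the same expression wraps to 0, which is why the bug only shows up with 64-bit pointers. The interpreter keeps `pc` as an index rather than a pointer so the range check is a plain integer comparison and never forms an out-of-bounds pointer at all.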
Current thread:
- bpf_filter() crashes on 64 bit machines with ip6 protochain Gregor Maier (Aug 30)
- <Possible follow-ups>
- bpf_filter() crashes on 64 bit machines with ip6 protochain Gregor Maier (Sep 21)
- [Pcap] setsockopt(optval) points to uninitialised byte(s) Luis MartinGarcia. (Sep 22)