Full Disclosure mailing list archives
two (not critical) bugs in libnids 1.22
From: "michele dallachiesa" <michele.dallachiesa () gmail com>
Date: Wed, 20 Feb 2008 22:26:28 +0100
hi all,

libnids 1.22 has two bugs preventing it from working correctly in 802.11x networks. I and the libnids author have no time to write a patch. After some silent months, I decided to publish them so probably someone will do the required fixes and will propose a working patch to the author.

for libnids code and contacts: http://libnids.sourceforge.net/

a basic description of the bugs follows.

========== BUG1 ==========

in function nids_pcap_handler, you added in version 1.22 the support for DLT_IEEE802_11_RADIO. but it breaks the support for DLT_PRISM_HEADER: when linktype == DLT_PRISM_HEADER, the following code is executed:

---begin---
    case DLT_PRISM_HEADER:
        nids_linkoffset = 144; //sizeof(prism2_hdr);
        linkoffset_tweaked_by_prism_code = 1;
        //now let DLT_IEEE802_11 do the rest
#endif
#ifdef DLT_IEEE802_11_RADIO
    case DLT_IEEE802_11_RADIO:
        // just get rid of the radio tap header
        nids_linkoffset = 25; // sizeof(radio tap header)
        linkoffset_tweaked_by_radio_code = 1;
        //now let DLT_IEEE802_11 do the rest
#endif
#ifdef DLT_IEEE802_11
    case DLT_IEEE802_11:
---end---

nids_linkoffset is set in DLT_PRISM_HEADER but always overwritten in DLT_IEEE802_11_RADIO.

========== BUG2 ==========

in function nids_pcap_handler, in DLT_IEEE802_11, you compute erroneously the header size of 802.11 packets with TYPE 0 (Data frame) and SUBTYPE 8 (something for QOS). in this situation, you have 2 extra bytes of header. the following extra check should fix the problem:

    if (IEEE80211_QOS_HAS_SEQ(wh))
        len += sizeof(u_int16_t);

this macro comes from:
$FreeBSD: src/sys/net80211/ieee80211.h,v 1.9.2.2 2006/08/10 06:07:49 sam Exp $

i did the same for some code i'm writing, it's ok and works well.

==========================

bye!

--
Michele Dallachiesa 'xenion'
http://xenion.antifork.org
Antifork Research, Inc.
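The two defects described above, illustrated side by side as an added example (this is not libnids code and not the author's patch): a switch that mirrors the fall-through in the quoted 1.22 fragment, so the PRISM offset of 144 is silently replaced by the radiotap offset of 25, next to a corrected form in which every encapsulation sets its own offset and stops; and an 802.11 data-frame header-length routine that adds the 2-byte QoS Control field exactly as the FreeBSD IEEE80211_QOS_HAS_SEQ test does (type Data with the QoS subtype bit set). The corrected radiotap branch goes beyond the post by reading it_len from the radiotap header instead of assuming a fixed 25 bytes, and the 4-address (+6 bytes) case is handled as well. The DLT numbers are the libpcap values, copied here so the file builds without pcap.h; the sample packet is constructed for the example; the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* libpcap link-type values, copied so this builds stand-alone. */
#define DLT_IEEE802_11        105
#define DLT_PRISM_HEADER      119
#define DLT_IEEE802_11_RADIO  127

/* 802.11 frame-control bits (first two bytes of the MAC header). */
#define FC0_TYPE_MASK    0x0c
#define FC0_TYPE_DATA    0x08
#define FC0_SUBTYPE_QOS  0x80
#define FC1_DIR_MASK     0x03   /* ToDS | FromDS */
#define FC1_DIR_DSTODS   0x03   /* both set: Address 4 present */

/* BUG1 as posted: no break, so the PRISM offset is overwritten by the radiotap one. */
size_t linkoffset_fallthrough(int linktype) {
    size_t off = 0;
    switch (linktype) {
    case DLT_PRISM_HEADER:
        off = 144;
        /* fall through */
    case DLT_IEEE802_11_RADIO:
        off = 25;
        /* fall through */
    case DLT_IEEE802_11:
        break;
    }
    return off;
}

/* Corrected form: each encapsulation decides its own offset, bounds-checked against caplen.
 * Radiotap length is taken from it_len (little-endian u16 at offset 2) rather than hard-coded. */
int linkoffset_fixed(int linktype, const uint8_t *pkt, size_t caplen, size_t *off) {
    switch (linktype) {
    case DLT_PRISM_HEADER:
        *off = 144;
        break;
    case DLT_IEEE802_11_RADIO:
        if (caplen < 4) return -1;
        *off = (size_t)pkt[2] | ((size_t)pkt[3] << 8);
        break;
    case DLT_IEEE802_11:
        *off = 0;
        break;
    default:
        return -1;
    }
    return *off <= caplen ? 0 : -1;
}

/* Same condition as FreeBSD's IEEE80211_QOS_HAS_SEQ(wh): Data type with the QoS subtype bit. */
int qos_has_seq(const uint8_t *wh) {
    return (wh[0] & (FC0_TYPE_MASK | FC0_SUBTYPE_QOS)) == (FC0_TYPE_DATA | FC0_SUBTYPE_QOS);
}

/* BUG2 fix: 24-byte base header, +6 for Address 4, +2 for the QoS Control field. */
size_t ieee80211_data_hdrlen(const uint8_t *wh) {
    size_t len = 24;
    if ((wh[1] & FC1_DIR_MASK) == FC1_DIR_DSTODS) len += 6;
    if (qos_has_seq(wh)) len += sizeof(uint16_t);
    return len;
}

/* Offset of the 802.11 payload inside a captured packet, or -1 if the capture is too short. */
int ieee80211_payload_offset(int linktype, const uint8_t *pkt, size_t caplen, size_t *payload) {
    size_t link, hdr;
    if (linkoffset_fixed(linktype, pkt, caplen, &link) != 0) return -1;
    if (caplen < link + 24) return -1;           /* need the fixed part of the MAC header */
    hdr = ieee80211_data_hdrlen(pkt + link);
    if (caplen < link + hdr) return -1;          /* QoS/Address 4 fields must be captured too */
    *payload = link + hdr;
    return 0;
}

/* Constructed sample: 18-byte radiotap header, then a QoS data frame (ToDS) and one payload byte. */
const uint8_t sample_radiotap_qos[] = {
    0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00,   /* version, pad, it_len=18, it_present=0 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x88, 0x01, 0x00, 0x00,                           /* fc: QoS data, ToDS; duration */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,               /* addr1 */
    0x00, 0x66, 0x77, 0x88, 0x99, 0xaa,               /* addr2 */
    0x00, 0xbb, 0xcc, 0xdd, 0xee, 0xff,               /* addr3 */
    0x10, 0x00,                                       /* sequence control */
    0x00, 0x00,                                       /* QoS control (the 2 extra bytes) */
    0xaa                                              /* first payload byte */
};
const size_t sample_radiotap_qos_len = sizeof sample_radiotap_qos;

int main(void) {
    size_t p;
    printf("fallthrough PRISM offset: %zu (expected 144)\n", linkoffset_fallthrough(DLT_PRISM_HEADER));
    if (ieee80211_payload_offset(DLT_IEEE802_11_RADIO, sample_radiotap_qos, sizeof sample_radiotap_qos, &p) == 0)
        printf("payload at %zu, first byte 0x%02x\n", p, sample_radiotap_qos[p]);
    return 0;
}
```

The fall-through variant returns 25 for a PRISM capture, which is the symptom the post describes; the fixed variant also refuses a capture shorter than the header it is about to skip, which the posted fragment never checks.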