From: Sven Eckelmann <sven@narfation.org>
To: b.a.t.m.a.n@lists.open-mesh.org
Subject: Re: [B.A.T.M.A.N.] [PATCHv5] batctl: tcpdump - parse TVLV containers
Date: Wed, 12 Nov 2014 10:26:24 +0100
Message-ID: <5267417.3ygrW54Np4@bentobox>
In-Reply-To: <2091412.EK1SUSK0CW@sven-edge>


On Tuesday 11 November 2014 23:56:03 Sven Eckelmann wrote:
[...]
> I've already explained this to Antonio but here again in public:
> 
>  * neither type nor version are validated
>  * the type can point in tvlv_parsers to an invalid (non-existing) entry
>  * the version of this entry can also point to an invalid parser
>  * this is a big problem because I can crash batctl td with data packets
>    sent from other people (even valid data packets with mcast tvlv)
>  * I've already experienced this problem when using nodes from a company
>    which has shipped this patch for a while (> 4 months)
> 
> Maybe it can be redone with some switch statements or
> (more space-consuming) full tables which can handle all input data. Of
> course a check of the returned parser is still necessary inside the loops.
> 
> Kind regards,
> 	Sven

For people who require a direct experience of the crash with normal traffic
sent by batman-adv:

1. compile batctl:
   CFLAGS="-g3 -fsanitize=address -fsanitize=undefined -fsanitize=leak" make
2. start it on some interface:
   sudo ./batctl td eth0
3. run tcpreplay on another console on the same interface:
   sudo tcpreplay -i eth0 v15_iv_ogm.pcapng
4. experience the crash:

10:17:28.724487 BAT 00:21:cc:b4:82:33: OGM IV via neigh 00:21:cc:b4:82:33, seq 3093200194, tq 255, ttl 50, v 15, flags [..F], length 68, tvlv_len 44
        TVLV TTv1: OGM DIFF [.] ttvn=4 vlan_num=1 entry_num=0
                VLAN ID -1, crc 0xb8d4beb4
        TVLV GWv1: down 10.0Mbps, up 2.0Mbps
=================================================================
==4213==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000639410 at pc 0x415f75 bp 0x7ffff4a02c70 sp 0x7ffff4a02c68
READ of size 8 at 0x000000639410 thread T0
    #0 0x415f74 in dump_batman_iv_ogm batctl/tcpdump.c:654
    #1 0x41710e in parse_eth_hdr batctl/tcpdump.c:825
    #2 0x4195c8 in tcpdump batctl/tcpdump.c:1118
    #3 0x403b7a in main batctl/main.c:146
    #4 0x7fd0f52dbb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #5 0x4029d8 (batctl+0x4029d8)

0x000000639410 is located 0 bytes to the right of global variable 'tvlv_parsers' from 'tcpdump.c' (0x6393e0) of size 48
0x000000639410 is located 48 bytes to the left of global variable '*.Lubsan_type7' from 'tcpdump.c' (0x639440) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow batctl/tcpdump.c:654 dump_batman_iv_ogm
Shadow bytes around the buggy address:
==4213==ABORTING

Kind regards,
	Sven

[-- Attachment #2: v15_iv_ogm.pcapng --]
[-- Type: application/x-pcapng, Size: 6652 bytes --]
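As an added illustration of the check asked for in this thread (this is not batctl's code; the table sizes, the parser stubs and the sample bytes are assumptions), a lookup that range-checks both packet-supplied indexes before touching the table, with the TVLV walk around it:

```c
#include <stdint.h>
#include <stddef.h>
typedef int (*tvlv_parser_fn)(const uint8_t *data, uint16_t len);
/* Stand-in parsers (not batctl's); each returns a tag identifying itself. */
static int parse_tt(const uint8_t *d, uint16_t l) { (void)d; (void)l; return 1; }
static int parse_gw(const uint8_t *d, uint16_t l) { (void)d; (void)l; return 2; }
#define TVLV_TYPES    3   /* assumed table sizes, smaller than batctl's */
#define TVLV_VERSIONS 2
#define TVLV_HDR_LEN  4   /* type, version, 16-bit big-endian payload length */

/* Dispatch table indexed [type][version]; slots without a parser stay NULL. */
static const tvlv_parser_fn tvlv_parsers[TVLV_TYPES][TVLV_VERSIONS] = {
    [1][1] = parse_tt,
    [2][1] = parse_gw,
};
/* Both indexes come from the packet: without this check the access reads past
 * tvlv_parsers (the global-buffer-overflow above) and calls whatever it found. */
static tvlv_parser_fn tvlv_lookup(uint8_t type, uint8_t version)
{
    if (type >= TVLV_TYPES || version >= TVLV_VERSIONS)
        return NULL;
    return tvlv_parsers[type][version]; /* NULL for an empty slot */
}
/* Walk a TVLV area, skipping containers without a parser by their length.
 * Returns the number parsed, or -1 if a header or payload overruns the area. */
static int tvlv_walk(const uint8_t *buf, size_t tvlv_len)
{
    size_t off = 0;
    int parsed = 0;
    while (off < tvlv_len) {
        if (tvlv_len - off < TVLV_HDR_LEN)
            return -1;
        uint8_t type = buf[off], version = buf[off + 1];
        uint16_t len = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        off += TVLV_HDR_LEN;
        if (len > tvlv_len - off)
            return -1;
        tvlv_parser_fn fn = tvlv_lookup(type, version);
        if (fn && fn(buf + off, len) > 0)
            parsed++;
        off += len;
    }
    return parsed;
}
/* Constructed sample: TTv1 (2-byte payload), GWv1 (4 bytes), unknown type 200,
 * then known type 1 with unknown version 9; only the first two get parsed. */
static const uint8_t sample_area[] = {
    1, 1, 0x00, 0x02, 0xaa, 0xbb,  2, 1, 0x00, 0x04, 0, 0, 0, 0,
    200, 1, 0x00, 0x01, 0xff,  1, 9, 0x00, 0x00,
};
```

Run under the same ASan/UBSan build as in the reproduction above: the out-of-range type 200 and version 9 are rejected before the table is indexed, so no global-buffer-overflow report appears.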

Thread overview: 4+ messages
2014-11-02  8:38 [B.A.T.M.A.N.] [PATCHv5] batctl: tcpdump - parse TVLV containers Antonio Quartulli
2014-11-09  4:37 ` Marek Lindner
2014-11-11 22:56 ` Sven Eckelmann
2014-11-12  9:26   ` Sven Eckelmann [this message]