From: Sven Eckelmann <sven@narfation.org>
To: b.a.t.m.a.n@lists.open-mesh.org
Subject: Re: [B.A.T.M.A.N.] [PATCHv5] batctl: tcpdump - parse TVLV containers
Date: Wed, 12 Nov 2014 10:26:24 +0100 [thread overview]
Message-ID: <5267417.3ygrW54Np4@bentobox> (raw)
In-Reply-To: <2091412.EK1SUSK0CW@sven-edge>
On Tuesday 11 November 2014 23:56:03 Sven Eckelmann wrote:
[...]
> I've already explained this to Antonio but here again in public:
>
> * neither type nor version are validated
> * the type can point in tvlv_parsers to an invalid (non-existing) entry
> * the version of this entry can also point to an invalid parser
> * this is a big problem because I can crash batctl td with data packets
> sent from other people (even valid data packets with mcast tvlv)
> * I've already experienced this problem when using nodes from a company
> which has shipped this patch for a while (> 4 months)
>
> Maybe it can be redone with some switch statements or
> (more space consuming) full tables which can handle all input data. Of
> course a check of the returned parser is still necessary inside the loops.
>
> Kind regards,
> Sven
For people who require a direct experience of the crash with normal traffic
sent by batman-adv:
1. compile batctl:
CFLAGS="-g3 -fsanitize=address -fsanitize=undefined -fsanitize=leak" make
2. Start it on some interface:
sudo ./batctl td eth0
3. run on another console tcpreplay on the same interface:
sudo tcpreplay -i eth0 v15_iv_ogm.pcapng
4. experience the crash:
10:17:28.724487 BAT 00:21:cc:b4:82:33: OGM IV via neigh 00:21:cc:b4:82:33, seq 3093200194, tq 255, ttl 50, v 15, flags [..F], length 68, tvlv_len 44
TVLV TTv1: OGM DIFF [.] ttvn=4 vlan_num=1 entry_num=0
VLAN ID -1, crc 0xb8d4beb4
TVLV GWv1: down 10.0Mbps, up 2.0Mbps
=================================================================
==4213==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000639410 at pc 0x415f75 bp 0x7ffff4a02c70 sp 0x7ffff4a02c68
READ of size 8 at 0x000000639410 thread T0
#0 0x415f74 in dump_batman_iv_ogm batctl/tcpdump.c:654
#1 0x41710e in parse_eth_hdr batctl/tcpdump.c:825
#2 0x4195c8 in tcpdump batctl/tcpdump.c:1118
#3 0x403b7a in main batctl/main.c:146
#4 0x7fd0f52dbb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#5 0x4029d8 (batctl+0x4029d8)
0x000000639410 is located 0 bytes to the right of global variable 'tvlv_parsers' from 'tcpdump.c' (0x6393e0) of size 48
0x000000639410 is located 48 bytes to the left of global variable '*.Lubsan_type7' from 'tcpdump.c' (0x639440) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow batctl/tcpdump.c:654 dump_batman_iv_ogm
==4213==ABORTING
Kind regards,
Sven
[-- Attachment #2: v15_iv_ogm.pcapng --]
[-- Type: application/x-pcapng, Size: 6652 bytes --]
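Added example (not batctl's or batman-adv's own code) of the fix shape the quoted message suggests: a full table indexed by type and version so that no value taken from the packet can leave it, a lookup that still bounds-checks and returns NULL for unset slots, and a container walk that tests the returned parser before calling it. The 4-byte header layout, the type/version numbering and all names are assumptions; the sample containers are constructed.

```c
/* Added example (not batctl's own code): bounds-safe TVLV parser lookup and
 * container walk. Type/version numbers, table layout and the 4-byte header
 * format (type, version, big-endian len) are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#define TVLV_TYPE_MAX    256 /* full table: every uint8_t value has a slot */
#define TVLV_VERSION_MAX 256
#define TVLV_HDR_LEN     4
typedef int (*tvlv_parser_fn)(const uint8_t *data, size_t len);
/* Toy parser for an assumed "GW v1" container carrying 8 data bytes. */
static int parse_gw_v1(const uint8_t *d, size_t n) { (void)d; return n == 8 ? 0 : -1; }
/* Every (type, version) slot exists; unset slots stay NULL, so an index taken
 * from packet data can never read past the table. */
static const tvlv_parser_fn tvlv_parsers[TVLV_TYPE_MAX][TVLV_VERSION_MAX] = {
	[1][1] = parse_gw_v1, /* assumed numbering */
};
static tvlv_parser_fn tvlv_parser_lookup(uint8_t type, uint8_t version)
{
	/* Explicit check: a table shrunk below 256 entries must not reintroduce the overflow. */
	if (type >= TVLV_TYPE_MAX || version >= TVLV_VERSION_MAX)
		return NULL;
	return tvlv_parsers[type][version]; /* caller must still test for NULL */
}
/* Walk a TVLV area: count parsed and unknown containers, -1 on truncated input. */
static int tvlv_walk(const uint8_t *buf, size_t buflen, int *unknown)
{
	int parsed = 0;
	*unknown = 0;
	while (buflen > 0) {
		if (buflen < TVLV_HDR_LEN)
			return -1;
		uint8_t type = buf[0], version = buf[1];
		size_t len = ((size_t)buf[2] << 8) | buf[3];
		buf += TVLV_HDR_LEN; buflen -= TVLV_HDR_LEN;
		if (len > buflen)
			return -1; /* container claims more data than is present */
		tvlv_parser_fn fn = tvlv_parser_lookup(type, version);
		if (fn) { if (fn(buf, len) < 0) return -1; parsed++; }
		else (*unknown)++; /* unknown type/version: skip it, do not crash */
		buf += len; buflen -= len;
	}
	return parsed;
}
/* Constructed samples: GW v1 (8 bytes) then unknown type 0x42/version 7; and one claiming 8 bytes with only 3 present. */
static const uint8_t sample_ok[] = {1,1,0,8, 1,2,3,4,5,6,7,8, 0x42,7,0,2, 0xaa,0xbb};
static const uint8_t sample_trunc[] = {1,1,0,8, 1,2,3};
static int demo_ok_parsed(void) { int u; return tvlv_walk(sample_ok, sizeof sample_ok, &u); }
static int demo_ok_unknown(void) { int u; tvlv_walk(sample_ok, sizeof sample_ok, &u); return u; }
static int demo_trunc(void) { int u; return tvlv_walk(sample_trunc, sizeof sample_trunc, &u); }
```

With the original single-dimension table, the same unknown container would have indexed past the end; here it is counted and skipped, and the truncated sample is rejected before any parser runs.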