In function read_packet_from_file(), variable params1.ph.incl_len is used without an overflow check. This can lead to some variables being overwritten or the program crashing.
/* copy the 16 bytes into ph structure */
memcpy(&params1.ph, params1.pkt_temp, 16);
params1.ptr = params1.pkt_temp + sizeof(params1.ph);
/* and the packet itself, but only up to the capture length */
freads = fread(params1.ptr, params1.ph.incl_len, 1, file_p); // uint32_t incl_len is read from pcap file
The length of the pkt_temp buffer is 10000. If the packet exceeds this length, variables in the .bss section will be overwritten.

Reproduce
Poc: mypoc.zip
CC=clang CFLAGS="-O0 -g -fsanitize=address" make
./packETHcli -i lo -f ./mypoc.pcap
Asan report:
=================================================================
==366700==ERROR: AddressSanitizer: global-buffer-overflow on address 0x555555fefe68 at pc 0x555555594dd5 bp 0x7fffffffde60 sp 0x7fffffffd630
WRITE of size 11000 at 0x555555fefe68 thread T0
#0 0x555555594dd4 in fread (/work/programs/packeth/origin/cli/packETHcli+0x40dd4) (BuildId: 87a631790a9eaae61db995e5c5764db95f25d64e)
#1 0x55555564f543 in read_packet_from_file /work/programs/packeth/origin/cli/cli_send.c:1680:22
#2 0x55555564e5ce in main /work/programs/packeth/origin/cli/cli_send.c:415:13
#3 0x7ffff7cea6c9 (/lib/x86_64-linux-gnu/libc.so.6+0x276c9) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
#4 0x7ffff7cea784 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27784) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
#5 0x5555555773c0 in _start (/work/programs/packeth/origin/cli/packETHcli+0x233c0) (BuildId: 87a631790a9eaae61db995e5c5764db95f25d64e)
0x555555fefe68 is located 0 bytes after global variable 'params1' defined in '/work/programs/packeth/origin/cli/cli_send.c:124' (0x555555fed480) of size 10728
SUMMARY: AddressSanitizer: global-buffer-overflow (/work/programs/packeth/origin/cli/packETHcli+0x40dd4) (BuildId: 87a631790a9eaae61db995e5c5764db95f25d64e) in fread
==366700==ABORTING
Possible fix
If a packet exceeds the maximum length of ETH, it indicates that the pcap file is corrupt. The program can abort processing and report an error.
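A bounds-checked form of the record read, given here as an added example and not as packETH's code or its actual fix: it rejects any record whose incl_len exceeds the space left in the buffer before that value reaches fread. The names read_record, parse_constructed and the REC_* codes are hypothetical; the file is assumed to be in host byte order with the pcap global header already consumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_BUF_LEN 10000  /* pkt_temp size given in the report */
struct pcap_rec_hdr { uint32_t ts_sec, ts_usec, incl_len, orig_len; }; /* 16 bytes */
enum { REC_OK = 0, REC_EOF = -1, REC_TOO_BIG = -2, REC_TRUNCATED = -3 };

/* Read one record into buf: 16-byte header first, payload right after it.
 * incl_len is file-controlled, so it is checked against the space left in
 * buf before it is used as a read size. */
static int read_record(FILE *fp, uint8_t *buf, size_t buf_len, uint32_t *incl_len)
{
    struct pcap_rec_hdr ph;
    if (buf_len < sizeof ph || fread(buf, sizeof ph, 1, fp) != 1)
        return REC_EOF;
    memcpy(&ph, buf, sizeof ph);            /* host byte order assumed */
    if (ph.incl_len > buf_len - sizeof ph)  /* the missing bounds check */
        return REC_TOO_BIG;
    if (ph.incl_len && fread(buf + sizeof ph, 1, ph.incl_len, fp) != ph.incl_len)
        return REC_TRUNCATED;               /* file ends before the payload does */
    *incl_len = ph.incl_len;
    return REC_OK;
}

/* Constructed input: one record header claiming claimed_len bytes, followed
 * by actual_len zero bytes, written to a temp file and parsed back.
 * Returns the payload length on success, otherwise a REC_* code. */
static int parse_constructed(uint32_t claimed_len, size_t actual_len)
{
    static uint8_t pkt_temp[PKT_BUF_LEN], payload[2 * PKT_BUF_LEN];
    struct pcap_rec_hdr ph = { 0, 0, claimed_len, claimed_len };
    uint32_t got = 0;
    FILE *fp;
    int rc = -100;                          /* test setup failure */
    if (actual_len > sizeof payload || !(fp = tmpfile()))
        return rc;
    if (fwrite(&ph, sizeof ph, 1, fp) == 1 &&
        fwrite(payload, 1, actual_len, fp) == actual_len && fseek(fp, 0, SEEK_SET) == 0)
        rc = read_record(fp, pkt_temp, sizeof pkt_temp, &got);
    fclose(fp);
    return rc == REC_OK ? (int)got : rc;
}

int main(void)
{
    printf("record claiming 11000 bytes -> %d\n", parse_constructed(11000, 11000));
    return 0;
}
```

The limit is the buffer size minus the 16 header bytes already stored in it, because the payload is written at an offset of sizeof(ph) into the same buffer.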