device names longer than "13" characters produce a buffer overflow

Bug #667202 reported by Felix Bolte
Affects: libnet-rawip-perl (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Binary package hint: libnet-rawip-perl

1)

Description: Ubuntu 10.04.1 LTS
Release: 10.04

Linux felix 2.6.32-24-generic #43-Ubuntu SMP Thu Sep 16 14:58:24 UTC 2010 x86_64 GNU/Linux

2)

libnet-rawip-perl:
  Installed: 0.25-1
  Candidate: 0.25-1
  Version table:
 *** 0.25-1 0
        500 http://de.archive.ubuntu.com/ubuntu/ lucid/universe Packages
        100 /var/lib/dpkg/status

*)

Here is my explanation, which I originally wrote to the upstream author at Perl CPAN, but his email address isn't valid anymore:

In general it happens if the interface
which you use to send out data
has a "visible" name longer than 13 characters.

In my special case I had a VLAN-in-VLAN setup,
so my interface was called "eth0.3775.3775";
it has 14 visible chars + terminating '\0' = 15 chars.

root@felix:~# ./sendraw.pl
start sending packet out of eth0.3775.3775 from 00:11:22:33:44:55 to 00:11:22:33:44:66
*** buffer overflow detected ***: /usr/bin/perl terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7fb700606217]
/lib/libc.so.6(+0xfe0d0)[0x7fb7006050d0]
/usr/lib/perl5/auto/Net/RawIP/RawIP.so(send_eth_packet+0x46)[0x7fb7000ca8a6]
/usr/lib/perl5/auto/Net/RawIP/RawIP.so(XS_Net__RawIP_send_eth_packet+0x203)[0x7fb7000c8c43]
/usr/lib/libperl.so.5.10(Perl_pp_entersub+0x5a5)[0x7fb700fd9045]
/usr/lib/libperl.so.5.10(Perl_runops_standard+0x16)[0x7fb700fd7336]
/usr/lib/libperl.so.5.10(perl_run+0x33c)[0x7fb700f7f3cc]
/usr/bin/perl(main+0xec)[0x400d7c]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7fb700525c4d]
/usr/bin/perl[0x400bc9]
======= Memory map: ========
[...]
Aborted

I looked into the source (eth.c / line 134):

strcpy((char *)spkt.spkt_device, eth_device);

It copies the given device name to
"sockaddr_pkt.spkt_device", which is defined as
char[14], but my device name has 15 characters:

(include/linux/if_packet.h)
struct sockaddr_pkt
{
       unsigned short spkt_family;
       unsigned char spkt_device[14];
       __be16 spkt_protocol;
};

Normally Linux is able to use interfaces
with names up to 16 chars (15 visible + '\0'):

(include/linux/if.h)
#define IFNAMSIZ 16

I guess the problem is that the C code uses
the long-deprecated structure
"sockaddr_pkt" instead of the new "sockaddr_ll",
which internally also uses IFNAMSIZ.

(http://unixhelp.ed.ac.uk/CGI/man-cgi?ip+7)
"The main difference is the new sockaddr_ll address
structure for generic link layer information instead
of the old sockaddr_pkt."

So either you could change to the new struct,
which may cause more work,
or you keep the old one and deny interfaces > 14 chars
at the tap(...) method,
which is executed in RawIP.pm before send_eth_packet.

If the latter solution is chosen, please document the limitation.
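The second option the reporter proposes, as an added example that is not Net::RawIP's own code: the unchecked strcpy from eth.c line 134 beside a bounds-checked replacement that rejects any name which does not fit in spkt_device with its terminator. The struct is a local copy of the layout quoted above (assumed name sockaddr_pkt_local, so it builds without Linux headers); the name is assumed to be NUL-terminated, as a string handed over from Perl would be.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define IFNAMSIZ 16   /* include/linux/if.h: longest Linux interface name + NUL */

/* Local mirror of struct sockaddr_pkt from include/linux/if_packet.h,
 * as quoted in the bug report; only the field sizes matter here. */
struct sockaddr_pkt_local {
    unsigned short spkt_family;
    unsigned char  spkt_device[14];   /* room for 13 visible chars + '\0' */
    uint16_t       spkt_protocol;     /* __be16 in the kernel header */
};

/* Before: the eth.c line 134 behaviour. A 14-character name plus its NUL is
 * 15 bytes written into a 14-byte field. Kept only for contrast; never
 * called in this example. */
void device_copy_unchecked(struct sockaddr_pkt_local *spkt, const char *name)
{
    strcpy((char *)spkt->spkt_device, name);
}

/* After: check the length against the field before copying.
 * Returns 0 on success, -1 with errno = ENAMETOOLONG when the name cannot be
 * represented in sockaddr_pkt (that is the report's "eth0.3775.3775" case). */
int device_copy_checked(struct sockaddr_pkt_local *spkt, const char *name)
{
    size_t len = strlen(name);

    /* len + 1 bytes are needed; the field holds sizeof spkt->spkt_device. */
    if (len == 0 || len >= sizeof spkt->spkt_device) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(spkt->spkt_device, 0, sizeof spkt->spkt_device);   /* NUL padding */
    memcpy(spkt->spkt_device, name, len);
    return 0;
}

/* The longest name sockaddr_pkt can carry (13). Valid Linux names may be up
 * to IFNAMSIZ - 1 (15), which is why sockaddr_ll is the real fix. */
size_t max_spkt_device_len(void)
{
    return sizeof(((struct sockaddr_pkt_local *)0)->spkt_device) - 1;
}
```

The check belongs wherever the device name first enters the C layer (tap() in the report's proposal), so the limitation is reported as an error instead of being found by the fortified strcpy at send time.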
