device names longer than "13" characters produce a buffer overflow
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libnet-rawip-perl (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Binary package hint: libnet-rawip-perl
1)
Description: Ubuntu 10.04.1 LTS
Release: 10.04
Linux felix 2.6.32-24-generic #43-Ubuntu SMP Thu Sep 16 14:58:24 UTC 2010 x86_64 GNU/Linux
2)
libnet-rawip-perl:
Installed: 0.25-1
Candidate: 0.25-1
Version table:
*** 0.25-1 0
500 http://
100 /var/lib/
*)
Here is my explanation, which I originally wrote to the upstream author at Perl CPAN, but his email address isn't valid anymore:
In general it happens if the interface which you use to send out data has a "visible" name longer than 13 characters.
In my special case I had a VLAN-in-VLAN setup, so my interface was called "eth0.3775.3775": it has 14 visible chars + terminating '\0' = 15 chars.
root@felix:~# ./sendraw.pl
start sending packet out of eth0.3775.3775 from 00:11:22:33:44:55 to 00:11:22:33:44:66
*** buffer overflow detected ***: /usr/bin/perl terminated
Aborted
I looked into the source (eth.c / line 134):
strcpy((char *)spkt.spkt_device, eth_device);
It copies the given device name to "sockaddr_ char[14], but my device name has 15 characters:
(include/
struct sockaddr_pkt
{
unsigned short spkt_family;
unsigned char spkt_device[14];
__be16 spkt_protocol;
};
Normally Linux is able to use interfaces with names up to 16 chars (15 visible + '\0'):
(include/
#define IFNAMSIZ 16
I guess the problem is that the C code uses this long-deprecated structure "sockaddr_pkt" instead of the new "sockaddr_ll", which also uses IFNAMSIZ internally
(http://
"The main difference is the new sockaddr_ll address
structure for generic link layer information instead
of the old sockaddr_pkt."
So either you could change to the new struct, which may cause more work, or you keep the old one and deny interfaces > 14 chars at the tap(...) method, which is executed in RawIP.pm before send_eth_packet.
If the latter solution is chosen, please document the limitation.
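As an added illustration (not code from this report or from libnet-rawip-perl), the length check the reporter proposes for tap(), written in C against a constructed stand-in for struct sockaddr_pkt; the function names, the `_demo` struct and the sample interface names are assumptions, and the check rejects any name that does not fit in the 14-byte field together with its terminator, which is exactly what the 15-byte "eth0.3775.3775" violates:

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-ins for the kernel definitions quoted in the report,
 * so this compiles anywhere without <linux/if_packet.h>. */
#define IFNAMSIZ 16
#define SPKT_DEVICE_LEN 14
struct sockaddr_pkt_demo {
    unsigned short spkt_family;
    unsigned char  spkt_device[SPKT_DEVICE_LEN];
    uint16_t       spkt_protocol;
};

/* Hypothetical pre-copy check: 1 if the name plus its '\0' fits in
 * spkt_device, 0 otherwise. strnlen caps the scan at IFNAMSIZ so an
 * unterminated input cannot make the check itself read past bounds. */
int device_name_fits_spkt(const char *eth_device)
{
    size_t n = strnlen(eth_device, IFNAMSIZ);
    return n + 1 <= SPKT_DEVICE_LEN;   /* strcpy would write n + 1 bytes */
}

/* Hardened replacement for the strcpy at eth.c line 134: refuses the name
 * instead of overflowing, and always leaves the field NUL-terminated.
 * Returns 0 on success, -1 if the name was rejected. */
int set_spkt_device(struct sockaddr_pkt_demo *spkt, const char *eth_device)
{
    if (!device_name_fits_spkt(eth_device))
        return -1;
    memset(spkt->spkt_device, 0, sizeof spkt->spkt_device);
    memcpy(spkt->spkt_device, eth_device, strlen(eth_device));
    return 0;
}

int main(void)
{
    struct sockaddr_pkt_demo spkt;
    /* constructed sample names: 4, 13 and 14 visible characters */
    const char *names[] = { "eth0", "eth0.3775.377", "eth0.3775.3775" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s -> %s\n", names[i],
               set_spkt_device(&spkt, names[i]) == 0
                   ? "accepted"
                   : "rejected (would overflow spkt_device)");
    return 0;
}
```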