https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271820
--- Comment #1 from Robert Morris <r...@lcs.mit.edu> ---

Also: The subtract in libalias's ValidateUdpLength() can wrap to an
unsigned huge number if ip_len is less than ip_hl<<2. This causes the
two "dlen < ..." tests to be false, which causes the UDP packet to pass
muster even if uh_ulen is bigger than the packet size.

    size_t dlen;

    dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2);
    if (dlen < sizeof(struct udphdr))
        return (NULL);
    if (!MF_ISSET(pip) && dlen < ntohs(ud->uh_ulen))
        return (NULL);

So an HDLC frame like this will also cause AliasHandleQuestion() to read
off the end of the packet buffer and perhaps crash.

    7e 00 21 72 ff 00 00 ff ff e0 00 ff 11 00 89 39 9f 7a 3d 7f ff ff 7c 11 72 7e

    (gdb) print/x *pip
    $6 = {ip_hl = 0x2, ip_v = 0x7, ip_tos = 0xff, ip_len = 0x0, ip_id = 0xffff,
      ip_off = 0xe0, ip_ttl = 0xff, ip_p = 0x11, ip_sum = 0x8900,
      ip_src = {s_addr = 0x3d7a9f39}, ip_dst = {s_addr = 0x7cffff7f}}
    (gdb) print/x *ud
    $4 = {uh_sport = 0x11ff, uh_dport = 0x8900, uh_ulen = 0x9f39, uh_sum = 0x3d7a}
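The unsigned wrap the comment describes, reproduced as an added example that is not part of the bug report or of libalias. The structs (`ip_fields`, `udp_fields`) and the functions `dlen_wrapping`, `udp_len_ok_wrapping` and `udp_len_ok_checked` are constructed stand-ins with lengths kept in host byte order so the arithmetic is visible without ntohs(); the field values are modelled on the gdb dump above with MF assumed clear. The "checked" variant is one possible hardening (bound ip_hl and ip_len before subtracting), not the fix FreeBSD applied.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the fields of struct ip and struct udphdr that
 * the length check reads. Host byte order throughout; these are not the
 * libalias structures. */
struct ip_fields {
    unsigned ip_hl;      /* IP header length in 32-bit words */
    uint16_t ip_len;     /* IP total length in bytes */
    bool     mf;         /* More Fragments bit (MF_ISSET in libalias) */
};

struct udp_fields {
    uint16_t uh_ulen;    /* UDP length field in bytes */
};

#define UDP_HDR_LEN 8u   /* sizeof(struct udphdr) */
#define IP_MIN_HDR  20u  /* ip_hl must be at least 5 words */

/* Payload length computed the way the comment describes: the subtraction
 * happens in size_t, so ip_len < ip_hl<<2 wraps to a huge value. */
size_t dlen_wrapping(const struct ip_fields *pip)
{
    return (size_t)pip->ip_len - (size_t)(pip->ip_hl << 2);
}

/* The two "dlen < ..." tests from the comment on top of the wrapping
 * subtract. Returns true when the packet would "pass muster". */
bool udp_len_ok_wrapping(const struct ip_fields *pip, const struct udp_fields *ud)
{
    size_t dlen = dlen_wrapping(pip);
    if (dlen < UDP_HDR_LEN)
        return false;
    if (!pip->mf && dlen < ud->uh_ulen)
        return false;
    return true;
}

/* Hardened form (constructed here): reject before subtracting when the
 * header length is impossible or exceeds the total length, so dlen can
 * never wrap. */
bool udp_len_ok_checked(const struct ip_fields *pip, const struct udp_fields *ud)
{
    size_t hlen = (size_t)pip->ip_hl << 2;
    if (hlen < IP_MIN_HDR || (size_t)pip->ip_len < hlen)
        return false;                 /* header does not fit in the packet */
    size_t dlen = (size_t)pip->ip_len - hlen;
    if (dlen < UDP_HDR_LEN)
        return false;
    if (!pip->mf && dlen < ud->uh_ulen)
        return false;
    return true;
}

int main(void)
{
    /* Modelled on the gdb dump: ip_hl = 2, ip_len = 0, uh_ulen = 0x9f39. */
    struct ip_fields  bad_ip  = { .ip_hl = 2, .ip_len = 0, .mf = false };
    struct udp_fields bad_udp = { .uh_ulen = 0x9f39 };

    /* A well-formed packet: 20-byte IP header carrying 16 bytes of UDP. */
    struct ip_fields  good_ip  = { .ip_hl = 5, .ip_len = 36, .mf = false };
    struct udp_fields good_udp = { .uh_ulen = 16 };

    printf("malformed: dlen=%zu wrapping=%d checked=%d\n",
           dlen_wrapping(&bad_ip),
           udp_len_ok_wrapping(&bad_ip, &bad_udp),
           udp_len_ok_checked(&bad_ip, &bad_udp));
    printf("well-formed: wrapping=%d checked=%d\n",
           udp_len_ok_wrapping(&good_ip, &good_udp),
           udp_len_ok_checked(&good_ip, &good_udp));
    return 0;
}
```

The wrapping variant accepts the malformed header because dlen becomes SIZE_MAX-7, which is neither smaller than 8 nor smaller than uh_ulen; the checked variant rejects it before any subtraction takes place, and both variants agree on well-formed and on honestly-too-short packets.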