coredump at capture.c with IPv6 #498

Open
linuxmaniac opened this issue Oct 7, 2024 · 2 comments

Comments

@linuxmaniac
Contributor

linuxmaniac commented Oct 7, 2024

this is sngrep v1.8.1 but I think the code is the same in v1.8.2

```
Core was generated by `sngrep -c'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  capture_packet_reasm_ip (capinfo=capinfo@entry=0x55998f8aa990, header=header@entry=0x7f3c78754970, packet=packet@entry=0x7f3c7874f900 "", size=size@entry=0x7f3c7874f8fc, 
    caplen=caplen@entry=0x7f3c7874f8f8) at ./src/capture.c:680
680     ./src/capture.c: No such file or directory.
[Current thread is 1 (Thread 0x7f3c787556c0 (LWP 2100393))]
(gdb) bt
#0  capture_packet_reasm_ip (capinfo=capinfo@entry=0x55998f8aa990, header=header@entry=0x7f3c78754970, packet=packet@entry=0x7f3c7874f900 "", size=size@entry=0x7f3c7874f8fc, 
    caplen=caplen@entry=0x7f3c7874f8f8) at ./src/capture.c:680
#1  0x000055998e317b4a in parse_packet (info=0x55998f8aa990 "\001\001", header=0x7f3c78754970, packet=0x7f3c788dc1e4 "") at ./src/capture.c:367
#2  0x00007f3c792b54f6 in ?? () from /lib/x86_64-linux-gnu/libpcap.so.0.8
#3  0x00007f3c792b58ec in ?? () from /lib/x86_64-linux-gnu/libpcap.so.0.8
#4  0x00007f3c792bcd1d in pcap_loop () from /lib/x86_64-linux-gnu/libpcap.so.0.8
#5  0x000055998e315b3c in capture_thread (info=0x55998f8aa990) at ./src/capture.c:1069
#6  0x00007f3c79155134 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#7  0x00007f3c791d57dc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

(gdb) p *capinfo
$1 = {running = true, ispcap = true, link = 113, link_hl = 16 '\020', handle = 0x55998f8aa9f0, mask = 0, net = 0, infile = 0x0, device = 0x55998f8a9910 "any", ip_reasm = 0x55998f8aada0, 
  tcp_reasm = 0x55998f8aad70, capture_fn = 0x55998e315b20 <capture_thread>, capture_t = 139897695721152}
(gdb) p *header
$2 = {ts = {tv_sec = 1728299259, tv_usec = 715314}, caplen = 220, len = 220}
(gdb) p ip6f
$3 = (struct ip6_frag *) 0x0
```

related code: https://github.com/irontec/sngrep/blob/master/src/capture.c#L685-L687

```c
#ifdef USE_IPV6
    if (ip_ver == 6 && ip_frag && (ip6f->ip6f_offlg & htons(0x01)) == 0) {
        pkt->ip_exp_len = ip_frag_off + ip_len - ip_hl - sizeof(struct ip6_frag);
    }
#endif
```

ip6f is NULL so... 💣

@linuxmaniac
Contributor Author

How can ip6f be NULL and ip_frag != 0 && ip_ver == 6 if we have, at https://github.com/irontec/sngrep/blob/master/src/capture.c#L590-L606:

```c
#ifdef USE_IPV6
            case 6:
                ip_hl = sizeof(struct ip6_hdr);
                ip_proto = ip6->ip6_nxt;
                ip_len = ntohs(ip6->ip6_ctlun.ip6_un1.ip6_un1_plen) + ip_hl;

                if (ip_proto == IPPROTO_FRAGMENT) {
                    ip_frag = 1;
                    ip6f = (struct ip6_frag *) (packet + link_hl + ip_hl);
                    ip_frag_off = ntohs(ip6f->ip6f_offlg & IP6F_OFF_MASK);
                    ip_id = ntohl(ip6f->ip6f_ident);
                }

                inet_ntop(AF_INET6, &ip6->ip6_src, src.ip, sizeof(src.ip));
                inet_ntop(AF_INET6, &ip6->ip6_dst, dst.ip, sizeof(dst.ip));
                break;
#endif
```

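A bounds-checked version of the IPv6 fragment-header parse quoted in the two comments above, added here as an illustration and not sngrep's own code: the Fragment header is copied out of the capture buffer only after checking that it fits inside caplen, so ip_frag and the ip6f-derived fields are always set together from a header that was actually captured, and ip_exp_len is computed with the same formula as capture.c. The names parse_ip6_fragment, build_sample_packet and struct ip6_parse are assumed, and the 80-byte packet (cooked link header with link_hl = 16, as in the report) is constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/ip6.h>

struct ip6_parse {                 /* assumed result type, not from sngrep */
    int ok, ip_frag, more_frags;   /* ok: every field read lay inside caplen; more_frags: M flag */
    uint16_t ip_frag_off;          /* fragment offset in bytes (13-bit field * 8) */
    uint32_t ip_id, ip_exp_len;    /* identification; expected reassembled length (last frag) */
};

/* Parse the IPv6 header at packet+link_hl. The Fragment header is read only after it is
 * known to fit in caplen, so a truncated capture yields ok=0 instead of a read past the buffer. */
struct ip6_parse parse_ip6_fragment(const uint8_t *packet, size_t caplen, size_t link_hl)
{
    struct ip6_parse r = {0};
    struct ip6_hdr ip6; struct ip6_frag ip6f;
    size_t ip_hl = sizeof(ip6);
    if (caplen < link_hl + ip_hl)
        return r;                                   /* fixed header truncated */
    memcpy(&ip6, packet + link_hl, ip_hl);          /* memcpy: no unaligned struct access */
    uint32_t ip_len = ntohs(ip6.ip6_ctlun.ip6_un1.ip6_un1_plen) + ip_hl;
    if (ip6.ip6_nxt == IPPROTO_FRAGMENT) {
        if (caplen < link_hl + ip_hl + sizeof(ip6f))
            return r;                               /* Fragment header truncated: never touched */
        memcpy(&ip6f, packet + link_hl + ip_hl, sizeof(ip6f));
        r.ip_frag = 1;
        r.ip_frag_off = ntohs(ip6f.ip6f_offlg & IP6F_OFF_MASK);
        r.ip_id = ntohl(ip6f.ip6f_ident);
        r.more_frags = (ip6f.ip6f_offlg & IP6F_MORE_FRAG) != 0;   /* same bit as htons(0x01) */
        if (!r.more_frags)                          /* sngrep's ip_exp_len formula */
            r.ip_exp_len = r.ip_frag_off + ip_len - ip_hl - sizeof(ip6f);
    }
    r.ok = 1;
    return r;
}

/* Constructed sample (80 bytes): 16-byte Linux cooked link header, IPv6 header with plen 24,
 * last Fragment header (offset 8, M=0, id 0x42), 16 payload bytes. buf must hold 80 bytes. */
size_t build_sample_packet(uint8_t *buf)
{
    static const uint8_t ip6_fixed[8] = {0x60, 0, 0, 0, 0, 24, IPPROTO_FRAGMENT, 64};
    static const uint8_t frag[8] = {IPPROTO_UDP, 0, 0x00, 0x08, 0, 0, 0, 0x42};
    memset(buf, 0, 80);                             /* link header and addresses all zero */
    memcpy(buf + 16, ip6_fixed, 8);
    memcpy(buf + 56, frag, 8);
    memset(buf + 64, 0xAA, 16);                     /* payload */
    return 80;
}
```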
@Kaian
Member

Kaian commented Oct 16, 2024

Hi!

Thanks for the report and detailed information of the offending code.

This is quite strange, because if ip6f has a NULL value after being assigned, it should have crashed in the next line and not reach that if. Maybe some memory overflow elsewhere between assignment and crashing line updated ip6f or ip_frag?

It would be awesome if this could be reproduced while reading a pcap file (not sure if this happens often enough)

Regards,
