
perform improved bounds checking in airodump #1895

Open

wants to merge 1 commit into base: master

Conversation

mikeryan

A handful of code paths could read past the end of the buffer holding
incoming packets from the wireless adapter. This improves the bounds
checking to ensure that the code never reads past the end of the buffer.
Malformed packets will still be written to PCAP.

These bugs were found by fuzzing with AFL: http://lcamtuf.coredump.cx/afl

@@ -2162,7 +2165,7 @@ int dump_add_packet( unsigned char *h80211, int caplen, struct rx_info *ri, int
org_p = p;
p+=6;
int len = length, subtype = 0, sublen = 0;
while(len >= 4)
while(p + 5 < h80211 + caplen && len >= 4)
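Review bot: the new guard `p + 5 < h80211 + caplen` demands six readable bytes at `p`, while the retained `len >= 4` only promises a four-byte sub-header, and neither visible condition covers the variable-length value that `sublen` will describe; add a comment stating exactly which bytes each iteration reads so the margin is justified rather than looking like an off-by-two, and make sure the loop body also rejects a `sublen` larger than the bytes left (`(h80211 + caplen) - p - 4`) before advancing, since `len` itself comes from the frame. Nothing in the visible context checks that the preceding `p+=6` kept `p` inside the buffer, so forming `p + 5` can be pointer arithmetic beyond the object; comparing lengths instead (first `p <= h80211 + caplen`, then `(size_t)(h80211 + caplen - p) >= 6`) avoids that. A pcap whose record is truncated inside this IE would pin the behaviour, which is the test file the owner asks for.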
Owner

Do you have a file to test this case?

@@ -2754,7 +2759,7 @@ int dump_add_packet( unsigned char *h80211, int caplen, struct rx_info *ri, int
if(h80211[0] & 0x04)
{
p=h80211+4;
while(p <= h80211+16 && p<=h80211+caplen)
while(p <= h80211+16 && p<=h80211+caplen-6)
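Review bot: `h80211+caplen-6` is formed before anything confirms `caplen >= 6`, so for a capture shorter than six bytes it produces a pointer before the start of the buffer, which is undefined in C; write the check in terms of lengths instead, e.g. `(size_t)(p - h80211) + 6 <= (size_t)caplen`, which needs no negative offset. The direction of the change is right: the old `p<=h80211+caplen` let `p` equal the end pointer and then read six bytes past it. The `-6` margin implies a six-byte read per iteration, so a one-line comment that the loop consumes the addresses at offsets 4, 10 and 16 would also explain the otherwise magic `h80211+16`.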
Owner

Do you have a file to test this case?

@ZeroChaos-
Collaborator

he found it with a fuzzer, so I'm assuming the answer is no.

@aircrack-ng
Owner

@ZeroChaos- , the fuzzer generates files.

@mikeryan
Author

I don't have a test file for this specific branch. The fuzzer pointed me to this general neighborhood of code, and upon manually reviewing things I found that the bounds handling was incorrect throughout. This patchset reflects a manual review of every possible branch, ensuring that each buffer was the correct minimum size for reading at a given offset.

I can manually generate some test files that reach this branch if that would help you merge this patchset.
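The approach described in the PR description and in the comment above (every read preceded by a check that the buffer holds the minimum size at that offset) is shown below as an added example; this is not aircrack-ng code and not the code in the two hunks. It walks the tagged parameters of a beacon, the 2-byte-type/2-byte-length attributes inside a vendor IE (the structure the first hunk loops over), and the 6-byte addresses of a control frame (the second hunk's loop), with every bound expressed as a remaining length rather than as a pointer that may already lie outside the buffer. The header sizes, the `0xdd` vendor IE id and the sample frames are constructed for the example; the `walk_tagged_params`, `read_ctrl_addrs` and `sample_*` names are mine.

```c
/*
 * Added example, not aircrack-ng code: bounds-safe walk over 802.11 tagged
 * parameters (IEs), the 2-byte-type/2-byte-length attributes inside a vendor
 * IE, and the 6-byte addresses of a control frame. Every read is preceded by
 * a check against caplen expressed as a length, never as a pointer that may
 * already lie outside the buffer. All frame bytes below are constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MGMT_HDR_LEN  24   /* fc(2) dur(2) addr1-3(18) seq(2) */
#define BEACON_FIXED  12   /* timestamp(8) interval(2) capabilities(2) */

/* Bytes left from p to the end of the capture; 0 if p is already past it. */
static size_t remaining(const uint8_t *buf, size_t caplen, const uint8_t *p)
{
    size_t off = (size_t)(p - buf);
    return off <= caplen ? caplen - off : 0;
}

/* Count 4-byte-header attributes inside a vendor IE body of ie_len bytes.
 * Returns -1 if a header or value would extend past the IE. */
static int count_attrs(const uint8_t *body, size_t ie_len)
{
    size_t off = 0;
    int n = 0;
    while (ie_len - off >= 4) {                         /* header must fit */
        size_t alen = (size_t)((body[off + 2] << 8) | body[off + 3]);
        off += 4;
        if (alen > ie_len - off)                        /* value must fit */
            return -1;
        off += alen;
        n++;
    }
    return off == ie_len ? n : -1;                      /* partial trailer */
}

/* Walk the IE list of a beacon. Returns the IE count and stores the number
 * of vendor-IE attributes seen, or -1 if any field runs past caplen. */
int walk_tagged_params(const uint8_t *h80211, size_t caplen, int *attrs)
{
    const uint8_t *p = h80211 + MGMT_HDR_LEN + BEACON_FIXED;
    int count = 0;
    *attrs = 0;
    if (caplen < MGMT_HDR_LEN + BEACON_FIXED)
        return -1;
    while (remaining(h80211, caplen, p) >= 2) {         /* id + length */
        uint8_t id = p[0], len = p[1];
        if (len > remaining(h80211, caplen, p) - 2)     /* value past end */
            return -1;
        if (id == 0xdd && len >= 4) {                   /* OUI(3) + type(1) */
            int n = count_attrs(p + 6, (size_t)len - 4);
            if (n < 0)
                return -1;
            *attrs += n;
        }
        p += 2 + len;
        count++;
    }
    return remaining(h80211, caplen, p) == 0 ? count : -1;
}

/* Copy the 6-byte addresses a control frame carries at offsets 4, 10, 16,
 * stopping at the first one that does not fit in caplen. */
int read_ctrl_addrs(const uint8_t *h80211, size_t caplen, uint8_t out[3][6])
{
    int n = 0;
    for (size_t off = 4; off <= 16 && n < 3; off += 6) {
        if (caplen < off + 6)                           /* no caplen-6 underflow */
            break;
        memcpy(out[n++], h80211 + off, 6);
    }
    return n;
}

/* Constructed beacon: header, fixed fields, SSID "test", vendor IE with two
 * attributes (58 bytes total). */
static const uint8_t sample_beacon[] = {
    0x80,0x00, 0x00,0x00, 0xff,0xff,0xff,0xff,0xff,0xff,
    0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x01, 0x00,0x00,
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x01,0x04,
    0x00,0x04,'t','e','s','t',
    0xdd,0x0e, 0x00,0x50,0xf2,0x04, 0x10,0x4a,0x00,0x01,0x10, 0x10,0x44,0x00,0x01,0x02
};
/* Constructed RTS control frame: fc, duration, RA, TA. */
static const uint8_t sample_rts[16] = { 0xb4,0x00, 0x00,0x00, 0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02 };

/* Parse the samples truncated to a given caplen. */
int sample_ies(size_t caplen)   { int a; return walk_tagged_params(sample_beacon, caplen, &a); }
int sample_attrs(size_t caplen) { int a; return walk_tagged_params(sample_beacon, caplen, &a) < 0 ? -1 : a; }
int sample_addrs(size_t caplen) { uint8_t o[3][6]; return read_ctrl_addrs(sample_rts, caplen, o); }

int main(void)
{
    size_t cuts[] = { sizeof sample_beacon, 50, 43, 42, 20 };
    for (size_t i = 0; i < 5; i++)
        printf("beacon caplen %zu: ies=%d attrs=%d\n", cuts[i], sample_ies(cuts[i]), sample_attrs(cuts[i]));
    printf("rts caplen 16: %d addrs, caplen 12: %d, caplen 5: %d\n",
           sample_addrs(16), sample_addrs(12), sample_addrs(5));
    return 0;
}
```

Cutting the beacon at 50 bytes (inside the vendor IE) or at 43 bytes (one stray byte after the SSID IE) is rejected as truncated, while a cut at exactly 42 bytes parses the SSID and stops cleanly; the address walk returns however many complete addresses fit and never forms `caplen - 6`.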

@aircrack-ng
Owner

aircrack-ng commented Jun 18, 2018

It definitely would help a lot. The rest is good to go but those 2 cases are a bit trickier.

Thanks
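The test file requested in this thread is a pcap whose records reach the branches with a `caplen` smaller than the code expects. As an added example (not aircrack-ng code, and not a file from the author), the block below builds such a file in memory: a classic pcap global header with link type 105 (IEEE 802.11), one record carrying a full frame, then one record per cut length with `incl_len` set to the truncated size and `orig_len` to the full size, which is exactly the `caplen` a parser receives. The RTS frame bytes, the cut lengths and the `build_truncation_pcap`/`build_sample`/`sample_u32` names are constructed for the example.

```c
/*
 * Added example, not aircrack-ng code: build a pcap (link type 105,
 * IEEE 802.11) whose records are truncated copies of one frame, giving a
 * parser's caplen checks a reproducible regression input. Each record's
 * incl_len is the truncated size and orig_len the full size. The frame
 * bytes are constructed, not captured.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PCAP_MAGIC      0xa1b2c3d4u   /* little-endian, microsecond timestamps */
#define DLT_IEEE802_11  105
#define PCAP_GLOBAL_LEN 24
#define PCAP_RECORD_LEN 16

static void put16(uint8_t *o, uint16_t v) { o[0] = (uint8_t)(v & 0xff); o[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *o, uint32_t v) { put16(o, (uint16_t)v); put16(o + 2, (uint16_t)(v >> 16)); }
static uint32_t get32(const uint8_t *i)
{
    return (uint32_t)i[0] | (uint32_t)i[1] << 8 | (uint32_t)i[2] << 16 | (uint32_t)i[3] << 24;
}

/* Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype. */
static void write_global_header(uint8_t *o)
{
    put32(o, PCAP_MAGIC); put16(o + 4, 2); put16(o + 6, 4);
    put32(o + 8, 0); put32(o + 12, 0); put32(o + 16, 65535); put32(o + 20, DLT_IEEE802_11);
}

/* Record header (ts_sec, ts_usec, incl_len, orig_len) then incl bytes of frame. */
static void write_record(uint8_t *o, uint32_t ts, const uint8_t *frame, size_t incl, size_t orig)
{
    put32(o, ts); put32(o + 4, 0); put32(o + 8, (uint32_t)incl); put32(o + 12, (uint32_t)orig);
    memcpy(o + PCAP_RECORD_LEN, frame, incl);
}

/* Emit the full frame, then one record per cut length (each < frame_len).
 * Returns bytes written, or 0 if out_size is too small or a cut is invalid. */
size_t build_truncation_pcap(uint8_t *out, size_t out_size,
                             const uint8_t *frame, size_t frame_len,
                             const size_t *cuts, size_t ncuts)
{
    size_t n = PCAP_GLOBAL_LEN + PCAP_RECORD_LEN + frame_len;
    for (size_t i = 0; i < ncuts; i++) {
        if (cuts[i] >= frame_len) return 0;
        n += PCAP_RECORD_LEN + cuts[i];
    }
    if (n > out_size) return 0;

    write_global_header(out);
    size_t pos = PCAP_GLOBAL_LEN;
    write_record(out + pos, 0, frame, frame_len, frame_len);
    pos += PCAP_RECORD_LEN + frame_len;
    for (size_t i = 0; i < ncuts; i++) {
        write_record(out + pos, (uint32_t)(i + 1), frame, cuts[i], frame_len);
        pos += PCAP_RECORD_LEN + cuts[i];
    }
    return pos;
}

/* Constructed RTS control frame (16 bytes): fc, duration, RA, TA. */
static const uint8_t rts_frame[16] = { 0xb4,0x00, 0x00,0x00, 0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02 };
static const size_t rts_cuts[] = { 12, 9, 4 };   /* inside TA, inside RA, header only */
static uint8_t sample_out[256];

/* Build the sample file into sample_out; returns its length (129 bytes). */
size_t build_sample(void)
{
    return build_truncation_pcap(sample_out, sizeof sample_out, rts_frame, sizeof rts_frame, rts_cuts, 3);
}
/* Read a 32-bit little-endian field of the built file at a byte offset. */
uint32_t sample_u32(size_t off) { return get32(sample_out + off); }

int main(void)
{
    size_t n = build_sample();
    FILE *f = fopen("truncated_rts.pcap", "wb");
    if (!f) { perror("truncated_rts.pcap"); return 1; }
    size_t w = fwrite(sample_out, 1, n, f);
    fclose(f);
    if (w != n) { perror("fwrite"); return 1; }
    printf("wrote %zu bytes (1 full record + 3 truncated)\n", n);
    return 0;
}
```

Feeding the resulting file to the parser under test (airodump-ng reads pcap input with `-r`) exercises the address loop with a caplen of 12, 9 and 4 bytes; any read past `incl_len` shows up under a sanitizer, and the same approach with a beacon cut inside its vendor IE covers the tagged-parameter loop.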
