perform improved bounds checking in airodump #1895
base: master
A handful of code paths could read past the end of the buffer holding incoming packets from the wireless adapter. This improves the bounds checking to ensure that the code never reads past the end of the buffer. Malformed packets will still be written to PCAP. These bugs were found by fuzzing with AFL: http://lcamtuf.coredump.cx/afl
@@ -2162,7 +2165,7 @@ int dump_add_packet( unsigned char *h80211, int caplen, struct rx_info *ri, int | |||
org_p = p; | |||
p+=6; | |||
int len = length, subtype = 0, sublen = 0; | |||
while(len >= 4) | |||
while(p + 5 < h80211 + caplen && len >= 4) |
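Review bot: the new guard `p + 5 < h80211 + caplen` only proves that the six bytes p[0..5] are readable at the top of each iteration, while `len` is still initialised from `length`, a value taken from the packet rather than from `caplen`; if the body then reads `sublen` bytes of value data or advances `p` by `sublen`, that step needs its own check against `h80211 + caplen` before the read, or the remaining count should be derived from the buffer itself, e.g. `size_t rem = (size_t)(h80211 + caplen - p);` with `sublen` compared against `rem` instead of `len`. Also, once `p` has run past the end of the capture, forming `p + 5` is out-of-range pointer arithmetic; writing the condition as `(h80211 + caplen) - p >= 6` states the same requirement without stepping outside the buffer. For the test file requested below, a capture whose final element declares a length larger than the bytes that remain would exercise exactly this path.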
Do you have a file to test this case?
@@ -2754,7 +2759,7 @@ int dump_add_packet( unsigned char *h80211, int caplen, struct rx_info *ri, int | |||
if(h80211[0] & 0x04) | |||
{ | |||
p=h80211+4; | |||
while(p <= h80211+16 && p<=h80211+caplen) | |||
while(p <= h80211+16 && p<=h80211+caplen-6) |
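Review bot: `h80211+caplen-6` is computed before it is compared, so for a capture shorter than 6 bytes the expression points before the start of the array, which is undefined pointer arithmetic in C even though the comparison then fails as intended. Rewriting the second condition as `p + 6 <= h80211 + caplen`, or in integer form `(size_t)(p - h80211) + 6 <= (size_t)caplen`, expresses the same "six readable bytes at p" requirement while staying inside the buffer. Since the upper bound `p <= h80211+16` lets the last iteration read bytes 16..21, a 22-byte frame with bit 0x04 set in the first byte reaches all three address slots and a 21-byte one hits the new truncation exit; that pair would make a compact regression sample for the test file requested below.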
Do you have a file to test this case?
He found it with a fuzzer, so I'm assuming the answer is no.
@ZeroChaos-, the fuzzer generates files.
I don't have a test file for this specific branch. The fuzzer pointed me to this general neighborhood of code, and upon manually reviewing things I found that the bounds handling was incorrect throughout. This patchset reflects a manual review of every possible branch, ensuring that each buffer was the correct minimum size for reading at a given offset. I can manually generate some test files that reach this branch if that would help you merge this patchset.
It definitely would help a lot. The rest is good to go but those 2 cases are a bit trickier. Thanks
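The principle the author describes above, checking that the buffer holds the minimum number of bytes needed for a read at a given offset before performing it, is illustrated by the following added example. It is not code from this pull request or from aircrack-ng: the helper names (`in_bounds`, `count_addresses`, `count_elements`) and the sample frames are constructed for illustration, and the element walk uses the generic 802.11 information-element layout (1-byte id, 1-byte length, value) rather than the project's own loop. Every check is expressed as an integer offset comparison, so no pointer is ever formed outside the buffer, and a truncated element stops the walk instead of being read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* True when n bytes starting at byte offset off lie entirely inside a
 * buffer of caplen bytes. Subtracting only after off <= caplen keeps the
 * arithmetic free of underflow, and no pointer beyond the buffer is built. */
static int in_bounds(size_t caplen, size_t off, size_t n)
{
    return off <= caplen && n <= caplen - off;
}

/* Walk the up-to-three 6-byte address slots at offsets 4, 10 and 16 of a
 * frame whose first byte has bit 0x04 set, the same shape as the second hunk.
 * Returns the number of slots that are fully inside the capture, or -1 when
 * the frame is empty or does not have the bit set. */
static int count_addresses(const uint8_t *h80211, size_t caplen)
{
    if (!in_bounds(caplen, 0, 1) || !(h80211[0] & 0x04))
        return -1;

    int n = 0;
    for (size_t off = 4; off <= 16; off += 6) {
        if (!in_bounds(caplen, off, 6))
            break;              /* truncated: stop before reading past caplen */
        n++;
    }
    return n;
}

/* Walk id/len/value elements starting at byte offset off (generic IE layout,
 * an illustration of the pattern rather than the project's loop). The 2-byte
 * header must fit, and then the value length that header declares must fit,
 * before either is trusted. Returns the number of complete elements. */
static int count_elements(const uint8_t *buf, size_t caplen, size_t off)
{
    int n = 0;
    while (in_bounds(caplen, off, 2)) {
        size_t elen = buf[off + 1];          /* length comes from the packet */
        if (!in_bounds(caplen, off + 2, elen))
            break;              /* declared length exceeds what remains */
        n++;
        off += 2 + elen;
    }
    return n;
}

/* Constructed sample: first byte has 0x04 set, 22 bytes cover all three
 * address slots (bytes 4..21). Shorter caplen values passed to
 * count_addresses model truncated captures of the same frame. */
static const uint8_t sample_ctrl_frame[22] = {
    0xC4, 0x00, 0x00, 0x00,
    0x02, 0x11, 0x11, 0x11, 0x11, 0x01,
    0x02, 0x22, 0x22, 0x22, 0x22, 0x02,
    0x02, 0x33, 0x33, 0x33, 0x33, 0x03
};

/* Constructed sample: one complete element (id 0, len 3) followed by one that
 * declares 2 value bytes but only has 1 captured. */
static const uint8_t sample_elements[8] = {
    0x00, 0x03, 'a', 'b', 'c',
    0xDD, 0x02, 0x01
};

int main(void)
{
    printf("22-byte frame: %d addresses\n", count_addresses(sample_ctrl_frame, 22));
    printf("21-byte frame: %d addresses\n", count_addresses(sample_ctrl_frame, 21));
    printf(" 9-byte frame: %d addresses\n", count_addresses(sample_ctrl_frame, 9));
    printf("elements with truncated tail: %d complete\n",
           count_elements(sample_elements, sizeof sample_elements, 0));
    return 0;
}
```

The same `in_bounds` test can be reused at every read site, which is what makes a manual review of each branch tractable: the question at each offset is always "does `off + n` fit inside `caplen`", never "where does this pointer end up".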