[Bro-Dev] #962: Internal Error: IPv6_HdrChain

Bro Tracker bro at tracker.bro.org
Sun Mar 10 12:57:14 PDT 2013 

#962: Internal Error: IPv6_HdrChain
------------------------+-------------------
 Reporter:  jbaines     |       Type:  Patch
   Status:  new         |   Priority:  Low
Milestone:  Bro2.2      |  Component:  Bro
  Version:  git/master  |   Keywords:
------------------------+-------------------
 '''Version''': Master (0075973249906ce1374948b567d261395f99220e)
 '''Description''': A wireshark fuzz capture causes an internal error
 ''IPv6_HdrChain::Init with truncated IP header''
 '''File''':
 https://www.wireshark.org/download/automated/captures/fuzz-2007-03-23-3696.pcap

 '''Output'''
 ''Command line''
 {{{
 ./bro -C -r fuzz-2007-03-23-3696.pcap
 1174679695.036000 internal error: IPv6_HdrChain::Init with truncated IP
 header
 Aborted (core dumped)
 }}}
 ''gdb''
 {{{
 1174679695.036000 internal error: IPv6_HdrChain::Init with truncated IP
 header

 Program received signal SIGABRT, Aborted.
 0xb7fdd424 in __kernel_vsyscall ()
 (gdb) bt
 #0  0xb7fdd424 in __kernel_vsyscall ()
 #1  0xb7a201df in __GI_raise (sig=6) at
 ../nptl/sysdeps/unix/sysv/linux/raise.c:64
 #2  0xb7a23825 in __GI_abort () at abort.c:91
 #3  0x08364eb8 in Reporter::InternalError (this=0x859d2c8,
     fmt=0x84880d4 "IPv6_HdrChain::Init with truncated IP header")
     at /projects/bro/src/Reporter.cc:137
 #4  0x083583da in IPv6_Hdr_Chain::Init (this=0x8fa8370, ip6=0x8f7fc2e,
 total_len=-13,
     set_next=false, next=0) at /projects/bro/src/IP.cc:436
 #5  0x0831f091 in IPv6_Hdr_Chain::IPv6_Hdr_Chain (this=0x8fa8370,
 ip6=0x8f7fc2e, len=-13)
     at /projects/bro/src/IP.h:149
 #6  0x0831f34d in IP_Hdr::IP_Hdr (this=0xbfffed4c, arg_ip6=0x8f7fc2e,
 arg_del=false, len=-13,
     c=0x0) at /projects/bro/src/IP.h:359
 #7  0x083c5831 in NetSessions::NextPacket (this=0x8f8fc28,
 t=1174679695.036, hdr=0x8f7f5a8,
     pkt=0x8f7fc20 "\377MT\r\nETag: \"5eb1cb30fc6fc41:146a\"\r\nContent-
 Le\aA\324\005",
     hdr_size=14, pkt_elem=0x0) at /projects/bro/src/Sessions.cc:249
 #8  0x083c55ad in NetSessions::DispatchPacket (this=0x8f8fc28,
 t=1174679695.036,
     hdr=0x8f7f5a8,
     pkt=0x8f7fc20 "\377MT\r\nETag: \"5eb1cb30fc6fc41:146a\"\r\nContent-
 Le\aA\324\005",
     hdr_size=14, src_ps=0x8f7f570, pkt_elem=0x0)
     at /projects/bro/src/Sessions.cc:186
 #9  0x08374b68 in net_packet_dispatch (t=1174679695.036, hdr=0x8f7f5a8,
     pkt=0x8f7fc20 "\377MT\r\nETag: \"5eb1cb30fc6fc41:146a\"\r\nContent-
 Le\aA\324\005",
     hdr_size=14, src_ps=0x8f7f570, pkt_elem=0x0) at
 /projects/bro/src/Net.cc:353
 #10 0x08374da2 in net_packet_arrival (t=1174679695.036, hdr=0x8f7f5a8,
     pkt=0x8f7fc20 "\377MT\r\nETag: \"5eb1cb30fc6fc41:146a\"\r\nContent-
 Le\aA\324\005",
     hdr_size=14, src_ps=0x8f7f570) at /projects/bro/src/Net.cc:416
 #11 0x083893dd in PktSrc::Process (this=0x8f7f570)
     at /projects/bro/src/PktSrc.cc:303
 #12 0x08374ed8 in net_run () at /projects/bro/src/Net.cc:447
 #13 0x08289236 in main (argc=4, argv=0xbffff2c4) at
 /projects/bro/src/main.cc:1077
 }}}

 '''The Problem'''
 The problem is a roll over at Sessions.cc:226 when hdr_size > hdr->caplen.
 The next line doesn't catch the roll over since caplen in unsigned.

 '''The Fix'''
 Add an additional check to make sure that hdr_line < hdr->cap_len

-- 
Ticket URL: <http://tracker.bro.org/bro/ticket/962>
Bro Tracker <http://tracker.bro.org/bro>
Bro Issue Tracker

More information about the bro-dev mailing list