From ea786c2457498e708b0734c233a4292529cc2e2d Mon Sep 17 00:00:00 2001
From: allfro
Date: Sat, 23 Jul 2011 18:43:19 -0700
Subject: Fixes a bug that incorrectly converts the addr, mask, and next_hop fields to network byte order. Users will usually call libnet_name2addr4 to fill these fields and this function already provides a network byte-ordered value.
---
 libnet/src/libnet_build_rip.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libnet/src/libnet_build_rip.c b/libnet/src/libnet_build_rip.c
index 911d0cf..52a2db7 100644
--- a/libnet/src/libnet_build_rip.c
+++ b/libnet/src/libnet_build_rip.c
@@ -73,9 +73,9 @@ libnet_ptag_t ptag)
 rip_hdr.rip_rd = htons(rd);
 rip_hdr.rip_af = htons(af);
 rip_hdr.rip_rt = htons(rt);
- rip_hdr.rip_addr = htonl(addr);
- rip_hdr.rip_mask = htonl(mask);
- rip_hdr.rip_next_hop = htonl(next_hop);
+ rip_hdr.rip_addr = addr;
+ rip_hdr.rip_mask = mask;
+ rip_hdr.rip_next_hop = next_hop;
 rip_hdr.rip_metric = htonl(metric);
 n = libnet_pblock_append(l, p, (uint8_t *)&rip_hdr, LIBNET_RIP_H);
--
cgit v1.2.1
From 0e27fc96951d5a131278a17c88786ce067c3437f Mon Sep 17 00:00:00 2001
From: allfro
Date: Sat, 23 Jul 2011 19:38:42 -0700
Subject: Fixes incorrect memory block size set in the timeexceed and redirect builders. The n variable does not add the size of the payload (payload_s) for proper allocation of the buffer when payload is not NULL and payload_s is greater than 0. This results in a memcpy buffer overflow error when libnet_pblock_append is called exiting the program.
---
 libnet/src/libnet_build_icmp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libnet/src/libnet_build_icmp.c b/libnet/src/libnet_build_icmp.c
index 7233b3e..d46590f 100644
--- a/libnet/src/libnet_build_icmp.c
+++ b/libnet/src/libnet_build_icmp.c
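Review bot: Nothing in the libnet_build_rip.c hunk records that `addr`, `mask` and `next_hop` are now expected in network byte order, while `rd`, `af`, `rt` and `metric` on the neighbouring lines are still converted with htons()/htonl(). A caller that passes host-order values, which the old code required, will now emit byte-swapped route entries with no compile-time or run-time signal. A comment above the three assignments such as `/* addr, mask, next_hop: caller supplies network byte order (e.g. from libnet_name2addr4()); do not convert again */`, repeated in the function's public documentation, would make the changed contract explicit. The function body starts and ends outside the hunk.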
@@ -313,7 +313,7 @@ const uint8_t *payload, uint32_t payload_s, libnet_t *l, libnet_ptag_t ptag)
 }
 /* size of memory block */
- n = LIBNET_ICMPV4_TIMXCEED_H;
+ n = LIBNET_ICMPV4_TIMXCEED_H + payload_s;
 /*
 * FREDRAYNAL: as ICMP checksum includes what is embedded in
 * the payload, and what is after the ICMP header, we need to include
@@ -362,7 +362,7 @@ libnet_ptag_t ptag)
 return (-1);
 }
- n = LIBNET_ICMPV4_REDIRECT_H; /* size of memory block */
+ n = LIBNET_ICMPV4_REDIRECT_H + payload_s; /* size of memory block */
 /*
 * FREDRAYNAL: as ICMP checksum includes what is embedded in
 * the payload, and what is after the ICMP header, we need to include
--
cgit v1.2.1
From 31b83cb6c2591be2bd17416d82fcfdcacffb7141 Mon Sep 17 00:00:00 2001
From: allfro
Date: Fri, 29 Jul 2011 09:11:49 -0300
Subject: Fixes improper calculation of header size when libnet_pblock_probe is called. payload_s must be added to the header length in order to accommodate for the existence of a non-NULL payload. Otherwise the user is prompted with a 'memcpy would cause overflow' error and the program exits.
---
 libnet/src/libnet_build_hsrp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libnet/src/libnet_build_hsrp.c b/libnet/src/libnet_build_hsrp.c
index 7c03749..8f56945 100644
--- a/libnet/src/libnet_build_hsrp.c
+++ b/libnet/src/libnet_build_hsrp.c
@@ -57,7 +57,7 @@ const uint8_t *payload, uint32_t payload_s, libnet_t *l, libnet_ptag_t ptag)
 * Find the existing protocol block if a ptag is specified, or create
 * a new one.
 */
- p = libnet_pblock_probe(l, ptag, LIBNET_HSRP_H, LIBNET_PBLOCK_HSRP_H);
+ p = libnet_pblock_probe(l, ptag, LIBNET_HSRP_H + payload_s, LIBNET_PBLOCK_HSRP_H);
 if (p == NULL)
 {
 return (-1);
--
cgit v1.2.1
From f0698e1ed77c2d83491a42e5402ac738596c75e6 Mon Sep 17 00:00:00 2001
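Review bot: `LIBNET_ICMPV4_TIMXCEED_H + payload_s` in the first libnet_build_icmp.c hunk is unchecked arithmetic on a caller-supplied `uint32_t`, so a payload_s close to the type's maximum wraps to a small n and the block is once more sized smaller than the data later appended to it. The same applies to `LIBNET_ICMPV4_REDIRECT_H + payload_s` in the second hunk and to `LIBNET_HSRP_H + payload_s` in the libnet_build_hsrp.c hunk. A guard before the assignment, for example `if (payload_s > UINT32_MAX - LIBNET_ICMPV4_TIMXCEED_H) return (-1);`, rejects the request instead; n is declared outside the hunk, so its width should be confirmed. The sum also counts payload_s when payload is NULL, so that combination should be rejected before the block is sized unless the builders already do so outside the visible lines.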
From: allfro
Date: Sat, 30 Jul 2011 10:18:28 -0300
Subject: Fixes a buffer overflow issue when copying chaddr, file, and sname fields to the DHCP header.
---
 libnet/src/libnet_build_dhcp.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/libnet/src/libnet_build_dhcp.c b/libnet/src/libnet_build_dhcp.c
index ed80230..d147958 100644
--- a/libnet/src/libnet_build_dhcp.c
+++ b/libnet/src/libnet_build_dhcp.c
@@ -83,8 +83,7 @@ libnet_t *l, libnet_ptag_t ptag)
 if (chaddr)
 {
- memcpy(dhcp_hdr.dhcp_chaddr, chaddr, sizeof (dhcp_hdr.dhcp_chaddr));
- dhcp_hdr.dhcp_chaddr[sizeof(dhcp_hdr.dhcp_chaddr) - 1] = 0;
+ strncpy((char *)dhcp_hdr.dhcp_chaddr, (const char *)chaddr, sizeof (dhcp_hdr.dhcp_chaddr) - 2);
 }
 else
 {
@@ -93,8 +92,7 @@ libnet_t *l, libnet_ptag_t ptag)
 if (sname)
 {
- memcpy(dhcp_hdr.dhcp_sname, sname, sizeof (dhcp_hdr.dhcp_sname));
- dhcp_hdr.dhcp_sname[sizeof(dhcp_hdr.dhcp_sname) - 1] = 0;
+ strncpy((const char *)dhcp_hdr.dhcp_sname, (char *)sname, sizeof (dhcp_hdr.dhcp_sname) - 2);
 }
 else
 {
@@ -103,8 +101,7 @@ libnet_t *l, libnet_ptag_t ptag)
 if (file)
 {
- memcpy(dhcp_hdr.dhcp_file, file, sizeof (dhcp_hdr.dhcp_file));
- dhcp_hdr.dhcp_file[sizeof(dhcp_hdr.dhcp_file) - 1] = 0;
+ strncpy(dhcp_hdr.dhcp_file, file, sizeof (dhcp_hdr.dhcp_file) - 2);
 }
 else
 {
@@ -153,4 +150,4 @@ libnet_t *l, libnet_ptag_t ptag)
 l, ptag));
 }
-/* EOF */
+/* EOF */
\ No newline at end of file
--
cgit v1.2.1
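Review bot: The new `strncpy()` on `dhcp_chaddr` in the first libnet_build_dhcp.c hunk treats a binary hardware address as a C string, so an address containing a 0x00 byte is cut off at that byte and zero-filled, and the packet carries the wrong client address. In that hunk and in the sname and file hunks after it, the explicit terminator is removed and the bound is an unexplained `sizeof (...) - 2`, so the string fields stay NUL-terminated only if dhcp_hdr was zeroed earlier, which is not visible here; the sname call also casts its destination to `const char *`. Copying chaddr by length and keeping an explicit NUL on the two string fields bounds both the read from the caller's buffer and the write into the header. The sketch assumes the builder's hardware-address length argument (`hlen`) is in scope, and the function starts and ends outside these hunks.

```c
    if (chaddr)
    {
        /* raw bytes, may contain 0x00: bound by length, never by terminator */
        size_t chaddr_s = hlen;

        if (chaddr_s > sizeof (dhcp_hdr.dhcp_chaddr))
        {
            chaddr_s = sizeof (dhcp_hdr.dhcp_chaddr);
        }
        memset(dhcp_hdr.dhcp_chaddr, 0, sizeof (dhcp_hdr.dhcp_chaddr));
        memcpy(dhcp_hdr.dhcp_chaddr, chaddr, chaddr_s);
    }
    /* ... unchanged: else branch ... */
    if (sname)
    {
        /* string field: bounded copy, then terminate explicitly */
        strncpy((char *)dhcp_hdr.dhcp_sname, (const char *)sname,
                sizeof (dhcp_hdr.dhcp_sname) - 1);
        dhcp_hdr.dhcp_sname[sizeof (dhcp_hdr.dhcp_sname) - 1] = 0;
    }
    /* ... unchanged: else branch; dhcp_file is handled the same way as dhcp_sname ... */
```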