pkg-perl-maintainers team mailing list archive
Message #01056
[Bug 667202] [NEW] device names longer than "13" characters produce a buffer overflow
Public bug reported:
Binary package hint: libnet-rawip-perl
1)
Description: Ubuntu 10.04.1 LTS
Release: 10.04
Linux felix 2.6.32-24-generic #43-Ubuntu SMP Thu Sep 16 14:58:24 UTC
2010 x86_64 GNU/Linux
2)
libnet-rawip-perl:
Installed: 0.25-1
Candidate: 0.25-1
Version table:
*** 0.25-1 0
500 http://de.archive.ubuntu.com/ubuntu/ lucid/universe Packages
100 /var/lib/dpkg/status
*)
Here is my explanation, which I originally wrote to the upstream author at
Perl CPAN, but his email address isn't valid anymore:
In general it happens if the interface
which you use to send out data
has a "visible" name longer than 13 characters.
In my special case I had a VLAN-in-VLAN setup,
so my interface is called "eth0.3775.3775".
It has 14 visible chars + terminating '\0' = 15 chars.
root@felix:~# ./sendraw.pl
start sending packet out of eth0.3775.3775 from 00:11:22:33:44:55 to 00:11:22:33:44:66
*** buffer overflow detected ***: /usr/bin/perl terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7fb700606217]
/lib/libc.so.6(+0xfe0d0)[0x7fb7006050d0]
/usr/lib/perl5/auto/Net/RawIP/RawIP.so(send_eth_packet+0x46)[0x7fb7000ca8a6]
/usr/lib/perl5/auto/Net/RawIP/RawIP.so(XS_Net__RawIP_send_eth_packet+0x203)[0x7fb7000c8c43]
/usr/lib/libperl.so.5.10(Perl_pp_entersub+0x5a5)[0x7fb700fd9045]
/usr/lib/libperl.so.5.10(Perl_runops_standard+0x16)[0x7fb700fd7336]
/usr/lib/libperl.so.5.10(perl_run+0x33c)[0x7fb700f7f3cc]
/usr/bin/perl(main+0xec)[0x400d7c]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7fb700525c4d]
/usr/bin/perl[0x400bc9]
======= Memory map: ========
[...]
Aborted
I looked into the source (eth.c / line 134):
    strcpy((char *)spkt.spkt_device, eth_device);
It copies the given device name to
"sockaddr_pkt.spkt_device", which is defined as
char[14], but my device name has 15 characters:
(include/linux/if_packet.h)
    struct sockaddr_pkt
    {
        unsigned short spkt_family;
        unsigned char spkt_device[14];
        __be16 spkt_protocol;
    };
Normally Linux is able to use interfaces
with names up to 16 chars (15 visible + '\0'):
(include/linux/if.h)
    #define IFNAMSIZ 16
I guess the problem is that the C code uses
this long-deprecated structure
"sockaddr_pkt" instead of the new "sockaddr_ll",
which also uses IFNAMSIZ internally
(http://unixhelp.ed.ac.uk/CGI/man-cgi?ip+7):
"The main difference is the new sockaddr_ll address
structure for generic link layer information instead
of the old sockaddr_pkt."
So either you could change to the new struct,
which may cause more work,
or you keep the old one and deny interfaces > 14 chars
at the tap(...) method,
which is executed in RawIP.pm before send_eth_packet.
If the latter solution is chosen, please document the limitation.
** Affects: libnet-rawip-perl (Ubuntu)
Importance: Undecided
Status: New
--
device names longer than "13" characters produce a buffer overflow
https://bugs.launchpad.net/bugs/667202
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libnet-rawip-perl in ubuntu.