On Wednesday 12 November 2014 18:58:25 Sven Eckelmann wrote:
batctl tcpdump has an array with all known TVLVs and versions. The correct parser for the TVLV is chosen by getting the pointer from the address calculated by version and type. Unfortunately, the version and type was never validated to ensure that not an unknown TVLV (like mcast) was received.
This missing validation makes it possible to crash batctl by injecting packets with an unknown type and/or version. batctl will try to get the parser, fetch a NULL pointer or random data and then try to dereferenced it. This is usually handled by the operating system with a segfault. But this might be exploitable in rare situations.
An approach to handle this problem is by combining the simple selection step with the validation step. Only valid version+type will return a parser function pointer and the requesting function will only call the parser function pointer when it got one.
This regression was introduced by 4c39fb823b86036df40187f8bd342fe5398c28ef ("batctl: tcpdump - parse TVLV containers").
Signed-off-by: Sven Eckelmann sven@narfation.org
tcpdump.c | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 53 insertions(+), 14 deletions(-)
Applied in revision 140882b.
Thanks, Marek