FreeBSD / Apple libc link_ntoa() buffer overflow Exploit

Improper bounds checking of the obuf variable in the link_ntoa() function in linkaddr.c may allow an attacker to read or write from memory.

The routine link_addr() interprets character strings representing link-level addresses, returning binary information suitable for use in system calls. The routine link_ntoa() takes a link-level address and returns an ASCII string representing some of the information present, including the link level address itself, and the interface name or number, if present. This facility is experimental and is still subject to change.

For link_addr(), the string addr may contain an optional network interface identifier of the form ``name unit-number'', suitable for the first argument to ifconfig(8), followed in all cases by a colon and an interface address in the form of groups of hexadecimal digits separated by periods. Each group represents a byte of address; address bytes are filled left to right from low order bytes through high order bytes.

Thus le0:8.0.9.13.d.30 represents an ethernet address to be transmitted on the first Lance ethernet interface.

If the sdl_len field of the link socket address sdl is 0, link_ntoa() will not insert a colon before the interface address bytes. If this translated address is given to link_addr() without inserting an initial colon, the latter will not interpret it correctly.


PATCH:
+++ lib/libc/net/linkaddr.c
@@ -35,6 +35,7 @@

#include <sys/types.h>
#include <sys/socket.h>
+#include <net/if.h>
#include <net/if_dl.h>
#include <string.h>

@@ -122,31 +123,47 @@
link_ntoa(const struct sockaddr_dl *sdl)
{
static char obuf[64];
- char *out = obuf;
- int i;
- u_char *in = (u_char *)LLADDR(sdl);
- u_char *inlim = in + sdl->sdl_alen;
- int firsttime = 1;
+ _Static_assert(sizeof(obuf) >= IFNAMSIZ + 20, "obuf is too small");
+ char *out;
+ const char *in, *inlim;
+ int namelen, i, rem;

- if (sdl->sdl_nlen) {
- bcopy(sdl->sdl_data, obuf, sdl->sdl_nlen);
- out += sdl->sdl_nlen;
- if (sdl->sdl_alen)
+ namelen = (sdl->sdl_nlen <= IFNAMSIZ) ? sdl->sdl_nlen : IFNAMSIZ;
+
+ out = obuf;
+ rem = sizeof(obuf);
+ if (namelen > 0) {
+ bcopy(sdl->sdl_data, out, namelen);
+ out += namelen;
+ rem -= namelen;
+ if (sdl->sdl_alen > 0) {
*out++ = ':';
+ rem--;
+ }
}
- while (in < inlim) {
- if (firsttime)
- firsttime = 0;
- else
+
+ in = (const char *)sdl->sdl_data + sdl->sdl_nlen;
+ inlim = in + sdl->sdl_alen;
+
+ while (in < inlim && rem > 1) {
+ if (in != (const char *)sdl->sdl_data + sdl->sdl_nlen) {
*out++ = '.';
+ rem--;
+ }
i = *in++;
if (i > 0xf) {
- out[1] = hexlist[i & 0xf];
+ if (rem < 3)
+ break;
+ *out++ = hexlist[i & 0xf];
i >>= 4;
- out[0] = hexlist[i];
- out += 2;
- } else
*out++ = hexlist[i];
+ rem -= 2;
+ } else {
+ if (rem < 2)
+ break;
+ *out++ = hexlist[i];
+ rem++;
+ }
}
*out = 0;
return (obuf);

#  0day.today [2018-03-01]  #