Skip to content

Commit

Permalink
Fix buffer size issues
Browse files Browse the repository at this point in the history
  • Loading branch information
@fgont
fgont committed Oct 17, 2024
1 parent d35c1de commit 60f57fc
Show file tree
Hide file tree
Showing 21 changed files with 236 additions and 234 deletions.
2 changes: 1 addition & 1 deletion tools/addr6.c
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
/*
* addr6: A tool to decode IPv6 addresses
*
* Copyright (C) 2013-2019 Fernando Gont (fgont@si6networks.com)
* Copyright (C) 2013-2024 Fernando Gont (fgont@si6networks.com)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
Expand Down
12 changes: 6 additions & 6 deletions tools/flow6.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
* flow6: A security assessment tool that determines the Flow Label
* generation policy of a target node
*
* Copyright (C) 2011-2020 Fernando Gont <fgont@si6networks.com>
* Copyright (C) 2011-2024 Fernando Gont <fgont@si6networks.com>
*
* Programmed by Fernando Gont for SI6 Networks <https://www.si6networks.com>
*
Expand Down Expand Up @@ -84,7 +84,7 @@ bpf_u_int32 my_netmask;
bpf_u_int32 my_ip;
struct bpf_program pcap_filter;
char dev[64], errbuf[PCAP_ERRBUF_SIZE];
unsigned char buffer[65556], buffrh[MIN_IPV6_HLEN + MIN_TCP_HLEN];
unsigned char buffer[PACKET_BUFFER_SIZE], buffrh[MIN_IPV6_HLEN + MIN_TCP_HLEN];
unsigned char *v6buffer, *ptr, *startofprefixes;
char *pref;
char iface[IFACE_LENGTH];
Expand Down Expand Up @@ -246,7 +246,7 @@ int main(int argc, char **argv) {
break;

case 'S': /* Source Ethernet address */
if (ether_pton(optarg, &(idata.hsrcaddr), sizeof(idata.hsrcaddr)) == 0) {
if (ether_pton(optarg, &(idata.hsrcaddr), sizeof(idata.hsrcaddr)) == FALSE) {
puts("Error in Source link-layer address.");
exit(EXIT_FAILURE);
}
Expand All @@ -255,7 +255,7 @@ int main(int argc, char **argv) {
break;

case 'D': /* Destination Ethernet Address */
if (ether_pton(optarg, &(idata.hdstaddr), sizeof(idata.hdstaddr)) == 0) {
if (ether_pton(optarg, &(idata.hdstaddr), sizeof(idata.hdstaddr)) == FALSE) {
puts("Error in Source link-layer address.");
exit(EXIT_FAILURE);
}
Expand Down Expand Up @@ -773,7 +773,7 @@ void print_help(void) {
*/

void print_attack_info(void) {
if (ether_ntop(&(idata.hsrcaddr), plinkaddr, sizeof(plinkaddr)) == 0) {
if (ether_ntop(&(idata.hsrcaddr), plinkaddr, sizeof(plinkaddr)) == FALSE) {
puts("ether_ntop(): Error converting address");
exit(EXIT_FAILURE);
}
Expand All @@ -784,7 +784,7 @@ void print_attack_info(void) {
Ethernet Destination Address only used if a IPv6 Destination Address or an
Ethernet Destination Address were specified.
*/
if (ether_ntop(&(idata.hdstaddr), plinkaddr, sizeof(plinkaddr)) == 0) {
if (ether_ntop(&(idata.hdstaddr), plinkaddr, sizeof(plinkaddr)) == FALSE) {
puts("ether_ntop(): Error converting address");
exit(EXIT_FAILURE);
}
Expand Down
16 changes: 8 additions & 8 deletions tools/frag6.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
* frag6: A security assessment tool that exploits potential flaws in the
* processing of IPv6 fragments
*
* Copyright (C) 2011-2020 Fernando Gont <fgont@si6networks.com>
* Copyright (C) 2011-2024 Fernando Gont <fgont@si6networks.com>
*
* Programmed by Fernando Gont for SI6 Networks <https://www.si6networks.com>
*
Expand Down Expand Up @@ -96,7 +96,7 @@ bpf_u_int32 my_netmask;
bpf_u_int32 my_ip;
struct bpf_program pcap_filter;
char dev[64], errbuf[PCAP_ERRBUF_SIZE];
unsigned char buffer[65556], buffrh[MIN_IPV6_HLEN + MIN_TCP_HLEN];
unsigned char buffer[PACKET_BUFFER_SIZE], buffrh[MIN_IPV6_HLEN + MIN_TCP_HLEN];
unsigned char *v6buffer, *ptr, *startofprefixes;
char *pref;

Expand Down Expand Up @@ -146,7 +146,7 @@ struct ip6_hdr *fipv6;
unsigned char *fragpart, *ptrend, *ptrhdr, *ptrhdrend;
unsigned int hdrlen, ndstopthdr = 0, nhbhopthdr = 0, ndstoptuhdr = 0;
unsigned int nfrags, fragsize;
unsigned char *prev_nh, *startoffragment;
unsigned char *prev_nh;

/* Basic data blocks used for detecting the fragment reassembly policy. They contain the same words
* in different order, thus resulting in the same checksum
Expand Down Expand Up @@ -420,7 +420,7 @@ int main(int argc, char **argv) {
break;

case 'S': /* Source Ethernet address */
if (ether_pton(optarg, &(idata.hsrcaddr), sizeof(idata.hsrcaddr)) == 0) {
if (ether_pton(optarg, &(idata.hsrcaddr), sizeof(idata.hsrcaddr)) == FALSE) {
puts("Error in Source link-layer address.");
exit(EXIT_FAILURE);
}
Expand All @@ -429,7 +429,7 @@ int main(int argc, char **argv) {
break;

case 'D': /* Destination Ethernet Address */
if (ether_pton(optarg, &(idata.hdstaddr), sizeof(idata.hdstaddr)) == 0) {
if (ether_pton(optarg, &(idata.hdstaddr), sizeof(idata.hdstaddr)) == FALSE) {
puts("Error in Source link-layer address.");
exit(EXIT_FAILURE);
}
Expand Down Expand Up @@ -2148,7 +2148,7 @@ int send_fid_probe(struct iface_data *idata) {
struct ip6_frag *frag;
struct ether_header *ethernet;
struct ip6_hdr *ipv6;
unsigned char *fptr, *fptrend;
unsigned char *fptr, *fptrend, *startoffragment;
unsigned int i;

ethernet = (struct ether_header *)buffer;
Expand Down Expand Up @@ -2326,7 +2326,7 @@ void print_help(void) {

void print_attack_info(struct iface_data *idata) {
if (idata->type == DLT_EN10MB && !(idata->flags & IFACE_LOOPBACK)) {
if (ether_ntop(&(idata->hsrcaddr), plinkaddr, sizeof(plinkaddr)) == 0) {
if (ether_ntop(&(idata->hsrcaddr), plinkaddr, sizeof(plinkaddr)) == FALSE) {
puts("ether_ntop(): Error converting address");
exit(EXIT_FAILURE);
}
Expand All @@ -2337,7 +2337,7 @@ void print_attack_info(struct iface_data *idata) {
Ethernet Destination Address only used if a IPv6 Destination Address or an
Ethernet Destination Address were specified.
*/
if (ether_ntop(&(idata->hdstaddr), plinkaddr, sizeof(plinkaddr)) == 0) {
if (ether_ntop(&(idata->hdstaddr), plinkaddr, sizeof(plinkaddr)) == FALSE) {
puts("ether_ntop(): Error converting address");
exit(EXIT_FAILURE);
}
Expand Down
3 changes: 0 additions & 3 deletions tools/frag6.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,8 +31,5 @@
#define FIXED_ORIGIN 1
#define MULTI_ORIGIN 2

/* Size of the fragmentation buffer (including link-layer headers) for FID probes */
#define FRAG_BUFFER_SIZE (MIN_IPV6_HLEN + FRAG_HDR_SIZE + MAX_IPV6_PAYLOAD)

/* For limiting strncmp */
#define MAX_STRING_SIZE 10
24 changes: 12 additions & 12 deletions tools/icmp6.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
* icmp6: A security assessment tool that exploits potential flaws
* in the processing of ICMPv6 Error messages
*
* Copyright (C) 2011-2020 Fernando Gont <fgont@si6networks.com>
* Copyright (C) 2011-2024 Fernando Gont <fgont@si6networks.com>
*
* Programmed by Fernando Gont for SI6 Networks <https://www.si6networks.com>
*
Expand Down Expand Up @@ -112,7 +112,7 @@ bpf_u_int32 my_netmask;
bpf_u_int32 my_ip;
struct bpf_program pcap_filter;
char dev[64], errbuf[PCAP_ERRBUF_SIZE];
unsigned char buffer[65556], buffrh[MIN_IPV6_HLEN + MIN_TCP_HLEN];
unsigned char buffer[PACKET_BUFFER_SIZE], buffrh[MIN_IPV6_HLEN + MIN_TCP_HLEN];
unsigned char *v6buffer, *ptr, *startofprefixes;
char *pref;

Expand Down Expand Up @@ -150,7 +150,7 @@ unsigned int hbhopthdrlen[MAX_HBH_OPT_HDR], m, pad;
struct ip6_frag fraghdr, *fh;
struct ip6_hdr *fipv6;
unsigned char fragh_f = 0;
unsigned char fragbuffer[ETHER_HDR_LEN + MIN_IPV6_HLEN + MAX_IPV6_PAYLOAD];
unsigned char fragbuffer[FRAG_BUFFER_SIZE];
unsigned char *fragpart, *fptr, *fptrend, *ptrend, *ptrhdr, *ptrhdrend;
unsigned int hdrlen, ndstopthdr = 0, nhbhopthdr = 0, ndstoptuhdr = 0;
unsigned int nfrags, fragsize;
Expand Down Expand Up @@ -454,7 +454,7 @@ int main(int argc, char **argv) {
break;

case 'S': /* Source Ethernet address */
if (ether_pton(optarg, &(idata.hsrcaddr), sizeof(idata.hsrcaddr)) == 0) {
if (ether_pton(optarg, &(idata.hsrcaddr), sizeof(idata.hsrcaddr)) == FALSE) {
puts("Error in Source link-layer address.");
exit(EXIT_FAILURE);
}
Expand All @@ -463,7 +463,7 @@ int main(int argc, char **argv) {
break;

case 'D': /* Destination Ethernet Address */
if (ether_pton(optarg, &(idata.hdstaddr), sizeof(idata.hdstaddr)) == 0) {
if (ether_pton(optarg, &(idata.hdstaddr), sizeof(idata.hdstaddr)) == FALSE) {
puts("Error in Source link-layer address.");
exit(EXIT_FAILURE);
}
Expand Down Expand Up @@ -825,7 +825,7 @@ int main(int argc, char **argv) {
exit(EXIT_FAILURE);
}

if (ether_pton(optarg, &(filters.blocklinksrc[filters.nblocklinksrc]), sizeof(struct ether_addr)) == 0) {
if (ether_pton(optarg, &(filters.blocklinksrc[filters.nblocklinksrc]), sizeof(struct ether_addr)) == FALSE) {
printf("Error in link-layer Source Address (blick) filter number %u.\n", filters.nblocklinksrc + 1);
exit(EXIT_FAILURE);
}
Expand All @@ -839,7 +839,7 @@ int main(int argc, char **argv) {
exit(EXIT_FAILURE);
}

if (ether_pton(optarg, &(filters.blocklinkdst[filters.nblocklinkdst]), sizeof(struct ether_addr)) == 0) {
if (ether_pton(optarg, &(filters.blocklinkdst[filters.nblocklinkdst]), sizeof(struct ether_addr)) == FALSE) {
printf("Error in link-layer Destination Address (blick) filter number %u.\n",
filters.nblocklinkdst + 1);
exit(EXIT_FAILURE);
Expand Down Expand Up @@ -920,7 +920,7 @@ int main(int argc, char **argv) {
exit(EXIT_FAILURE);
}

if (ether_pton(optarg, &(filters.acceptlinksrc[filters.nacceptlinksrc]), sizeof(struct ether_addr)) == 0) {
if (ether_pton(optarg, &(filters.acceptlinksrc[filters.nacceptlinksrc]), sizeof(struct ether_addr)) == FALSE) {
printf("Error in link-layer Source Address (accept) filter number %u.\n", filters.nacceptlinksrc + 1);
exit(EXIT_FAILURE);
}
Expand All @@ -935,7 +935,7 @@ int main(int argc, char **argv) {
exit(EXIT_FAILURE);
}

if (ether_pton(optarg, &(filters.acceptlinkdst[filters.nacceptlinkdst]), sizeof(struct ether_addr)) == 0) {
if (ether_pton(optarg, &(filters.acceptlinkdst[filters.nacceptlinkdst]), sizeof(struct ether_addr)) == FALSE) {
printf("Error in link-layer Destination Address (accept) filter number %u.\n",
filters.nacceptlinkdst + 1);
exit(EXIT_FAILURE);
Expand Down Expand Up @@ -1731,7 +1731,7 @@ void send_packet(struct iface_data *idata, const u_char *pktdata, struct pcap_pk
ptr = fragpart;
fptr = fragbuffer;
fipv6 = (struct ip6_hdr *)(fragbuffer + idata->linkhsize);
fptrend = fptr + idata->linkhsize + MIN_IPV6_HLEN + MAX_IPV6_PAYLOAD;
fptrend = fptr + FRAG_BUFFER_SIZE;
memcpy(fptr, buffer, fragpart - buffer);
fptr = fptr + (fragpart - buffer);

Expand Down Expand Up @@ -1882,7 +1882,7 @@ void print_attack_info(struct iface_data *idata) {
puts("icmp6: Security assessment tool for attack vectors based on ICMPv6 messages\n");

if (idata->type == DLT_EN10MB && !(idata->flags & IFACE_LOOPBACK)) {
if (ether_ntop(&(idata->hsrcaddr), plinkaddr, sizeof(plinkaddr)) == 0) {
if (ether_ntop(&(idata->hsrcaddr), plinkaddr, sizeof(plinkaddr)) == FALSE) {
puts("ether_ntop(): Error converting address");
exit(EXIT_FAILURE);
}
Expand All @@ -1894,7 +1894,7 @@ void print_attack_info(struct iface_data *idata) {
Ethernet Destination Address were specified.
*/
if (idata->dstaddr_f) {
if (ether_ntop(&(idata->hdstaddr), plinkaddr, sizeof(plinkaddr)) == 0) {
if (ether_ntop(&(idata->hdstaddr), plinkaddr, sizeof(plinkaddr)) == FALSE) {
puts("ether_ntop(): Error converting address");
exit(EXIT_FAILURE);
}
Expand Down
28 changes: 15 additions & 13 deletions tools/jumbo6.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
* jumbo6: A security assessment tool that exploits potential flaws in the
* processing of IPv6 Jumbo payloads
*
* Copyright (C) 2011-2020 Fernando Gont <fgont@si6networks.com>
* Copyright (C) 2011-2024 Fernando Gont <fgont@si6networks.com>
*
* Programmed by Fernando Gont for SI6 Networks <https://www.si6networks.com>
*
Expand Down Expand Up @@ -80,7 +80,7 @@ bpf_u_int32 my_netmask;
bpf_u_int32 my_ip;
struct bpf_program pcap_filter;
char dev[64], errbuf[PCAP_ERRBUF_SIZE];
unsigned char buffer[65556], buffrh[MIN_IPV6_HLEN + MIN_TCP_HLEN];
unsigned char buffer[PACKET_BUFFER_SIZE], buffrh[MIN_IPV6_HLEN + MIN_TCP_HLEN];
unsigned char *v6buffer, *ptr, *startofprefixes;
char *pref;

Expand Down Expand Up @@ -124,7 +124,7 @@ unsigned int hbhopthdrlen[MAX_HBH_OPT_HDR], m, pad;
struct ip6_frag fraghdr, *fh;
struct ip6_hdr *fipv6;
unsigned char fragh_f = 0;
unsigned char fragbuffer[ETHER_HDR_LEN + MIN_IPV6_HLEN + MAX_IPV6_PAYLOAD];
unsigned char fragbuffer[FRAG_BUFFER_SIZE];
unsigned char *fragpart, *fptr, *fptrend, *ptrend, *ptrhdr, *ptrhdrend;
unsigned int hdrlen, ndstopthdr = 0, nhbhopthdr = 0, ndstoptuhdr = 0;
unsigned int nfrags, fragsize;
Expand Down Expand Up @@ -385,7 +385,7 @@ int main(int argc, char **argv) {
break;

case 'S': /* Source Ethernet address */
if (ether_pton(optarg, &(idata.hsrcaddr), sizeof(idata.hsrcaddr)) == 0) {
if (ether_pton(optarg, &(idata.hsrcaddr), sizeof(idata.hsrcaddr)) == FALSE) {
puts("Error in Source link-layer address.");
exit(EXIT_FAILURE);
}
Expand All @@ -394,7 +394,7 @@ int main(int argc, char **argv) {
break;

case 'D': /* Destination Ethernet Address */
if (ether_pton(optarg, &(idata.hdstaddr), sizeof(idata.hdstaddr)) == 0) {
if (ether_pton(optarg, &(idata.hdstaddr), sizeof(idata.hdstaddr)) == FALSE) {
puts("Error in Source link-layer address.");
exit(EXIT_FAILURE);
}
Expand Down Expand Up @@ -901,9 +901,11 @@ int send_packet(struct iface_data *idata, struct pcap_pkthdr *pkthdr, const u_ch
ptrend = ptr;
ptr = fragpart;
fptr = fragbuffer;
fipv6 = (struct ip6_hdr *)(fragbuffer + ETHER_HDR_LEN);
fptrend = fptr + ETHER_HDR_LEN + MIN_IPV6_HLEN + MAX_IPV6_PAYLOAD;
fjplengthptr = (uint32_t *)(fptr + sizeof(struct ether_header) + sizeof(struct ip6_hdr) + 3);
fipv6 = (struct ip6_hdr *)(fragbuffer + idata->linkhsize);
fptrend = fptr + FRAG_BUFFER_SIZE;

/* XXX */
fjplengthptr = (uint32_t *)(fptr + idata->linkhsize + sizeof(struct ip6_hdr) + 3);
/* We copy everything from the Ethernet header till the end of the Unfragmentable part */
memcpy(fptr, buffer, fragpart - buffer);
fptr = fptr + (fragpart - buffer);
Expand Down Expand Up @@ -945,7 +947,7 @@ int send_packet(struct iface_data *idata, struct pcap_pkthdr *pkthdr, const u_ch
ptr += fragsize;
fptr += fragsize;

fipv6->ip6_plen = htons((fptr - fragbuffer) - MIN_IPV6_HLEN - ETHER_HDR_LEN);
fipv6->ip6_plen = htons((fptr - fragbuffer) - MIN_IPV6_HLEN - idata->linkhsize);

if (ip6length_f)
fipv6->ip6_plen = htons(ip6length);
Expand All @@ -955,7 +957,7 @@ int send_packet(struct iface_data *idata, struct pcap_pkthdr *pkthdr, const u_ch
if (jplength_f)
*fjplengthptr = htonl(jplength);
else
*fjplengthptr = htonl((fptr - fragbuffer) - MIN_IPV6_HLEN - ETHER_HDR_LEN);
*fjplengthptr = htonl((fptr - fragbuffer) - MIN_IPV6_HLEN - idata->linkhsize);

if ((nw = pcap_inject(idata->pfd, fragbuffer, fptr - fragbuffer)) == -1) {
printf("pcap_inject(): %s\n", pcap_geterr(idata->pfd));
Expand Down Expand Up @@ -1031,7 +1033,7 @@ void print_attack_info(struct iface_data *idata) {
puts("jumbo6: Security assessment tool for attack vectors based on IPv6 Jumbo Payloads\n");

if (idata->hsrcaddr_f) {
if (ether_ntop(&(idata->hsrcaddr), plinkaddr, sizeof(plinkaddr)) == 0) {
if (ether_ntop(&(idata->hsrcaddr), plinkaddr, sizeof(plinkaddr)) == FALSE) {
puts("ether_ntop(): Error converting address");
exit(EXIT_FAILURE);
}
Expand All @@ -1040,7 +1042,7 @@ void print_attack_info(struct iface_data *idata) {
}
else {
if (idata->dstaddr_f) {
if (ether_ntop(&(idata->hsrcaddr), plinkaddr, sizeof(plinkaddr)) == 0) {
if (ether_ntop(&(idata->hsrcaddr), plinkaddr, sizeof(plinkaddr)) == FALSE) {
puts("ether_ntop(): Error converting address");
exit(EXIT_FAILURE);
}
Expand All @@ -1057,7 +1059,7 @@ void print_attack_info(struct iface_data *idata) {
Ethernet Destination Address were specified.
*/
if (idata->dstaddr_f) {
if (ether_ntop(&(idata->hdstaddr), plinkaddr, sizeof(plinkaddr)) == 0) {
if (ether_ntop(&(idata->hdstaddr), plinkaddr, sizeof(plinkaddr)) == FALSE) {
puts("ether_ntop(): Error converting address");
exit(EXIT_FAILURE);
}
Expand Down
Loading

0 comments on commit 60f57fc

Please sign in to comment.