Honeyd crashes when handling UDP packets > MTU size #14

Open
GoogleCodeExporter opened this issue Nov 3, 2015 · 2 comments

Comments

@GoogleCodeExporter

What steps will reproduce the problem?
1. Send a large number of UDP packets of size > HONEYD_MTU which cause
fragmentation over Honeyd proxy.
2. Watch as memory corruption occurs - the pool_alloc function will return
an entry with entry->data set to an invalid pointer.
3. Honeyd will crash in memcpy function in ipfrag.c - ip_send_fragments due
to the returned pointer from pool_alloc being invalid.

What is the expected output? What do you see instead?

Honeyd should be able to handle UDP packets > MTU without crashing.

What version of the product are you using? On what operating system?

Honeyd 1.5c, Linux.

Please provide any additional information below.

When allocating udp packets in the udp_send function in honeyd.c, if the
size of the packet is greater than the pool size, it should use
pool_alloc_size instead of pool_alloc in order to allocate the correct size
pointer. Otherwise it will return a chunk of memory too small to
accommodate the data, and the pool will get corrupted.

Here is a patch which seems to address the problem:

        ip_personality(tmpl, &id);

-       pkt = pool_alloc(pool_pkt);
+       iplen = IP_HDR_LEN + UDP_HDR_LEN + len;

+       if (iplen <= HONEYD_MTU)
+               pkt = pool_alloc(pool_pkt);
+       else
+               pkt = pool_alloc_size(pool_pkt, iplen);
+
        udp = (struct udp_hdr *)(pkt + IP_HDR_LEN);
        udp_pack_hdr(udp, con->con_dport, con->con_sport, UDP_HDR_LEN + len);

-       iplen = IP_HDR_LEN + UDP_HDR_LEN + len;
-
        /* Src and Dst are reversed both for ip and tcp */
        ip_pack_hdr(pkt, 0, iplen, id,
            dontfragment ? IP_DF : 0, honeyd_ttl,
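Review bot: `iplen = IP_HDR_LEN + UDP_HDR_LEN + len;` is now computed and used to size the allocation without any upper bound on `len`, yet the same value is handed to `ip_pack_hdr` as the IP total length and `UDP_HDR_LEN + len` to `udp_pack_hdr`, both of which are 16-bit fields on the wire. I'd reject or clamp `len` before the allocation when `iplen` would exceed 65535, so the buffer size and the packed header length cannot disagree. The `iplen <= HONEYD_MTU` test is also only correct if HONEYD_MTU is the entry size of `pool_pkt`, which these lines don't show; a one-line comment at the `if` stating that relationship would keep the two from drifting apart.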

Original issue reported on code.google.com by pkwar...@gmail.com on 13 Jul 2009 at 5:46

@GoogleCodeExporter

Here is a patch against the current trunk. There is also a change which allows a larger UDP packet to be processed by Honeyd (4k instead of 2k).

Original comment by pkwar...@gmail.com on 25 Jan 2010 at 9:17

Attachments:

@GoogleCodeExporter

There is a cumulative patch fixing issues 13, 14 and 18 in issue 13.

Original comment by pkwar...@gmail.com on 3 Sep 2010 at 4:55
