List: openbsd-bugs
Subject: Re: vmd: corrupted chunk canary when using DHCP on local interface
From: Reyk Floeter <reyk () openbsd ! org>
Date: 2017-04-21 9:40:25
Message-ID: 20170421094025.GB56177 () kunshan ! atexit ! net
On Fri, Apr 21, 2017 at 11:27:24AM +0200, Reyk Floeter wrote:
> On Fri, Apr 21, 2017 at 11:05:57AM +0200, Caspar Schutijser wrote:
> > Hi,
> >
> > On my laptop with the 'CJ' malloc.conf settings, vmd prints
> > vmd(89133) in free(): chunk canary corrupted 0xf3533df9000 0x5dc@0x5dc
> > when I'm trying to request an IP address via DHCP. I'm using the
> > recently added local network interface option. Without the 'CJ'
> > malloc.conf settings, this problem does not appear.
> >
>
> Thanks, I can reproduce it here.
>
> Something overflows the allocated respbuf from dhcp.c ("dhcppkt").
> I will have a look at it.
>
The attached diff fixes it.
It is almost sad or funny: I did the bounds checking in dhcp.c and
packet.c very carefully, but in the very end I ignored the result and
just used a sizeof(resp) instead of the calculated resplen...
So the overflow was like 1472 + 42 > 1500 instead of 300 + 42 < 1500.
OK?
Reyk
Index: usr.sbin/vmd/dhcp.c
===================================================================
RCS file: /cvs/src/usr.sbin/vmd/dhcp.c,v
retrieving revision 1.2
diff -u -p -u -p -r1.2 dhcp.c
--- usr.sbin/vmd/dhcp.c 21 Apr 2017 07:03:26 -0000 1.2
+++ usr.sbin/vmd/dhcp.c 21 Apr 2017 09:35:48 -0000
@@ -154,7 +154,7 @@ dhcp_request(struct vionet_dev *dev, cha
goto fail;
}
- memcpy(respbuf + offset, &resp, sizeof(resp));
+ memcpy(respbuf + offset, &resp, resplen);
respbuflen = offset + resplen;
*obuf = respbuf;
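Review bot: at the memcpy into respbuf, nothing in the visible context shows that offset + resplen fits the size respbuf was allocated with, or that resplen is at most sizeof(resp). Since the next line already computes respbuflen = offset + resplen, consider computing it before the copy and checking it against the allocation size there, so the copy length and the recorded length cannot drift apart again.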
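The length mix-up described in the message above, as an added example that is not vmd's code: a buffer with guard bytes after the requested size shows why copying `sizeof(resp)` instead of the calculated length is caught as a corrupted canary. The sizes are read off the message's arithmetic (1500-byte buffer, 42-byte offset, 1472-byte structure, 300-byte reply) and are assumptions; the helper names and the fixed canary value are hypothetical and only a simplified stand-in for an allocator canary.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Sizes assumed from the message's arithmetic, not taken from vmd's source. */
#define BUF_SIZE   1500  /* requested allocation size */
#define HDR_OFFSET 42    /* bytes already in the buffer before the payload */
#define RESP_SIZE  1472  /* sizeof() of the full response structure */
#define CANARY_LEN 32    /* guard bytes placed after the requested size */
#define CANARY_VAL 0xd5  /* constructed guard pattern */

/* Allocate size bytes followed by a canary region (hypothetical helper). */
static unsigned char *guarded_alloc(size_t size)
{
    unsigned char *p = malloc(size + CANARY_LEN);
    if (p != NULL)
        memset(p + size, CANARY_VAL, CANARY_LEN);
    return p;
}

/* Count the canary bytes that were overwritten past the requested size. */
static size_t canary_damage(const unsigned char *p, size_t size)
{
    size_t i, n = 0;
    for (i = 0; i < CANARY_LEN; i++)
        if (p[size + i] != CANARY_VAL)
            n++;
    return n;
}

/* Copy copylen bytes of a response to HDR_OFFSET; return canary bytes hit. */
static long build_response(size_t copylen)
{
    static unsigned char resp[RESP_SIZE];
    unsigned char *buf;
    if (copylen > sizeof(resp) || (buf = guarded_alloc(BUF_SIZE)) == NULL)
        return -1;
    memset(resp, 0x41, sizeof(resp));
    memcpy(buf + HDR_OFFSET, resp, copylen);  /* stays inside the guard region */
    long damage = (long)canary_damage(buf, BUF_SIZE);
    free(buf);
    return damage;
}

int main(void)
{
    printf("copy sizeof(resp): %ld canary bytes hit\n", build_response(RESP_SIZE));
    printf("copy resplen=300:  %ld canary bytes hit\n", build_response(300));
    return 0;
}
```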