
List:       openbsd-bugs
Subject:    Re: vmd: corrupted chunk canary when using DHCP on local interface
From:       Reyk Floeter <reyk () openbsd ! org>
Date:       2017-04-21 9:40:25
Message-ID: 20170421094025.GB56177 () kunshan ! atexit ! net

On Fri, Apr 21, 2017 at 11:27:24AM +0200, Reyk Floeter wrote:
> On Fri, Apr 21, 2017 at 11:05:57AM +0200, Caspar Schutijser wrote:
> > Hi,
> > 
> > On my laptop with the 'CJ' malloc.conf settings, vmd prints
> >   vmd(89133) in free(): chunk canary corrupted 0xf3533df9000 0x5dc@0x5dc
> > when I'm trying to request an IP address via DHCP. I'm using the
> > recently added local network interface option. Without the 'CJ'
> > malloc.conf settings, this problem does not appear.
> > 
> 
> Thanks, I can reproduce it here.
> 
> Something overflows the allocated respbuf from dhcp.c ("dhcppkt").
> I will have a look at it.
> 

The attached diff fixes it.

It is almost sad or funny: I did the bounds checking in dhcp.c and
packet.c very carefully, but in the very end I ignored the result and
just used a sizeof(resp) instead of the calculated resplen...

So the overflow was like 1472 + 42 > 1500 instead of 300 + 42 < 1500.

OK?

Reyk

Index: usr.sbin/vmd/dhcp.c
===================================================================
RCS file: /cvs/src/usr.sbin/vmd/dhcp.c,v
retrieving revision 1.2
diff -u -p -u -p -r1.2 dhcp.c
--- usr.sbin/vmd/dhcp.c	21 Apr 2017 07:03:26 -0000	1.2
+++ usr.sbin/vmd/dhcp.c	21 Apr 2017 09:35:48 -0000
@@ -154,7 +154,7 @@ dhcp_request(struct vionet_dev *dev, cha
 		goto fail;
 	}
 
-	memcpy(respbuf + offset, &resp, sizeof(resp));
+	memcpy(respbuf + offset, &resp, resplen);
 	respbuflen = offset + resplen;
 
 	*obuf = respbuf;
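
Review bot: The memcpy() into respbuf + offset now trusts resplen, but the visible context does not show a check that resplen <= sizeof(resp) or that offset + resplen fits within the respbuf allocation (the mail gives 1500 as the limit). If the earlier "goto fail" path does not already guarantee both, add an explicit test before the copy, for example "if (resplen > sizeof(resp) || offset + resplen > <allocated size>) goto fail;", so that source over-read and destination overflow are both ruled out at the point of use. The following "respbuflen = offset + resplen;" is now consistent with the number of bytes actually copied, which is worth stating in the commit message since the mismatch between the two lines was the root cause.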
