
networkmap: backport 7266 code, includes buffer overrun fixes
RMerl committed Mar 10, 2017
1 parent 823d4a0 commit 773e8cc
Showing 3 changed files with 78 additions and 58 deletions.
32 changes: 14 additions & 18 deletions release/src/router/networkmap/arpstorm.c
Expand Up @@ -43,12 +43,12 @@ iface_bind(int fd, int ifindex)
{
int err;
socklen_t errlen = sizeof(err);

memset(&src_sockll, 0, sizeof(src_sockll));
src_sockll.sll_family = AF_PACKET;
src_sockll.sll_ifindex = ifindex;
src_sockll.sll_protocol = htons(ETH_P_ARP);

if (bind(fd, (struct sockaddr *) &src_sockll, sizeof(src_sockll)) == -1) {
perror("bind device ERR:\n");
return -1;
Expand All @@ -67,7 +67,7 @@ iface_bind(int fd, int ifindex)
perror("getsockname");
exit(2);
}

if (src_sockll.sll_halen == 0) {
printf("Interface is not ARPable (no ll address)\n");
exit(2);
Expand All @@ -83,18 +83,18 @@ int create_socket(char *device)
/* create socket */
int sock_fd, device_id;
sock_fd = socket(PF_PACKET, SOCK_DGRAM, 0); //2008.06.27 Yau change to UDP Socket

if(sock_fd < 0)
perror("create socket ERR:");

device_id = iface_get_id(sock_fd, device);

if (device_id == -1)
printf("iface_get_id REEOR\n");

if ( iface_bind(sock_fd, device_id) < 0)
printf("iface_bind ERROR\n");

return sock_fd;
}

Expand All @@ -104,12 +104,12 @@ int sent_arppacket(int raw_sockfd, unsigned char * dst_ipaddr)

char raw_buffer[46];

memset(dst_sockll.sll_addr, -1, sizeof(dst_sockll.sll_addr)); // set dmac addr FF:FF:FF:FF:FF:FF
memset(dst_sockll.sll_addr, -1, sizeof(dst_sockll.sll_addr)); // set dmac addr FF:FF:FF:FF:FF:FF
if (raw_buffer == NULL)
{
perror("ARP: Oops, out of memory\r");
return 1;
}
}
bzero(raw_buffer, 46);

// Allow 14 bytes for the ethernet header
Expand All @@ -119,7 +119,7 @@ int sent_arppacket(int raw_sockfd, unsigned char * dst_ipaddr)
arp->hwaddr_len = 6;
arp->ipaddr_len = 4;
arp->message_type = htons(ARP_REQUEST);

// My hardware address and IP addresses
memcpy(arp->source_hwaddr, my_hwaddr, 6);
memcpy(arp->source_ipaddr, my_ipaddr, 4);
Expand Down Expand Up @@ -149,11 +149,7 @@ int main()

//Get Router's IP/Mac
strcpy(router_ipaddr, nvram_safe_get("lan_ipaddr"));
#if defined(RTCONFIG_RGMII_BRCM5301X) || defined(RTCONFIG_QCA)
strcpy(router_mac, nvram_safe_get("et1macaddr"));
#else
strcpy(router_mac, nvram_safe_get("et0macaddr"));
#endif
strcpy(router_mac, get_lan_hwaddr());
#ifdef RTCONFIG_GMAC3
if(nvram_match("gmac3_enable", "1"))
strcpy(router_mac, nvram_safe_get("et2macaddr"));
Expand All @@ -173,7 +169,7 @@ int main()
if(arp_sockfd < 0) {
perror("create socket ERR:");
return -1;
} else {
}else {
setsockopt(arp_sockfd, SOL_SOCKET, SO_RCVTIMEO, &arp_timeout, sizeof(arp_timeout));//set receive timeout
dst_sockll = src_sockll; //2008.06.27 Yau add copy sockaddr info to dst
memset(dst_sockll.sll_addr, -1, sizeof(dst_sockll.sll_addr)); // set dmac addr FF:FF:FF:FF:FF:FF
Expand All @@ -185,7 +181,7 @@ int main()
scan_ipaddr[3]++;
if( scan_count<255 && memcmp(scan_ipaddr, my_ipaddr, 4) ) {
sent_arppacket(arp_sockfd, scan_ipaddr);
}
}
else if(scan_count>255) { //Scan completed
scan_count=0;
scan_ipaddr[3]=0;
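Review bot: `strcpy(router_mac, get_lan_hwaddr());` in main copies an unbounded string into router_mac in a commit whose title promises overrun fixes; router_mac is declared outside the hunk, but networkmap.c applies sizeof(router_mac) to the same name, so a bounded form such as `snprintf(router_mac, sizeof(router_mac), "%s", get_lan_hwaddr());` would fit here and at the matching line in networkmap.c. If get_lan_hwaddr() can return NULL the strcpy dereferences it, which is worth confirming against its definition. Separately, the `if (raw_buffer == NULL)` test in sent_arppacket checks a stack array and is always false, so the out-of-memory branch below it is dead code. Both main and sent_arppacket continue outside their hunks.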
87 changes: 60 additions & 27 deletions release/src/router/networkmap/function.c
Expand Up @@ -588,16 +588,18 @@ int ctrlpt(unsigned char *dest_ip)
if(FD_ISSET(ssdp_fd, &rfds))
{
nbytes = recvfrom(ssdp_fd, buf, sizeof(buf), 0, (struct sockaddr*)&destaddr, &addrlen);
buf[nbytes] = '\0';

//NMP_DEBUG_F("recv: %d from: %s\n", nbytes, inet_ntoa(destaddr.sin_addr));
if( !memcmp(&destaddr.sin_addr, dest_ip, 4) )
{
if(MATCH_PREFIX(buf, "HTTP/1.1 200 OK"))
{
global_exit = TRUE;
process_device_response(buf);
return_value = TRUE;
if (nbytes > 0)
{
buf[nbytes] = '\0';

//NMP_DEBUG_F("recv: %d from: %s\n", nbytes, inet_ntoa(destaddr.sin_addr));
if( !memcmp(&destaddr.sin_addr, dest_ip, 4) )
{
if(MATCH_PREFIX(buf, "HTTP/1.1 200 OK")) {
global_exit = TRUE;
process_device_response(buf);
return_value = TRUE;
}
}
}
}
Expand Down Expand Up @@ -788,16 +790,27 @@ int process_device_response(char *msg)
// get the destination ip
location += 7;
i = 0;
while( (*location != ':') && (*location != '/')) {
while( (*location != ':') && (*location != '/') && i < 15) {
host[i] = *location++;
i++;
}
host[i] = '\0';
if(i > 15)
goto error;
else
host[i] = '\0';

//get the destination port
if(*location == ':') {
for(location++, i =0; *location != '/'; i++)
port[i] = *location++;
port[i] = '\0';
for(location++, i = 0; *location != '/'; i++) {
if(i <= 5)
port[i] = *location++;
else
goto error;
}
if(i > 6)
goto error;
else
port[i] = '\0';
destport = (ushort)atoi(port);
}
else
Expand Down Expand Up @@ -832,9 +845,12 @@ int process_device_response(char *msg)
while((nbytes = recv(http_fd, data,1500, 0)) > 0)
{
len += nbytes;

if(len > 6000)
break;
data[nbytes] ='\0';
goto error;
else
data[nbytes] ='\0';

strcat(descri, data);
}
//printf("%s\n", descri);
Expand All @@ -850,8 +866,10 @@ int process_device_response(char *msg)
return 1;
error:
http_fd = -1;
free(data);
free(descri);
if(data)
free(data);
if(descri)
free(descri);
return 0;
}

Expand Down Expand Up @@ -1016,8 +1034,16 @@ void store_description(char *msg)

/************* SMB Function ************/
// 0xAB, 0xA+41,0xB+41
int EncodeName(unsigned char *name, unsigned char *buffer, unsigned short length)
int EncodeName(unsigned char *name, unsigned char *buffer, unsigned short length, int buf_size)
{
/*
add protection for Buffer Overflow boundedcpy
*/
if (buf_size < (length * 2 + 2)) {
memset(buffer, 0, buf_size);
return length*2+2;
}

int i;
buffer[0] = 0x20;
buffer[length*2+1] = 0x00;
Expand All @@ -1029,8 +1055,15 @@ int EncodeName(unsigned char *name, unsigned char *buffer, unsigned short length
return length*2+2;
}

int TranUnicode(UCHAR *uni, UCHAR *asc, USHORT length)
int TranUnicode(UCHAR *uni, UCHAR *asc, USHORT length, int buf_size)
{
/*
add protection for Buffer Overflow boundedcpy
*/
if (buf_size < (length * 2)) {
memset(uni, 0, buf_size);
return length*2;
}
int i;
for (i=0; i<length; i++)
{
Expand Down Expand Up @@ -1154,8 +1187,8 @@ int SendSMBReq(UCHAR *des_ip, MY_DEVICE_INFO *my_info)
case NBSS_REQ: // first send nbss request
offsetlen = 0;
bzero(buf, MAXDATASIZE);
EncodeName(my_info->des_hostname, des_nbss_name, my_info->des_hostname_len);
EncodeName(my_info->my_hostname, my_nbss_name, my_info->my_hostname_len);
EncodeName(my_info->des_hostname, des_nbss_name, my_info->des_hostname_len, sizeof(des_nbss_name));
EncodeName(my_info->my_hostname, my_nbss_name, my_info->my_hostname_len, sizeof(my_nbss_name));

memcpy(buf, nbss_header, sizeof(nbss_header)); // nbss base header
offsetlen += sizeof(nbss_header); // 4
Expand Down Expand Up @@ -1400,19 +1433,19 @@ int SendSMBReq(UCHAR *des_ip, MY_DEVICE_INFO *my_info)
memcpy(buf+offsetlen, smb_info.CaseInsensitivePassword, 1);
offsetlen += 1; // 68
bzero(smb_info.AccountName, 32);
tmplen = TranUnicode(smb_info.AccountName, my_info->account, my_info->account_len);
tmplen = TranUnicode(smb_info.AccountName, my_info->account, my_info->account_len, sizeof(smb_info.AccountName));
memcpy(buf+offsetlen, smb_info.AccountName, tmplen+2);
offsetlen += tmplen+2; // 78
bzero(smb_info.PrimaryDomain, 32);
tmplen = TranUnicode(smb_info.PrimaryDomain, my_info->primarydomain, my_info->primarydomain_len);
tmplen = TranUnicode(smb_info.PrimaryDomain, my_info->primarydomain, my_info->primarydomain_len, sizeof(smb_info.PrimaryDomain));
memcpy(buf+offsetlen, smb_info.PrimaryDomain, tmplen+2);
offsetlen += tmplen+2; // 98
bzero(smb_info.NativeOS, 128);
tmplen = TranUnicode(smb_info.NativeOS, my_info->nativeOS, my_info->nativeOS_len);
tmplen = TranUnicode(smb_info.NativeOS, my_info->nativeOS, my_info->nativeOS_len, sizeof(smb_info.NativeOS));
memcpy(buf+offsetlen, smb_info.NativeOS, tmplen+2);
offsetlen += tmplen+2; // 110
bzero(smb_info.NativeLanMan, 128);
tmplen = TranUnicode(smb_info.NativeLanMan, my_info->nativeLanMan, my_info->nativeLanMan_len);
tmplen = TranUnicode(smb_info.NativeLanMan, my_info->nativeLanMan, my_info->nativeLanMan_len, sizeof(smb_info.NativeLanMan));
memcpy(buf+offsetlen, smb_info.NativeLanMan, tmplen+2);
offsetlen += tmplen+2; //
tmplen = htons(offsetlen-4);
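Review bot: The new guard in TranUnicode still returns `length*2` (and EncodeName's returns `length*2+2`) after zeroing the too-small buffer, so the SendSMBReq call sites (`memcpy(buf+offsetlen, smb_info.AccountName, tmplen+2)` and the three that follow) still copy `tmplen+2` bytes out of a 32- or 128-byte field and advance `offsetlen` by the unbounded amount — the overrun moves from the write side to the read side. Returning a sentinel such as -1 from both functions when `buf_size` is too small and checking it at each call site would close that, and the TranUnicode check should allow for the two extra bytes the callers read, i.e. `if (buf_size < (length * 2 + 2))`, matching EncodeName. In ctrlpt, `buf[nbytes] = '\0'` still writes one past the end when recvfrom fills the whole buffer; passing `sizeof(buf) - 1` as the recvfrom length fixes that. In process_device_response the loop `while( (*location != ':') && (*location != '/') && i < 15)` does not stop at the string terminator, so a value without ':' or '/' is read past its end until i reaches 15, and `if(i > 15)` can never be true; adding `*location != '\0'` to the condition and treating a missing delimiter as an error would match the intent. The `error:` label reached by the new `goto error` in the recv loop sets `http_fd = -1` without closing the socket, so that path leaks the descriptor unless it is closed elsewhere; TranUnicode's body and SendSMBReq continue outside their hunks.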
17 changes: 4 additions & 13 deletions release/src/router/networkmap/networkmap.c
Expand Up @@ -998,20 +998,11 @@ int main(int argc, char *argv[])

//Get Router's IP/Mac
strcpy(router_ipaddr, nvram_safe_get("lan_ipaddr"));
#if defined(RTCONFIG_RGMII_BRCM5301X)
strcpy(router_mac, nvram_safe_get("et1macaddr"));
#else
#if defined(RTCONFIG_QCA)
#ifdef RTCONFIG_WIRELESSREPEATER
if(nvram_get_int("sw_mode")==SW_MODE_REPEATER && (mac=getStaMAC())!=NULL)
strlcpy(router_mac, mac, sizeof(router_mac));
else
#endif
strcpy(router_mac, nvram_safe_get("et1macaddr"));
#else
strcpy(router_mac, nvram_safe_get("et0macaddr"));
strcpy(router_mac, get_lan_hwaddr());
#if defined(RTCONFIG_QCA) && defined(RTCONFIG_WIRELESSREPEATER)
if (nvram_get_int("sw_mode") == SW_MODE_REPEATER && (mac = getStaMAC()) != NULL)
strncpy(router_mac, mac, sizeof(router_mac));
#endif
#endif
#ifdef RTCONFIG_GMAC3
if(nvram_match("gmac3_enable", "1"))
strcpy(router_mac, nvram_safe_get("et2macaddr"));
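Review bot: `strncpy(router_mac, mac, sizeof(router_mac));` in the repeater branch replaces the old strlcpy and leaves router_mac without a NUL terminator whenever mac is at least sizeof(router_mac) bytes long, so the later readers of router_mac can run off the end. `snprintf(router_mac, sizeof(router_mac), "%s", mac);` keeps the bound and always terminates, and avoids the zero-fill strncpy does. router_mac is declared outside the hunk, so its size is not visible here, and main continues past the hunk.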
