Calculate the reply payload length in a local variable.
Using the same variable for the remaining request length and the reply
length is confusing at best and can cause errors at worst (if the
request had extra stuff at the end, so that the variable is non-zero).

This addresses Include Security issue I8: [libpcap] Remote Packet
Capture Daemon Parameter Reuse.
guyharris committed Sep 30, 2019
1 parent 33834cb commit 617b12c
Showing 1 changed file with 9 additions and 6 deletions.
15 changes: 9 additions & 6 deletions rpcapd/daemon.c
Expand Up @@ -1335,6 +1335,7 @@ daemon_msg_findallif_req(uint8 ver, struct daemon_slpars *pars, uint32 plen)
pcap_if_t *d; // temp pointer needed to scan the interface chain
struct pcap_addr *address; // pcap structure that keeps a network address of an interface
struct rpcap_findalldevs_if *findalldevs_if;// rpcap structure that packet all the data of an interface together
uint32 replylen; // length of reply payload
uint16 nif = 0; // counts the number of interface listed

// Discard the rest of the message; there shouldn't be any payload.
Expand All @@ -1361,17 +1362,19 @@ daemon_msg_findallif_req(uint8 ver, struct daemon_slpars *pars, uint32 plen)
return 0;
}

// checks the number of interfaces and it computes the total length of the payload
// This checks the number of interfaces and computes the total
// length of the payload.
replylen = 0;
for (d = alldevs; d != NULL; d = d->next)
{
nif++;

if (d->description)
plen+= strlen(d->description);
replylen += strlen(d->description);
if (d->name)
plen+= strlen(d->name);
replylen += strlen(d->name);

plen+= sizeof(struct rpcap_findalldevs_if);
replylen += sizeof(struct rpcap_findalldevs_if);

for (address = d->addresses; address != NULL; address = address->next)
{
Expand All @@ -1384,7 +1387,7 @@ daemon_msg_findallif_req(uint8 ver, struct daemon_slpars *pars, uint32 plen)
#ifdef AF_INET6
case AF_INET6:
#endif
plen+= (sizeof(struct rpcap_sockaddr) * 4);
replylen += (sizeof(struct rpcap_sockaddr) * 4);
break;

default:
Expand All @@ -1400,7 +1403,7 @@ daemon_msg_findallif_req(uint8 ver, struct daemon_slpars *pars, uint32 plen)
goto error;

rpcap_createhdr((struct rpcap_header *) sendbuf, ver,
RPCAP_MSG_FINDALLIF_REPLY, nif, plen);
RPCAP_MSG_FINDALLIF_REPLY, nif, replylen);

// send the interface list
for (d = alldevs; d != NULL; d = d->next)
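Review bot: `replylen` is declared `uint32` but the `replylen += strlen(d->description)` and `replylen += strlen(d->name)` lines add `size_t` values, so on 64-bit builds the addition narrows silently and an oversized total would wrap instead of being rejected before it is written into the reply header by `rpcap_createhdr()`. The interface names and descriptions come from the local system rather than from the peer, so this reads as a robustness rather than an exploitability concern, but the value is what the client will trust as the payload length. A one-line invariant comment above the loop would help the next reader: `// replylen must equal the number of payload bytes the send loop below actually writes; it is the value advertised in the reply header.` Folding the initializer into the declaration, `uint32 replylen = 0;`, and dropping the separate `replylen = 0;` would also remove any window where the variable is declared but unset. The function continues outside the hunk, and whether the total is bounded against the send-buffer capacity before the header is built cannot be seen here.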
