dotpcap / sharppcap

Official repository - Fully managed, cross platform (Windows, Mac, Linux) .NET library for capturing packets

SharpPcap cannot handle virtual interfaces with 16 byte hardware addresses #518

Open landerverhacklansweeper opened 1 month ago

landerverhacklansweeper commented 1 month ago

I came across this issue when using a device that has a virtual interface for tunneling. The hardware address is 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00. This causes issues in the Sockaddr class since the buffer provided is only 8 bytes in length.

I don't know what to make of this. Should we ignore such interfaces? Should we just trim it to hold just 8 bytes? The hardware address doesn't seem to be useful anyway.

What is certain is that SharpPcap crashes when such a device interface is present.

kayoub5 commented 1 month ago

@landerverhacklansweeper a PR is welcome

Question: what type does the socket address have?

landerverhacklansweeper commented 1 month ago

I added this code in the SockAddr constructor

Console.WriteLine($"Sockaddr ctor sll_addr length:{saddr_ll.sll_addr.Length} hwAddrBytes length:{hwAddrBytes.Length}");
if (hwAddrBytes.Length > 6)
{
    Console.WriteLine($"type {saddr_ll.sll_hatype}");
    Console.WriteLine($"protocol {saddr_ll.sll_protocol}");
    Console.WriteLine($"ifindex {saddr_ll.sll_ifindex}");
    Console.WriteLine($"pkttype {saddr_ll.sll_pkttype}");
    Console.WriteLine($"family {saddr_ll.sll_family}");
}

result:

Sockaddr ctor sll_addr length:8 hwAddrBytes length:16
type 769
protocol 0
ifindex 5
pkttype 0
family 17

kayoub5 commented 1 month ago

@landerverhacklansweeper What actual error are you getting in the crash? Could you provide the stack trace?

Is this happening in Windows or Linux?

landerverhacklansweeper commented 1 month ago

The error occurs in Linux (a proprietary version of Red Hat, ARM64). The exact location is here.

Buffer.BlockCopy(saddr_ll.sll_addr, 0, hwAddrBytes, 0, hwAddrBytes.Length);

Causes an out of range exception, since hwAddrBytes.Length is 16 while saddr_ll.sll_addr is a byte[] with length 8. (see PcapUnmanagedStructures)

If you still want the exact stacktrace, I can provide it to you once I get my hands on the same device.

Currently I circumvented the problem by adding

Buffer.BlockCopy(saddr_ll.sll_addr, 0, hwAddrBytes, 0, Math.Min(hwAddrBytes.Length,8));

Since the address is nonsensical anyway.
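
An added example, not part of the thread and not SharpPcap's own code: a bounds-checked parse of a raw Linux `sockaddr_ll` that clamps the copy to the fixed 8-byte `sll_addr` field and records that the reported length did not fit, instead of throwing or silently truncating. The type and member names are hypothetical, the input bytes are constructed to match the values printed above (with a length of 16 standing in for the 16-byte `hwAddrBytes`), and a little-endian host is assumed.

```csharp
using System;
using System.Buffers.Binary;

// Added example, not SharpPcap code; type and member names are hypothetical.
public sealed class LinkLayerSockaddr
{
    public const int AddrCapacity = 8;   // sll_addr is a fixed 8-byte field
    public const int StructSize = 20;    // size of Linux struct sockaddr_ll

    public ushort Family, HardwareType;
    public int InterfaceIndex;
    public byte ClaimedLength;           // sll_halen as reported
    public byte[] Address = Array.Empty<byte>();
    public bool Truncated;               // true when sll_halen exceeds 8

    // Assumption: little-endian host for the host-order fields.
    public static LinkLayerSockaddr Parse(ReadOnlySpan<byte> raw)
    {
        if (raw.Length < StructSize)
            throw new ArgumentException("buffer shorter than sockaddr_ll", nameof(raw));

        var sa = new LinkLayerSockaddr
        {
            Family = BinaryPrimitives.ReadUInt16LittleEndian(raw),
            InterfaceIndex = BinaryPrimitives.ReadInt32LittleEndian(raw.Slice(4)),
            HardwareType = BinaryPrimitives.ReadUInt16LittleEndian(raw.Slice(8)),
            ClaimedLength = raw[11],
        };
        // Never trust the length field beyond what the fixed field can hold.
        int count = Math.Min(sa.ClaimedLength, AddrCapacity);
        sa.Truncated = sa.ClaimedLength > AddrCapacity;
        sa.Address = raw.Slice(12, count).ToArray();
        return sa;
    }

    public static void Main()
    {
        // Constructed bytes: family 17, protocol 0, ifindex 5,
        // hatype 769, pkttype 0, halen 16, then eight zero address bytes.
        byte[] raw = { 0x11, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
                       0x01, 0x03, 0x00, 0x10, 0, 0, 0, 0, 0, 0, 0, 0 };
        var sa = Parse(raw);
        Console.WriteLine($"family={sa.Family} ifindex={sa.InterfaceIndex} " +
                          $"type={sa.HardwareType} halen={sa.ClaimedLength} " +
                          $"copied={sa.Address.Length} truncated={sa.Truncated}");
    }
}
```

Exposing a `Truncated` flag lets a caller decide whether to skip the interface or keep it with a partial address, which are the two options raised in the first comment.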