Open gaetronik opened 11 years ago
On Sun, Aug 11, 2013 at 11:38 AM, Gaëtan Duchaussois notifications@github.com wrote:
On https://github.com/firnsy/barnyard2/blob/master/src/decode.c#L4328 SafeMemCpy is called with a length of (pkt - p->pkt). But this function is called on line 2427 with pkt=p->pkt asset on line 2416. I'm not sure how to fix this, it might seems logical to copy whole packet but it will not be coherent with SafeMemCpy call on line 4315 (where by the way does not seems correct since the start parameter should be pseudopacket_buf + SPARC_TWIDDLE the end should be pseudopacket_buf + SPARC_TWIDDLE + ETHERNET_HEADER_LEN if understand well how SafeMemCpy works.
Line 2416 is within void DecodeRawPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt)
Which mean that the supplied packet has not link layer header thus this is why the pointer point to the packet it self.
For example in
void DecodeEthPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt)
case ETHERNET_TYPE_IPV6: DecodeIPV6(p->pkt + ETHERNET_HEADER_LEN, (cap_len - ETHERNET_HEADER_LEN), p);
You see the correct padding being added.
It somehow critical since a attacker can make barnyards crash if he makes a program write an event in a unifed2 file flowing through this part of code. For example suricata can write such an event.
If you have a unified2 file that is problematic send it over we will look into it.
-elz
My unfied File is over 100MB and may contain private data. If you have any program to extract just an event in an unified2 file and write it to another i will gladly share the file with this event only.
The line 2416 is followed by the call to IPv6Decode on line 2427 and then it tries to make a SafeMemCpy with a length of 0. An event with a raw IPV6 paquet without an ethernet header will trigger the bug.
Here are the log with a BARNYARD_DEBUG=128 from the crash. Some extra debug messages were addded decode.c:113: Decoding linktype 12 decode.c:2418: Packet! decode.c:2427: IPv6 Raw Packet length 71 decode.c:4307: Generating PseudoIpv6Header! decode.c:4331: Generating PseudoIpv6Header no p->eh! 0x6634c0 0 barnyard2: bounds.h:86: SafeMemcpy: Assertion `0==1' failed.
On Sun, Aug 11, 2013 at 12:07 PM, Gaëtan Duchaussois notifications@github.com wrote:
My unfied File is over 100MB and may contain private data. If you have any program to extract just an event in an unified2 file and write it to another i will gladly share the file with this event only.
The line 2416 is followed by the call to IPv6Decode on line 2427 and then it tries to make a SafeMemCpy with a length of 0.
—
Unified2 files compress really well, and mabey you want to take a look at https://github.com/binf/u2_anon/tree/anon-mask
Also trust that my interest it not in the data it self but in the reliability of barnyard2 thus you can allways send it privately to me at beenph@gmail.com if you want, but it should compress down alot.
Cheers. -elz
I sent you the file on your email. It might have be caught by your spam filter so please me if you did not receive it.
Regards,
Gaëtan
Received, will look into later today and update the issue tracker accordingly.
On Sun, Aug 11, 2013 at 1:27 PM, Gaëtan Duchaussois < notifications@github.com> wrote:
I sent you the file on your email. It might have be caught by your spam filter so please me if you did not receive it.
Regards,
Gaëtan
— Reply to this email directly or view it on GitHubhttps://github.com/firnsy/barnyard2/issues/94#issuecomment-22461499 .
With the file you sent me i am unable to crash anything, do you have a problematic unified2 file?
-elz
On Sun, Aug 11, 2013 at 1:31 PM, beenph beenph@gmail.com wrote:
Received, will look into later today and update the issue tracker accordingly.
On Sun, Aug 11, 2013 at 1:27 PM, Gaëtan Duchaussois < notifications@github.com> wrote:
I sent you the file on your email. It might have be caught by your spam filter so please me if you did not receive it.
Regards,
Gaëtan
— Reply to this email directly or view it on GitHubhttps://github.com/firnsy/barnyard2/issues/94#issuecomment-22461499 .
I have this same issue.
root@localhost:~# barnyard2 -V
__ -> Barnyard2 <- / ,,_ \ Version 2.1.13 (Build 333) DEBUG |o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
I can send a u2 log if needed, that I tested via command line with -o to validate the issue persists.
@nrogut, if you could send that u2 file through to me that would be greatly appreciated.
On https://github.com/firnsy/barnyard2/blob/master/src/decode.c#L4328 SafeMemCpy is called with a length of (pkt - p->pkt). But this function is called on line 2427 with pkt=p->pkt asset on line 2416. I'm not sure how to fix this, it might seems logical to copy whole packet but it will not be coherent with SafeMemCpy call on line 4315 (where by the way does not seems correct since the start parameter should be pseudopacket_buf + SPARC_TWIDDLE the end should be pseudopacket_buf + SPARC_TWIDDLE + ETHERNET_HEADER_LEN if understand well how SafeMemCpy works.
It somehow critical since a attacker can make barnyards crash if he makes a program write an event in a unifed2 file flowing through this part of code. For example suricata can write such an event.