Open linuxmaniac opened 1 week ago
How can `ip6f` be NULL and `ip_frag != 0 && ip_ver == 6` if we have at https://github.com/irontec/sngrep/blob/master/src/capture.c#L590-L606
```c
#ifdef USE_IPV6
    case 6:
        ip_hl = sizeof(struct ip6_hdr);
        ip_proto = ip6->ip6_nxt;
        ip_len = ntohs(ip6->ip6_ctlun.ip6_un1.ip6_un1_plen) + ip_hl;
        /* Only a Fragment extension header sets ip_frag and ip6f */
        if (ip_proto == IPPROTO_FRAGMENT) {
            ip_frag = 1;
            ip6f = (struct ip6_frag *) (packet + link_hl + ip_hl);
            ip_frag_off = ntohs(ip6f->ip6f_offlg & IP6F_OFF_MASK);
            ip_id = ntohl(ip6f->ip6f_ident);
        }
        inet_ntop(AF_INET6, &ip6->ip6_src, src.ip, sizeof(src.ip));
        inet_ntop(AF_INET6, &ip6->ip6_dst, dst.ip, sizeof(dst.ip));
        break;
#endif
```
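An added example, not sngrep's code: a bounds-checked version of the IPv6 + Fragment header parsing quoted above, run over a constructed packet. It assumes glibc's `<netinet/ip6.h>` definitions, and returns every fragment field in one zeroed struct, so a caller can never observe a fragment flag set without a complete Fragment header having been read.

```c
#include <arpa/inet.h>
#include <netinet/ip6.h>
#include <stdint.h>
#include <string.h>

struct ip6_parse {
    int      is_frag;   /* 1 only when a Fragment header was fully present */
    uint8_t  proto;     /* next header after the parsed headers */
    uint16_t frag_off;  /* fragment offset in bytes, as in the excerpt */
    uint32_t frag_id;   /* fragment identification, host order */
    size_t   hdr_len;   /* bytes consumed by IPv6 (+ Fragment) headers */
};

/* Parse `len` bytes starting at an IPv6 header. Returns 0 on success, -1 if the
 * buffer is shorter than the headers it claims. `out` is zeroed first, so is_frag is
 * never set while the fragment fields are stale; headers are copied to avoid unaligned reads. */
int parse_ip6_frag(const uint8_t *packet, size_t len, struct ip6_parse *out)
{
    struct ip6_hdr ip6;
    struct ip6_frag ip6f;
    memset(out, 0, sizeof(*out));
    if (packet == NULL || len < sizeof(ip6)) return -1;
    memcpy(&ip6, packet, sizeof(ip6));
    if ((ip6.ip6_vfc >> 4) != 6) return -1;
    out->proto   = ip6.ip6_nxt;
    out->hdr_len = sizeof(ip6);
    if (out->proto != IPPROTO_FRAGMENT)
        return 0;                   /* not fragmented: nothing more to read */
    if (len - out->hdr_len < sizeof(ip6f))
        return -1;                  /* claims a Fragment header it does not carry */
    memcpy(&ip6f, packet + out->hdr_len, sizeof(ip6f));
    out->is_frag  = 1;
    out->proto    = ip6f.ip6f_nxt;
    /* IP6F_OFF_MASK is in network byte order: mask first, then ntohs(). */
    out->frag_off = ntohs(ip6f.ip6f_offlg & IP6F_OFF_MASK);
    out->frag_id  = ntohl(ip6f.ip6f_ident);
    out->hdr_len += sizeof(ip6f);
    return 0;
}

/* Constructed sample (not a capture): IPv6 fe80::1 -> fe80::2, nxt=44, then a
 * Fragment header nxt=UDP, offset 1480 bytes, M=1, id 0x12345678, 4-byte payload. */
static const uint8_t SAMPLE_PKT[] = {
    0x60, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x2c, 0x40,
    0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01,
    0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x02,
    0x11, 0x00, 0x05, 0xc9, 0x12, 0x34, 0x56, 0x78,
    0xde, 0xad, 0xbe, 0xef,
};
```

Passing `SAMPLE_PKT` truncated to 44 bytes makes the parser return -1 with `is_frag` still 0, which is the case the excerpt's unchecked pointer arithmetic does not cover.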
Hi!
Thanks for the report and detailed information of the offending code.
This is quite strange, because if ip6f has a NULL value after being assigned, it should have crashed in the next line and not reach that if. Maybe some memory overflow elsewhere between assignment and crashing line updated ip6f or ip_frag?
It would be awesome if this could be reproduced while reading a pcap file (not sure if this happens often enough)
Regards,
this is sngrep v1.8.1 but I think the code is the same in v1.8.2
related code: https://github.com/irontec/sngrep/blob/master/src/capture.c#L685-L687
ip6f is NULL so... :bomb: