wangyu- / udp2raw

A Tunnel which Turns UDP Traffic into Encrypted UDP/FakeTCP/ICMP Traffic by using Raw Socket, helps you Bypass UDP FireWalls (or Unstable UDP Environment)
MIT License

Some buffer overflow issues #435

Closed firmianay closed 11 months ago

firmianay commented 2 years ago

Hi, great project!

1. The program has a buffer overflow problem that may not exist in reality when parsing the command line parameter "-k, --key":

```cpp
int my_init_keys(const char * user_passwd,int is_client)
{
    char tmp[1000]="";
    int len=strlen(user_passwd);

    strcat(tmp,user_passwd);

    strcat(tmp,"key1");
```

```
[2022-07-07 15:57:34][INFO]remote_ip=[127.0.0.1], make sure this is a vaild IP address
[2022-07-07 15:57:34][INFO]const_id:8e6c177a
*** buffer overflow detected ***: terminated
[1]    573646 abort (core dumped)  ./udp2raw -c -l 127.0.0.1:80 -r 127.0.0.1:80 -k 
```

2. Command line parameter -l or -r will make ip_addr_str overflow:

```cpp
int address_t::from_str(char *str)
{
    char ip_addr_str[100];u32_t port;
    mylog(log_info,"parsing address: %s\n",str);
    int is_ipv6=0;
    ...
    else if(sscanf(str, "%[^:]:%u", ip_addr_str,&port)==2)
    {
        mylog(log_info,"its an ipv4 adress\n");
        inner.ipv4.sin_family=AF_INET;
    }
```

HiGarfield commented 2 years ago

Limit the length of each token in sscanf.

see https://github.com/HiGarfield/udp2raw/blob/f3127d77798d239fddf5ebb46b2c9d1eac83f6e5/common.cpp#L18

wangyu- commented 2 years ago

Those two functions only parse local parameters which are input by you locally. They never parse parameters from the internet.

So I guess that's not a big deal?

firmianay commented 2 years ago

Yes, it's not a big problem right now, but it leaves a hidden danger: if in the future the function is used to resolve addresses from outside, there will be problems. So it is recommended to fix this little bug to avoid future problems.
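
The two overflows reported in this issue, rewritten with bounded operations as an added example (not udp2raw's code and not the patch linked in the thread). The function names `build_key_material` and `parse_host_port` are hypothetical; the buffer sizes 1000 and 100 come from the snippets quoted above, and the inputs in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>

#define HOST_MAX 99                 /* ip_addr_str[100]: 99 chars + NUL */
#define STR2(x) #x
#define STR(x) STR2(x)

/* Hypothetical replacement for the two strcat() calls: writes passwd+suffix
 * into out, or returns -1 (out emptied) when the result would not fit. */
int build_key_material(char *out, size_t out_sz,
                       const char *passwd, const char *suffix)
{
    int n = snprintf(out, out_sz, "%s%s", passwd, suffix);
    if (n < 0 || (size_t)n >= out_sz) {
        if (out_sz > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Hypothetical bounded "host:port" parser. The %99[^:] width caps the host
 * token at the buffer size; an over-long host then fails to match ':' and
 * the call is rejected. %5u bounds the port digits, and the trailing %c
 * rejects any characters left over after the port. */
int parse_host_port(const char *str, char host[HOST_MAX + 1], unsigned *port)
{
    char extra;
    if (sscanf(str, "%" STR(HOST_MAX) "[^:]:%5u%c", host, port, &extra) != 2)
        return -1;
    return *port <= 65535 ? 0 : -1;
}

int main(void)
{
    char key[1000], host[HOST_MAX + 1], longarg[1200];
    unsigned port = 0;
    memset(longarg, 'A', sizeof longarg - 1);   /* constructed over-long input */
    longarg[sizeof longarg - 1] = '\0';
    printf("key, short passwd: %d\n", build_key_material(key, sizeof key, "secret", "key1"));
    printf("key, long passwd:  %d\n", build_key_material(key, sizeof key, longarg, "key1"));
    printf("addr ok:   %d\n", parse_host_port("127.0.0.1:80", host, &port));
    printf("addr long: %d\n", parse_host_port(longarg, host, &port));
    return 0;
}
```

Rejecting the over-long argument, rather than silently truncating it, keeps a truncated password or host from being used as if it were the value the user typed.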