From 89c04b4fb0e46b3c4f1388686e83966e531cbea9 Mon Sep 17 00:00:00 2001
From: "Simson L. Garfinkel" <simsong@acm.org>
Date: Sat, 20 Oct 2018 07:31:32 -0400
Subject: [PATCH] fixed theoretical stack overflow identified in #195)

---
 src/iptree.h | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/src/iptree.h b/src/iptree.h
index 6332e8e..6abf25b 100644
--- a/src/iptree.h
+++ b/src/iptree.h
@@ -241,8 +241,10 @@ private:;
         return (addr[i / 8]) & (1<<((7-i)&7));
     }
     /* set the ith bit to 1 */
-    static void setbit(uint8_t *addr,size_t i){
-        addr[i / 8] |= (1<<((7-i)&7));
+    static void setbit(uint8_t *addr,size_t addr, size_t i){
+        if ( i/8 < addr) {
+            addr[i / 8] |= (1<<((7-i)&7));
+        }
     }
     
     virtual ~iptreet(){}                // required per compiler warnings
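Review bot: The new `static void setbit(uint8_t *addr,size_t addr, size_t i)` signature declares both parameters as `addr`, which is a duplicate-parameter compile error and leaves the `i/8 < addr` comparison meaningless; the third patch in this file renames it to `addrlen`. Independent of the name, an out-of-range index is now dropped silently, which hides a caller-side sizing bug rather than surfacing it — a comment such as `/* bits at i >= addrlen*8 are ignored; callers must size addr for the depth they use */`, or an assert in debug builds, would make that contract visible. Note also that the reader `bit()` directly above still indexes `addr[i / 8]` with no equivalent check, so an oversized `i` that setbit now tolerates is still an out-of-bounds read there.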
@@ -388,7 +390,8 @@ private:;
         uint8_t addr1[ADDRBYTES];
         
         memset(addr0,0,sizeof(addr0)); memcpy(addr0,addr,(depth+7)/8);
-        memset(addr1,0,sizeof(addr1)); memcpy(addr1,addr,(depth+7)/8); setbit(addr1,depth);
+        memset(addr1,0,sizeof(addr1)); memcpy(addr1,addr,(depth+7)/8);
+        setbit(addr1,sizeof(addr1),depth);
         
         if(ptr->ptr0) get_histogram(depth+1,addr0,ptr->ptr0,histogram);
         if(ptr->ptr1) get_histogram(depth+1,addr1,ptr->ptr1,histogram);
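Review bot: The bounds check behind the new `setbit(addr1,sizeof(addr1),depth)` call protects only the single bit write; the `memcpy(addr1,addr,(depth+7)/8)` on the line before it still copies `(depth+7)/8` bytes into the `ADDRBYTES`-sized array without comparing against `sizeof(addr1)`, and the same holds for `addr0`. If `depth` can exceed `ADDRBYTES*8` (not visible here), those memcpys overflow before setbit is ever reached; a single guard ahead of both, e.g. `assert((depth+7)/8 <= sizeof(addr0));`, or a documented precondition on `depth` at the function header, would make the fix complete. get_histogram begins outside the hunk.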
@@ -527,8 +530,10 @@ class ip2tree:public iptreet<uint64_t,32> {
     /* de-interleave a pair of addresses */
     static void un_pair(uint8_t *addr1,uint8_t *addr2,size_t addr12len,size_t *depth1,size_t *depth2,const uint8_t *addr,size_t addrlen,size_t depth){
         for(size_t i=0;i<addrlen*8/2;i++){
-            if(iptreet<uint64_t,32>::bit(addr,i*2))   iptreet<uint64_t,32>::setbit(addr1,i);
-            if(iptreet<uint64_t,32>::bit(addr,i*2+1)) iptreet<uint64_t,32>::setbit(addr2,i);
+            if(iptreet<uint64_t,32>::bit(addr,i*2))
+                iptreet<uint64_t,32>::setbit(addr1,sizeof(addr1),i);
+            if(iptreet<uint64_t,32>::bit(addr,i*2+1))
+                iptreet<uint64_t,32>::setbit(addr2,sizeof(addr2),i);
         }
         *depth1 = (depth+1)/2;
         *depth2 = (depth)/2;
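Review bot: `sizeof(addr1)` and `sizeof(addr2)` in the new setbit calls are taken on `uint8_t *` parameters, so they evaluate to the pointer size rather than the buffer capacity and the bounds check compares against the wrong quantity; the second patch in this file replaces them with `addr12len`, which is the value the calls should have used. Since that correction applies the same `addr12len` to both buffers, a comment on the `un_pair` signature such as `/* addr1 and addr2 must each hold addr12len bytes */` would record the assumption the check relies on.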
@@ -563,8 +568,10 @@ class ip2tree:public iptreet<uint64_t,32> {
         memset(addr,0,sizeof(addr));
         /* Interleave on the bit by bit level */
         for(size_t i=0;i<addrlen*8;i++){
-            if(iptreet<uint64_t,32>::bit(addr1,i)) iptreet<uint64_t,32>::setbit(addr,i*2);
-            if(iptreet<uint64_t,32>::bit(addr2,i)) iptreet<uint64_t,32>::setbit(addr,i*2+1);
+            if(iptreet<uint64_t,32>::bit(addr1,i))
+                iptreet<uint64_t,32>::setbit(addr,sizeof(addr),i*2);
+            if(iptreet<uint64_t,32>::bit(addr2,i))
+                iptreet<uint64_t,32>::setbit(addr,sizeof(addr),i*2+1);
         }
         add(addr,addrlen*2,val); /* Add it */
     }
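Review bot: The new `setbit(addr,sizeof(addr),i*2+1)` calls silently drop any bit at or beyond `sizeof(addr)*8`, but the `add(addr,addrlen*2,val)` call after the loop still passes `addrlen*2` as the length, so a caller with `addrlen*2 > sizeof(addr)` gets a truncated interleave handed to `add` with a length larger than the buffer. Checking `addrlen*2 <= sizeof(addr)` once before the loop and rejecting the call otherwise would keep the two consistent; whether such callers exist is not visible from this hunk. pair's signature and the declaration of `addr` are outside the hunk.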
From f4097c7c99ebb7b54d93a426016840072946c410 Mon Sep 17 00:00:00 2001
From: "Simson L. Garfinkel" <simsong@acm.org>
Date: Wed, 21 Nov 2018 17:57:12 -0600
Subject: [PATCH] fixed sizeof(addr1) and sizeof(addr2) error in un_pair

---
 src/iptree.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/iptree.h b/src/iptree.h
index 2c717db..0ddfa14 100644
--- a/src/iptree.h
+++ b/src/iptree.h
@@ -530,9 +530,9 @@ class ip2tree:public iptreet<uint64_t,32> {
     static void un_pair(uint8_t *addr1,uint8_t *addr2,size_t addr12len,size_t *depth1,size_t *depth2,const uint8_t *addr,size_t addrlen,size_t depth){
         for(size_t i=0;i<addrlen*8/2;i++){
             if(iptreet<uint64_t,32>::bit(addr,i*2))
-                iptreet<uint64_t,32>::setbit(addr1,sizeof(addr1),i);
+                iptreet<uint64_t,32>::setbit(addr1, addr12len, i);
             if(iptreet<uint64_t,32>::bit(addr,i*2+1))
-                iptreet<uint64_t,32>::setbit(addr2,sizeof(addr2),i);
+                iptreet<uint64_t,32>::setbit(addr2, addr12len, i);
         }
         *depth1 = (depth+1)/2;
         *depth2 = (depth)/2;
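Review bot: The corrected bounds check now rests entirely on the caller passing an `addr12len` that is the capacity of both `addr1` and `addr2`, and nothing in the hunk documents or verifies that. The loop writes up to `addrlen*4` bits into each buffer, so a comment on the `un_pair` signature such as `/* addr12len: byte capacity of addr1 and of addr2; each must hold at least addrlen*4 bits */` would pin the contract, and an early `if (addr12len * 8 < addrlen * 4) return;` (or an assert) would turn a mis-sized caller into a visible failure instead of a silently truncated result.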
From 0e96c3578a79c41eab1e597ccd38e1c612b47810 Mon Sep 17 00:00:00 2001
From: "Simson L. Garfinkel" <simsong@acm.org>
Date: Sun, 18 Nov 2018 16:29:57 -0500
Subject: [PATCH] updated to 1.5.1; added -Wno-address-of-packed-member; fixed
 compile errors accidentally introduced.

---
 ChangeLog       |  4 ++++
 configure.ac    |  7 ++++++-
 src/iptree.h    |  4 ++--
 src/tcpflow.cpp | 10 ++++++++++
 4 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index b0682c1..860ec23 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2018-11-18 Simson Garfinkel <simsong@acm.org>
+	* updated for pcap_findalldevs
+	* added -Wno-address-of-packed-member to avoid error
+	
 2017-07-12 Simson Garfinkel <simsong@acm.org>
 	* updated to work with Fedora 26 compilers
 	* Found bug in sbuf.cpp
diff --git a/configure.ac b/configure.ac
index fc48b63..866417e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -7,7 +7,7 @@
 # and http://www.openismus.com/documents/linux/automake/automake.shtml 
 
 AC_PREREQ(2.57)
-AC_INIT(TCPFLOW, 1.5.0, simsong@acm.org)
+AC_INIT(TCPFLOW, 1.5.1, simsong@acm.org)
 AC_CONFIG_MACRO_DIR([m4])
 
 AC_CONFIG_FILES([Makefile src/Makefile tests/Makefile doc/Makefile])
@@ -70,6 +70,10 @@ case $host in
      LDFLAGS="$LDFLAGS --static"
      mingw="yes"
      ;;		 		     
+
+   *)
+     CXXFLAGS="$CXXFLAGS -Wno-address-of-packed-member"
+     ;;
 esac
 
 if test x"${mingw}" == "xno" ; then
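Review bot: The `-Wno-address-of-packed-member` added in the new `*)` case silences the diagnostic for every non-mingw build rather than fixing the accesses it reports; that warning flags taking the address of a field inside a packed struct, which on strict-alignment targets can fault or yield wrong data, so globally hiding it removes the only signal for that class of bug. Copying the field out with `memcpy` at the sites that trigger it (not visible here) and then dropping the flag would keep the warning useful. If the suppression must stay, a comment in configure.ac naming the structs that trigger it would at least scope the exception; note it is applied only to `CXXFLAGS`, so any C sources are unaffected.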
@@ -348,6 +352,7 @@ located.])
         Mmissing_library="$Mmissing_library libpcap "
     ])
 fi
+AC_CHECK_FUNCS([pcap_findalldevs])
 
 dnl set with_wifi to 0 if you do not want it
 AC_ARG_ENABLE([wifi],
diff --git a/src/iptree.h b/src/iptree.h
index 6abf25b..5732dbc 100644
--- a/src/iptree.h
+++ b/src/iptree.h
@@ -241,8 +241,8 @@ private:;
         return (addr[i / 8]) & (1<<((7-i)&7));
     }
     /* set the ith bit to 1 */
-    static void setbit(uint8_t *addr,size_t addr, size_t i){
-        if ( i/8 < addr) {
+    static void setbit(uint8_t *addr,size_t addrlen, size_t i){
+        if ( i/8 < addrlen) {
             addr[i / 8] |= (1<<((7-i)&7));
         }
     }
diff --git a/src/tcpflow.cpp b/src/tcpflow.cpp
index d85dff6..004107f 100644
--- a/src/tcpflow.cpp
+++ b/src/tcpflow.cpp
@@ -461,9 +461,19 @@ static int process_infile(tcpdemux &demux,const std::string &expression,const ch
     } else {
 	/* if the user didn't specify a device, try to find a reasonable one */
 	if (device == NULL){
+#ifdef HAVE_PCAP_FINDALLDEVS
+            char errbuf[PCAP_ERRBUF_SIZE];
+            pcap_if_t *alldevs = 0;
+            if (pcap_findalldevs(&alldevs,errbuf)){
+		die("%s", errbuf);
+	    }
+            device=strdup(alldevs[0].name);
+            pcap_freealldevs(alldevs);
+#else
 	    if ((device = pcap_lookupdev(error)) == NULL){
 		die("%s", error);
 	    }
+#endif
 	}
 
 	/* make sure we can open the device */
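Review bot: `alldevs[0].name` is dereferenced without checking that `pcap_findalldevs` produced a non-empty list; the call returns 0 with `alldevs == NULL` when no interfaces are available, so this new branch dereferences NULL where the `pcap_lookupdev` branch below it reports an error via `die`. Adding `if (alldevs == NULL) die("no capture devices found");` before the `strdup`, and checking the `strdup` result for NULL before `pcap_freealldevs`, closes both gaps. The new lines also mix tab and space indentation (`die("%s", errbuf);` and its closing brace are tab-indented, the rest space-indented), which is worth normalising to the file's convention. process_infile starts and ends outside the hunk.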