Hi,
there seems to be a bug when using the "ip6 protochain" filter on 64 bit
machines. When "ip6 protochain" is used on a 64 bit machine and a packet
is received that actually has a chain of headers, then libpcap crashes
with a SEGFAULT.
Protochain needs a loop (backwards jump) which is implemented by using a
huge forward jump offset to force an overflow. This works fine with 32
bit pointers, however it fails with 64 bit pointers. Here's the
problematic code from bpf_filter():
        case BPF_JMP|BPF_JA:
                pc += pc->k;
                continue;
Since pc is a 64 bit pointer, adding a large (32 bit) value to it won't
overflow but will make pc point to invalid memory.
I don't know what the best way to fix this would be, but the following
(not heavily tested) snippet forces the jump offset to a signed integer,
which makes the addition signed and the resulting pointer correct:
--- libpcap-1.1.1.orig/bpf/net/bpf_filter.c 2010-08-30
15:28:19.889856950 -0700
+++ libpcap-1.1.1/bpf/net/bpf_filter.c 2010-08-30 15:40:06.133898175 -0700
@@ -405,7 +405,7 @@
continue;
case BPF_JMP|BPF_JA:
- pc += pc->k;
+ pc += (bpf_int32)(pc->k);
continue;
case BPF_JMP|BPF_JGT|BPF_K:
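Review bot: the cast on the `+ pc += (bpf_int32)(pc->k);` line unconditionally turns every k >= 2^31 into a backward jump, yet this same bpf_filter.c is also built into kernels, where (as the follow-up below notes) backward jumps are not wanted; the sign-extension should be compiled only when neither KERNEL nor _KERNEL is defined, and the line deserves a comment saying why it exists (protochain encodes a jump back n instructions as the unsigned value (bpf_u_int32)-n, which only "worked" through pointer wraparound on 32-bit hosts). Two smaller points: the conversion of a bpf_u_int32 >= 2^31 to bpf_int32 is implementation-defined in C (two's-complement on every compiler libpcap targets, but still worth a comment), and nothing in the hunk checks that the new pc stays inside the program, so the interpreter relies entirely on whatever validation accepted the filter before it was installed.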
I've checked in a similar fix, but I do it only if neither KERNEL nor _KERNEL are defined; if somebody wants to put bpf_filter.c into their kernel, we *don't* want sign-extension, because we *don't* want backward jumps in the kernel.
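The following C model, added here as an illustration and not code from libpcap or from either poster, reproduces the reporter's explanation numerically: it evaluates `pc += pc->k` under a 32-bit and a 64-bit pointer width, with k either left as bpf_u_int32 (the unpatched interpreter, and the behaviour kept for kernel builds) or routed through (bpf_int32) as in the patch. Addresses are modelled as integers so the 32-bit wraparound can be shown on a 64-bit host without dereferencing anything. The struct mirrors bpf_insn's layout; the five-instruction program, the load address BASE and the helpers wrap(), jump_target(), next_index() and run_case() are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Mirror of libpcap's struct bpf_insn: 8 bytes on both 32- and 64-bit ABIs. */
struct insn {
    uint16_t code;
    uint8_t  jt, jf;
    uint32_t k;
};

/* Truncate an address to the pointer width being modelled. */
static uint64_t wrap(uint64_t addr, unsigned ptr_bits)
{
    return ptr_bits >= 64 ? addr : (addr & ((1ULL << ptr_bits) - 1));
}

/*
 * Model `pc += pc->k` for a BPF_JMP|BPF_JA instruction. Pointer arithmetic
 * scales k by sizeof(struct insn).
 *   sign_extend == false: k stays bpf_u_int32, as in the unpatched code.
 *   sign_extend == true : k goes through (bpf_int32), as in the patch.
 */
static uint64_t jump_target(uint64_t pc, uint32_t k, unsigned ptr_bits, bool sign_extend)
{
    uint64_t delta;
    if (sign_extend)
        /* (int32_t) of a value >= 2^31 is two's-complement wraparound on the
         * compilers libpcap targets: 0xFFFFFFFD becomes -3, -3 * 8 = -24. */
        delta = (uint64_t)((int64_t)(int32_t)k * (int64_t)sizeof(struct insn));
    else
        delta = (uint64_t)k * sizeof(struct insn);
    return wrap(pc + delta, ptr_bits);
}

/*
 * Index of the instruction executed after the JA at prog[i]. bpf_filter()
 * does `pc += pc->k; continue;` and then `++pc` at the top of its loop, so
 * the successor is pc + k + 1. Returns -1 when that pointer lies outside
 * prog[0..n), i.e. the stray dereference behind the reported SEGFAULT.
 */
static long next_index(uint64_t base, size_t n, size_t i, uint32_t k,
                       unsigned ptr_bits, bool sign_extend)
{
    uint64_t pc    = wrap(base + i * sizeof(struct insn), ptr_bits);
    uint64_t after = wrap(jump_target(pc, k, ptr_bits, sign_extend) + sizeof(struct insn), ptr_bits);
    uint64_t off   = after - base;   /* wraps to a huge value if after < base */
    if (off >= n * sizeof(struct insn) || off % sizeof(struct insn) != 0)
        return -1;
    return (long)(off / sizeof(struct insn));
}

#define JA_CODE  0x05u   /* BPF_JMP|BPF_JA as defined in <pcap/bpf.h> */
#define PROG_LEN 5
#define BASE     0x00010000ULL   /* constructed load address, valid in both models */

/* Constructed program: the JA at index 3 is meant to land on index 1. The
 * protochain generator encodes "back 3" as the huge forward offset
 * (bpf_u_int32)-3 == 0xFFFFFFFD. The other slots are `ld #0` placeholders
 * and a final `ret #0`. */
static const struct insn prog[PROG_LEN] = {
    { 0x00,    0, 0, 0 },
    { 0x00,    0, 0, 0 },
    { 0x00,    0, 0, 0 },
    { JA_CODE, 0, 0, (uint32_t)-3 },
    { 0x06,    0, 0, 0 },   /* BPF_RET|BPF_K */
};

/* Which instruction runs after the backward JA under the given model. */
static long run_case(unsigned ptr_bits, bool sign_extend)
{
    return next_index(BASE, PROG_LEN, 3, prog[3].k, ptr_bits, sign_extend);
}

int main(void)
{
    printf("32-bit pointer, unsigned k     -> index %ld\n", run_case(32, false));
    printf("64-bit pointer, unsigned k     -> index %ld (outside the program)\n", run_case(64, false));
    printf("64-bit pointer, (bpf_int32) k  -> index %ld\n", run_case(64, true));
    return 0;
}
```

On a 32-bit model the unsigned addition wraps and lands on index 1, which is why the encoding went unnoticed; with 64-bit pointers the same offset points roughly 32 GiB past the program, and only the signed conversion brings it back to index 1.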
Administrators of the "libpcap" SourceForge project have superseded this tracker item (formerly artifact 3082386, now bug 143) with issue 145 of the "libpcap" GitHub project.