Invalid Memcpy call in decode.c leads barnyard2 to crash on some ipv6 events about barnyard2 HOT 8 OPEN

On Sun, Aug 11, 2013 at 11:38 AM, Gaëtan Duchaussois
[email protected] wrote:

On https://github.com/firnsy/barnyard2/blob/master/src/decode.c#L4328 SafeMemCpy is called with a length of (pkt - p->pkt). But this function is called on line 2427 with pkt=p->pkt asset on line 2416.
I'm not sure how to fix this, it might seems logical to copy whole packet but it will not be coherent with SafeMemCpy call on line 4315 (where by the way does not seems correct since the start parameter should be pseudopacket_buf + SPARC_TWIDDLE the end should be pseudopacket_buf + SPARC_TWIDDLE + ETHERNET_HEADER_LEN if understand well how SafeMemCpy works.

Line 2416 is within
void DecodeRawPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const
uint8_t * pkt)

Which mean that the supplied packet has not link layer header thus
this is why the pointer point to the packet it self.

For example in

void DecodeEthPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const
uint8_t * pkt)

...

case ETHERNET_TYPE_IPV6:
DecodeIPV6(p->pkt + ETHERNET_HEADER_LEN,
(cap_len - ETHERNET_HEADER_LEN), p);

You see the correct padding being added.

It somehow critical since a attacker can make barnyards crash if he makes a program write an event in a unifed2 file flowing through this part of code. For example suricata can write such an event.

If you have a unified2 file that is problematic send it over we will
look into it.

-elz

from barnyard2.

My unfied File is over 100MB and may contain private data. If you have any program to extract just an event in an unified2 file and write it to another i will gladly share the file with this event only.

The line 2416 is followed by the call to IPv6Decode on line 2427 and then it tries to make a SafeMemCpy with a length of 0. An event with a raw IPV6 paquet without an ethernet header will trigger the bug.

Here are the log with a BARNYARD_DEBUG=128 from the crash. Some extra debug messages were addded
decode.c:113: Decoding linktype 12
decode.c:2418: Packet!
decode.c:2427: IPv6 Raw Packet length 71
decode.c:4307: Generating PseudoIpv6Header!
decode.c:4331: Generating PseudoIpv6Header no p->eh! 0x6634c0 0
barnyard2: bounds.h:86: SafeMemcpy: Assertion `0==1' failed.

from barnyard2.

On Sun, Aug 11, 2013 at 12:07 PM, Gaëtan Duchaussois
[email protected] wrote:

My unfied File is over 100MB and may contain private data. If you have any program to extract just an event in an unified2 file and write it to another i will gladly share the file with this event only.

The line 2416 is followed by the call to IPv6Decode on line 2427 and then it tries to make a SafeMemCpy with a length of 0.

—

Unified2 files compress really well, and mabey you want to take a look
at https://github.com/binf/u2_anon/tree/anon-mask

Also trust that my interest it not in the data it self but in the
reliability of barnyard2 thus you can allways send it privately to me
at [email protected]
if you want, but it should compress down alot.

Cheers.
-elz

from barnyard2.

I sent you the file on your email. It might have be caught by your spam filter so please me if you did not receive it.

Regards,

Gaëtan

from barnyard2.

Received, will look into later today and update the issue tracker
accordingly.

On Sun, Aug 11, 2013 at 1:27 PM, Gaëtan Duchaussois <
[email protected]> wrote:

I sent you the file on your email. It might have be caught by your spam
filter so please me if you did not receive it.

Regards,

Gaëtan

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/94#issuecomment-22461499
.

from barnyard2.

With the file you sent me i am unable to crash anything, do you have a
problematic unified2 file?

-elz

On Sun, Aug 11, 2013 at 1:31 PM, beenph [email protected] wrote:

Received, will look into later today and update the issue tracker
accordingly.

On Sun, Aug 11, 2013 at 1:27 PM, Gaëtan Duchaussois <
[email protected]> wrote:

I sent you the file on your email. It might have be caught by your spam
filter so please me if you did not receive it.

Regards,

Gaëtan

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/94#issuecomment-22461499
.

from barnyard2.

I have this same issue.

root@localhost:~# barnyard2 -V

______ -> Barnyard2 <-
/ ,,_ \ Version 2.1.13 (Build 333) DEBUG
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/

• '''' + (C) Copyright 2008-2013 Ian Firns [email protected]

I can send a u2 log if needed, that I tested via command line with -o to validate the issue persists.

from barnyard2.

@nrogut, if you could send that u2 file through to me that would be greatly appreciated.

from barnyard2.