Comments (8)
On Sun, Aug 11, 2013 at 11:38 AM, Gaëtan Duchaussois
[email protected] wrote:
On https://github.com/firnsy/barnyard2/blob/master/src/decode.c#L4328 SafeMemCpy is called with a length of (pkt - p->pkt). But this function is called on line 2427 with pkt=p->pkt as set on line 2416.
I'm not sure how to fix this; it might seem logical to copy the whole packet, but it will not be coherent with the SafeMemCpy call on line 4315 (which, by the way, does not seem correct, since the start parameter should be pseudopacket_buf + SPARC_TWIDDLE and the end should be pseudopacket_buf + SPARC_TWIDDLE + ETHERNET_HEADER_LEN, if I understand well how SafeMemCpy works).
Line 2416 is within
void DecodeRawPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt)
Which means that the supplied packet has no link layer header, thus this is why the pointer points to the packet itself.
For example in
void DecodeEthPkt(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt)
...
case ETHERNET_TYPE_IPV6:
DecodeIPV6(p->pkt + ETHERNET_HEADER_LEN, (cap_len - ETHERNET_HEADER_LEN), p);
You see the correct padding being added.
It is somewhat critical since an attacker can make barnyard2 crash if he makes a program write an event to a unified2 file flowing through this part of the code. For example suricata can write such an event.
If you have a unified2 file that is problematic send it over we will
look into it.
-elz
My unified file is over 100MB and may contain private data. If you have any program to extract just one event from a unified2 file and write it to another, I will gladly share the file with this event only.
The line 2416 is followed by the call to IPv6Decode on line 2427 and then it tries to make a SafeMemCpy with a length of 0. An event with a raw IPv6 packet without an Ethernet header will trigger the bug.
Here is the log with BARNYARD_DEBUG=128 from the crash. Some extra debug messages were added.
decode.c:113: Decoding linktype 12
decode.c:2418: Packet!
decode.c:2427: IPv6 Raw Packet length 71
decode.c:4307: Generating PseudoIpv6Header!
decode.c:4331: Generating PseudoIpv6Header no p->eh! 0x6634c0 0
barnyard2: bounds.h:86: SafeMemcpy: Assertion `0==1' failed.
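The failing path this thread describes, as an added example that is not barnyard2's code: for a raw IPv6 packet (DLT_RAW, no Ethernet header) the link-layer prefix `pkt - p->pkt` is 0, so the bounds-checked copy into the pseudo-packet buffer is asked for zero bytes, which the bounds checker reports as an error (the debug build asserts there, as in the log above). The `safe_memcpy`, the `Packet` struct and the sample frames below are simplified stand-ins written for this example; they assume, from the assertion in the log, that a zero-length request is treated as an error. The guarded variant treats an empty prefix as the legitimate no-link-layer case and skips the copy instead of failing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SAFEMEM_SUCCESS 1
#define SAFEMEM_ERROR   0
#define ETHERNET_HEADER_LEN 14
#define IP6_HEADER_LEN      40
#define PSEUDO_BUF_LEN      128

/* Simplified bounds-checked memcpy written for this example (NOT the project's
 * bounds.h). The copy happens only when [dst, dst + n) lies inside [start, end].
 * A request for n == 0 bytes is treated as an error; that is the condition
 * behind the "Assertion `0==1' failed" line in the thread's log. */
static int safe_memcpy(void *dst, const void *src, size_t n,
                       const void *start, const void *end)
{
    const uint8_t *d = (const uint8_t *)dst;
    const uint8_t *s = (const uint8_t *)start;
    const uint8_t *e = (const uint8_t *)end;

    if (n < 1)                                      /* zero-length copy is rejected */
        return SAFEMEM_ERROR;
    if (dst == NULL || src == NULL || start == NULL || end == NULL)
        return SAFEMEM_ERROR;
    if (s > e || d < s || d + n > e)                /* destination leaves the window */
        return SAFEMEM_ERROR;

    memcpy(dst, src, n);
    return SAFEMEM_SUCCESS;
}

/* Assumed minimal Packet layout: only the fields this example needs. For a raw
 * capture there is no Ethernet header, so the IPv6 header starts at pkt. */
typedef struct {
    const uint8_t *pkt;      /* first captured byte                     */
    const uint8_t *ip6h;     /* where the IPv6 header starts within pkt */
    uint32_t       cap_len;  /* captured length                         */
} Packet;

/* The pattern the thread describes: copy the bytes preceding the IPv6 header
 * (the link-layer prefix, length ip6h - pkt) into the pseudo-packet buffer.
 * For a raw IPv6 packet that length is 0 and the copy fails.
 * Returns the number of bytes copied, or -1 on failure. */
static int copy_link_prefix_unguarded(const Packet *p, uint8_t *buf, size_t buflen)
{
    size_t prefix = (size_t)(p->ip6h - p->pkt);
    if (safe_memcpy(buf, p->pkt, prefix, buf, buf + buflen) != SAFEMEM_SUCCESS)
        return -1;
    return (int)prefix;
}

/* Guarded version: an empty prefix is a legitimate state (no link layer), so it
 * is handled before the copy rather than handed to safe_memcpy as n == 0. */
static int copy_link_prefix(const Packet *p, uint8_t *buf, size_t buflen)
{
    size_t prefix = (size_t)(p->ip6h - p->pkt);
    if (prefix > buflen)
        return -1;                                  /* would not fit: refuse       */
    if (prefix == 0)
        return 0;                                   /* raw packet: nothing to copy */
    if (safe_memcpy(buf, p->pkt, prefix, buf, buf + buflen) != SAFEMEM_SUCCESS)
        return -1;
    return (int)prefix;
}

/* Constructed sample frames (not captured data): an Ethernet frame carrying
 * IPv6, and the same IPv6 header alone as a raw packet. Only the Ethertype and
 * the IPv6 version nibble are meaningful; the rest is zero filler. */
static const uint8_t ETH_IPV6_FRAME[ETHERNET_HEADER_LEN + IP6_HEADER_LEN] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x86,0xdd, /* dst, src, type IPv6 */
    0x60,0x00,0x00,0x00, 0x00,0x00, 0x3b, 0x40                               /* IPv6, next hdr none */
};
static const uint8_t RAW_IPV6_PACKET[IP6_HEADER_LEN] = {
    0x60,0x00,0x00,0x00, 0x00,0x00, 0x3b, 0x40
};

/* Scenarios: raw packet through the failing path, and both packet kinds
 * through the guarded path. */
int raw_packet_unguarded(void)
{
    uint8_t buf[PSEUDO_BUF_LEN];
    Packet p = { RAW_IPV6_PACKET, RAW_IPV6_PACKET, IP6_HEADER_LEN };
    return copy_link_prefix_unguarded(&p, buf, sizeof buf);   /* -1: zero-length copy rejected */
}

int raw_packet_guarded(void)
{
    uint8_t buf[PSEUDO_BUF_LEN];
    Packet p = { RAW_IPV6_PACKET, RAW_IPV6_PACKET, IP6_HEADER_LEN };
    return copy_link_prefix(&p, buf, sizeof buf);             /* 0: no link layer to copy */
}

int eth_packet_guarded(void)
{
    uint8_t buf[PSEUDO_BUF_LEN];
    Packet p = { ETH_IPV6_FRAME, ETH_IPV6_FRAME + ETHERNET_HEADER_LEN, sizeof ETH_IPV6_FRAME };
    return copy_link_prefix(&p, buf, sizeof buf);             /* 14: Ethernet header copied */
}

int main(void)
{
    printf("raw IPv6, unguarded copy: %d\n", raw_packet_unguarded());
    printf("raw IPv6, guarded copy:   %d\n", raw_packet_guarded());
    printf("Ethernet/IPv6, guarded:   %d\n", eth_packet_guarded());
    return 0;
}
```

The point of the guard is that the decoder already knows, from the datalink type, whether a link-layer header exists; a zero prefix is therefore expected input, not a bounds violation, and the decision has to be made by the caller before the length reaches the checker.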
Unified2 files compress really well, and maybe you want to take a look
at https://github.com/binf/u2_anon/tree/anon-mask
Also trust that my interest is not in the data itself but in the
reliability of barnyard2, thus you can always send it privately to me
at [email protected]
if you want, but it should compress down a lot.
Cheers.
-elz
I sent you the file on your email. It might have been caught by your spam filter, so please tell me if you did not receive it.
Regards,
Gaëtan
Received, will look into later today and update the issue tracker
accordingly.
With the file you sent me i am unable to crash anything, do you have a
problematic unified2 file?
-elz
I have this same issue.
root@localhost:~# barnyard2 -V
______ -> Barnyard2 <-
/ ,,_ \ Version 2.1.13 (Build 333) DEBUG
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
- '''' + (C) Copyright 2008-2013 Ian Firns [email protected]
I can send a u2 log if needed, that I tested via command line with -o to validate the issue persists.
@nrogut, if you could send that u2 file through to me that would be greatly appreciated.