drygdryg/zapret
1
0
Fork 0
mirror of https://github.com/bol-van/zapret.git synced 2024-11-26 20:20:53 +03:00
Code Issues Packages Projects Releases Wiki Activity

valgrind: fix passing unitialized bytes to sendto()

Browse Source 
==3801== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
==3801==    at 0x49622E2: sendto (in /tmp/debug/lib/libc-2.22.so)
==3801==    by 0x11093D: rawsend (darkmagic.c:1778)
==3801==    by 0x114F47: dpi_desync_tcp_packet_play (desync.c:1021)
==3801==    by 0x117879: dpi_desync_packet_play (desync.c:1645)
==3801==    by 0x117A35: replay_queue (desync.c:1676)
==3801==    by 0x113F44: dpi_desync_tcp_packet_play (desync.c:781)
==3801==    by 0x117879: dpi_desync_packet_play (desync.c:1645)
==3801==    by 0x11797B: dpi_desync_packet (desync.c:1662)
==3801==    by 0x11A045: processPacketData (nfqws.c:106)
==3801==    by 0x11A1C3: nfq_cb (nfqws.c:140)
==3801==    by 0x4846B20: ??? (in /usr/lib/libnetfilter_queue.so.1.3.0)
==3801==    by 0x4851ABD: nfnl_handle_packet (in /usr/lib/libnfnetlink.so.0.2.0)
==3801==  Address 0xbecb2f81 is on thread 1's stack
==3801==  in frame #2, created by dpi_desync_tcp_packet_play (desync.c:478)
==3801==  Uninitialised value was created by a stack allocation
==3801==    at 0x112C35: dpi_desync_tcp_packet_play (desync.c:478)
This commit is contained in:
[anp/hsw] 2024-08-03 20:24:30 +07:00
parent da15c82273
commit 6fca1223b3
1 changed files with 7 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
nfq/desync.c
View File

@ -483,7 +483,9 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
struct sockaddr_storage src, dst; struct sockaddr_storage src, dst;
uint8_t pkt1[DPI_DESYNC_MAX_FAKE_LEN+100], pkt2[DPI_DESYNC_MAX_FAKE_LEN+100]; uint8_t pkt1[DPI_DESYNC_MAX_FAKE_LEN+100], pkt2[DPI_DESYNC_MAX_FAKE_LEN+100];
size_t pkt1_len, pkt2_len; size_t pkt1_len = sizeof(pkt1), pkt2_len;
memset (pkt1, 0, pkt1_len);
uint8_t ttl_orig,ttl_fake = 0, flags_orig = 0,scale_factor = 0; uint8_t ttl_orig,ttl_fake = 0, flags_orig = 0,scale_factor = 0;
uint32_t *timestamps = NULL; uint32_t *timestamps = NULL;
@ -617,7 +619,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
switch (params.desync_mode0) switch (params.desync_mode0)
{ {
case DESYNC_SYNACK: case DESYNC_SYNACK:
pkt1_len = sizeof(pkt1);
if (!prepare_tcp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, TH_SYN|TH_ACK, tcphdr->th_seq, tcphdr->th_ack, tcphdr->th_win, scale_factor, timestamps, if (!prepare_tcp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, TH_SYN|TH_ACK, tcphdr->th_seq, tcphdr->th_ack, tcphdr->th_win, scale_factor, timestamps,
ttl_fake,params.desync_fooling_mode,params.desync_badseq_increment,params.desync_badseq_ack_increment, ttl_fake,params.desync_fooling_mode,params.desync_badseq_increment,params.desync_badseq_ack_increment,
NULL, 0, pkt1, &pkt1_len)) NULL, 0, pkt1, &pkt1_len))
@ -640,7 +641,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
DLOG("received SYN with data payload. syndata desync is not applied.\n"); DLOG("received SYN with data payload. syndata desync is not applied.\n");
break; break;
} }
pkt1_len = sizeof(pkt1);
if (!prepare_tcp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, flags_orig, tcphdr->th_seq, tcphdr->th_ack, tcphdr->th_win, scale_factor, timestamps, if (!prepare_tcp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, flags_orig, tcphdr->th_seq, tcphdr->th_ack, tcphdr->th_win, scale_factor, timestamps,
ttl_orig,0,0,0, params.fake_syndata,params.fake_syndata_size, pkt1,&pkt1_len)) ttl_orig,0,0,0, params.fake_syndata,params.fake_syndata_size, pkt1,&pkt1_len))
{ {
@ -897,7 +897,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
uint32_t fooling_orig = FOOL_NONE; uint32_t fooling_orig = FOOL_NONE;
bool b; bool b;
pkt1_len = sizeof(pkt1);
b = false; b = false;
switch(desync_mode) switch(desync_mode)
{ {
@ -976,7 +975,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
desync_mode = params.desync_mode2; desync_mode = params.desync_mode2;
} }
pkt1_len = sizeof(pkt1);
switch(desync_mode) switch(desync_mode)
{ {
case DESYNC_DISORDER: case DESYNC_DISORDER:
@ -1036,7 +1034,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
return verdict; return verdict;
} }
pkt1_len = sizeof(pkt1);
if (!prepare_tcp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, flags_orig, tcphdr->th_seq, tcphdr->th_ack, tcphdr->th_win, scale_factor, timestamps, if (!prepare_tcp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, flags_orig, tcphdr->th_seq, tcphdr->th_ack, tcphdr->th_win, scale_factor, timestamps,
ttl_orig,fooling_orig,params.desync_badseq_increment,params.desync_badseq_ack_increment, ttl_orig,fooling_orig,params.desync_badseq_increment,params.desync_badseq_ack_increment,
data_payload, split_pos, pkt1, &pkt1_len)) data_payload, split_pos, pkt1, &pkt1_len))
@ -1113,7 +1110,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
} }
if (split_pos<len_payload) if (split_pos<len_payload)
{ {
pkt1_len = sizeof(pkt1);
if (!prepare_tcp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, flags_orig, net32_add(tcphdr->th_seq,split_pos), tcphdr->th_ack, tcphdr->th_win, scale_factor, timestamps, if (!prepare_tcp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, flags_orig, net32_add(tcphdr->th_seq,split_pos), tcphdr->th_ack, tcphdr->th_win, scale_factor, timestamps,
ttl_orig,fooling_orig,params.desync_badseq_increment,params.desync_badseq_ack_increment, ttl_orig,fooling_orig,params.desync_badseq_increment,params.desync_badseq_ack_increment,
data_payload+split_pos, len_payload-split_pos, pkt1, &pkt1_len)) data_payload+split_pos, len_payload-split_pos, pkt1, &pkt1_len))
@ -1138,7 +1134,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
size_t ipfrag_pos = (params.desync_ipfrag_pos_tcp && params.desync_ipfrag_pos_tcp<transport_len) ? params.desync_ipfrag_pos_tcp : 24; size_t ipfrag_pos = (params.desync_ipfrag_pos_tcp && params.desync_ipfrag_pos_tcp<transport_len) ? params.desync_ipfrag_pos_tcp : 24;
uint32_t ident = ip ? ip->ip_id ? ip->ip_id : htons(1+random()%0xFFFF) : htonl(1+random()%0xFFFFFFFF); uint32_t ident = ip ? ip->ip_id ? ip->ip_id : htons(1+random()%0xFFFF) : htonl(1+random()%0xFFFFFFFF);
pkt1_len = sizeof(pkt1);
pkt2_len = sizeof(pkt2); pkt2_len = sizeof(pkt2);
if (ip6hdr && (fooling_orig==FOOL_HOPBYHOP || fooling_orig==FOOL_DESTOPT)) if (ip6hdr && (fooling_orig==FOOL_HOPBYHOP || fooling_orig==FOOL_DESTOPT))
@ -1206,7 +1201,9 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
struct sockaddr_storage src, dst; struct sockaddr_storage src, dst;
uint8_t pkt1[DPI_DESYNC_MAX_FAKE_LEN+100], pkt2[DPI_DESYNC_MAX_FAKE_LEN+100]; uint8_t pkt1[DPI_DESYNC_MAX_FAKE_LEN+100], pkt2[DPI_DESYNC_MAX_FAKE_LEN+100];
size_t pkt1_len, pkt2_len; size_t pkt1_len = sizeof(pkt1), pkt2_len;
memset (pkt1, 0, pkt1_len);
uint8_t ttl_orig,ttl_fake; uint8_t ttl_orig,ttl_fake;
if (replay) if (replay)
@ -1433,7 +1430,6 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
printf("\n"); printf("\n");
} }
pkt1_len = sizeof(pkt1);
b = false; b = false;
switch(desync_mode) switch(desync_mode)
{ {
@ -1493,7 +1489,6 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
switch(desync_mode) switch(desync_mode)
{ {
case DESYNC_UDPLEN: case DESYNC_UDPLEN:
pkt1_len = sizeof(pkt1);
if (!prepare_udp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, ttl_orig,fooling_orig, params.udplen_pattern, sizeof(params.udplen_pattern), params.udplen_increment, data_payload, len_payload, pkt1, &pkt1_len)) if (!prepare_udp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, ttl_orig,fooling_orig, params.udplen_pattern, sizeof(params.udplen_pattern), params.udplen_increment, data_payload, len_payload, pkt1, &pkt1_len))
{ {
DLOG("could not construct packet with modified length. too large ?\n"); DLOG("could not construct packet with modified length. too large ?\n");
@ -1518,7 +1513,6 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
} }
memcpy(pkt2+pkt2_len,data_payload+1,szcopy); memcpy(pkt2+pkt2_len,data_payload+1,szcopy);
pkt2_len+=szcopy; pkt2_len+=szcopy;
pkt1_len = sizeof(pkt1);
if (!prepare_udp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, ttl_orig,fooling_orig, NULL, 0 , 0, pkt2, pkt2_len, pkt1, &pkt1_len)) if (!prepare_udp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, ttl_orig,fooling_orig, NULL, 0 , 0, pkt2, pkt2_len, pkt1, &pkt1_len))
{ {
DLOG("could not construct packet with modified length. too large ?\n"); DLOG("could not construct packet with modified length. too large ?\n");
@ -1545,7 +1539,6 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
// freebsd do not set ip.id // freebsd do not set ip.id
uint32_t ident = ip ? ip->ip_id ? ip->ip_id : htons(1+random()%0xFFFF) : htonl(1+random()%0xFFFFFFFF); uint32_t ident = ip ? ip->ip_id ? ip->ip_id : htons(1+random()%0xFFFF) : htonl(1+random()%0xFFFFFFFF);
pkt1_len = sizeof(pkt1);
pkt2_len = sizeof(pkt2); pkt2_len = sizeof(pkt2);
if (ip6hdr && (fooling_orig==FOOL_HOPBYHOP || fooling_orig==FOOL_DESTOPT)) if (ip6hdr && (fooling_orig==FOOL_HOPBYHOP || fooling_orig==FOOL_DESTOPT))