buffer overflow crash 7.1.0 arp.c - arp_packet()
Kenny Napier
Fri Apr 26 20:06:57 2019
I have seen a __memcpy_chk() detected buffer overflow crash occur twice using version 7.1.0.
The crash occurs in arp.c in the arp_packet() function during probing of a new address.
The line is the last memcpy in that routine where it is attempting to copy the target ip address from the arp packet into an
internal structure. I noticed this routine used to have some bounds checking at the top that has been commented out for a long
time. The comment says the BPF filter does this work now.
I tried to verify the bpf filter is really doing this work and noticed a few things that look odd.
bpf.c : bpf_arp_filter[]
/* Make sure this is an ARP REQUEST. */
BPF_STMT(BPF_LD + BPF_H + BPF_IND, offsetof(struct arphdr, ar_op)),
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ARPOP_REQUEST, 2, 0),
/* or ARP REPLY. */
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ARPOP_REPLY, 1, 1),
BPF_STMT(BPF_RET + BPF_K, 0),
/* Make sure the protocol length matches. */
BPF_STMT(BPF_LD + BPF_B + BPF_IND, offsetof(struct arphdr, ar_pln)),
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, sizeof(in_addr_t), 1, 0),
BPF_STMT(BPF_RET + BPF_K, 0),
It looks like it intended to only let ARP_REQUESTs and ARP_REPLYs through the filter but the 1,1 after the REPLY would
let anything through this check.
Also, in the installer routine bpf_arp(...), the structure at the top used to hold the built-up filter does not take into account the
bpf_arp_ether array that is copied in first.
struct bpf_insn bpf[3+ bpf_arp_filter_len + bpf_arp_hw + bpf_arp_extra];
It looks like we would always overflow this stack buffer. I don't know if the filter would get installed as intended if that is happening.
The crash is very rare. I have no idea how to make it happen on demand.
Looking for thoughts on the crash and my bpf code observations.
Thanks
Ken
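The jump-target observation above can be checked without loading anything into a kernel: a classic BPF conditional jump advances the program counter by jt when the comparison holds and by jf when it does not, so a BPF_JUMP with jt == jf lands on the same instruction either way and the RET 0 it was meant to guard is unreachable. The following is an added example, not code from the post or from dhcpcd: a minimal user-space interpreter for the handful of classic-BPF opcodes the quoted filter uses (LDX IMM, LD IND/ABS, JEQ K, RET K), run over constructed ARP headers. The leading LDX that sets X to the 14-byte Ethernet header length is a stand-in for the real bpf_arp_ether prefix, the trailing accept is a stand-in for the rest of the real filter, and filter_fixed is the posted filter with the REPLY jump's false branch changed from 1 to 0; all three are assumptions made here for illustration.

```c
#include <arpa/inet.h>
#include <linux/filter.h>
#include <net/if_arp.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ASSUMED_LINK_HLEN 14   /* Ethernet header length; stands in for bpf_arp_ether setting X */

/* Execute a classic-BPF program over pkt; returns the RET value (0 = drop). Only the
 * opcodes used by the quoted filter are implemented; anything else drops the packet. */
static uint32_t run_cbpf(const struct sock_filter *prog, size_t n, const uint8_t *pkt, size_t plen)
{
    uint32_t a = 0, x = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (BPF_CLASS(in->code)) {
        case BPF_LDX:                      /* LDX IMM: X = k */
            x = in->k;
            break;
        case BPF_LD: {                     /* LD ABS/IND: A = big-endian load at k or X+k */
            uint32_t off = (BPF_MODE(in->code) == BPF_IND) ? x + in->k : in->k;
            uint32_t size = (BPF_SIZE(in->code) == BPF_B) ? 1 : (BPF_SIZE(in->code) == BPF_H) ? 2 : 4;
            if (off + size > plen)
                return 0;                  /* out-of-bounds load drops the packet, as the kernel does */
            a = 0;
            for (uint32_t i = 0; i < size; i++)
                a = (a << 8) | pkt[off + i];
            break;
        }
        case BPF_JMP:                      /* JEQ K: pc advances by jt if A == k, else by jf */
            if (BPF_OP(in->code) != BPF_JEQ)
                return 0;
            pc += (a == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET:                      /* RET K: verdict */
            return in->k;
        default:
            return 0;
        }
    }
    return 0;
}

/* The opcode/length checks as quoted in the post, wrapped in assumed prologue/epilogue. */
static const struct sock_filter filter_as_posted[] = {
    BPF_STMT(BPF_LDX + BPF_W + BPF_IMM, ASSUMED_LINK_HLEN),            /* assumed: X = link header length */
    BPF_STMT(BPF_LD + BPF_H + BPF_IND, offsetof(struct arphdr, ar_op)),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ARPOP_REQUEST, 2, 0),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ARPOP_REPLY, 1, 1),            /* jt == jf: RET 0 below is unreachable */
    BPF_STMT(BPF_RET + BPF_K, 0),
    BPF_STMT(BPF_LD + BPF_B + BPF_IND, offsetof(struct arphdr, ar_pln)),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, sizeof(in_addr_t), 1, 0),
    BPF_STMT(BPF_RET + BPF_K, 0),
    BPF_STMT(BPF_RET + BPF_K, 0xffffffff),                              /* assumed: accept, stands in for the rest */
};

/* Same program with the REPLY jump's false branch pointing at RET 0 (assumed fix). */
static const struct sock_filter filter_fixed[] = {
    BPF_STMT(BPF_LDX + BPF_W + BPF_IMM, ASSUMED_LINK_HLEN),
    BPF_STMT(BPF_LD + BPF_H + BPF_IND, offsetof(struct arphdr, ar_op)),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ARPOP_REQUEST, 2, 0),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ARPOP_REPLY, 1, 0),            /* not REQUEST, not REPLY -> RET 0 */
    BPF_STMT(BPF_RET + BPF_K, 0),
    BPF_STMT(BPF_LD + BPF_B + BPF_IND, offsetof(struct arphdr, ar_pln)),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, sizeof(in_addr_t), 1, 0),
    BPF_STMT(BPF_RET + BPF_K, 0),
    BPF_STMT(BPF_RET + BPF_K, 0xffffffff),
};

/* Build a constructed frame: zeroed link header followed by an ARP header with the given op/pln. */
static int accepted_by(const struct sock_filter *prog, size_t n, uint16_t ar_op, uint8_t ar_pln)
{
    uint8_t pkt[ASSUMED_LINK_HLEN + sizeof(struct arphdr)];
    struct arphdr ah;
    memset(pkt, 0, sizeof(pkt));
    memset(&ah, 0, sizeof(ah));
    ah.ar_hrd = htons(ARPHRD_ETHER);
    ah.ar_pro = htons(0x0800);   /* IPv4 */
    ah.ar_hln = 6;
    ah.ar_pln = ar_pln;
    ah.ar_op = htons(ar_op);
    memcpy(pkt + ASSUMED_LINK_HLEN, &ah, sizeof(ah));
    return run_cbpf(prog, n, pkt, sizeof(pkt)) != 0;
}

int posted_accepts(uint16_t ar_op, uint8_t ar_pln)
{
    return accepted_by(filter_as_posted, sizeof(filter_as_posted) / sizeof(filter_as_posted[0]), ar_op, ar_pln);
}

int fixed_accepts(uint16_t ar_op, uint8_t ar_pln)
{
    return accepted_by(filter_fixed, sizeof(filter_fixed) / sizeof(filter_fixed[0]), ar_op, ar_pln);
}
```

Feeding both programs an ARP header whose opcode is neither REQUEST nor REPLY (for instance a RARP opcode of 3) shows the difference: the posted jump pair accepts it as long as the protocol-length byte is 4, while the single-byte change makes the filter drop it. The length check itself behaves the same in both, so a REQUEST with an ar_pln of anything other than sizeof(in_addr_t) is dropped either way.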