Bug#616355: Segmentation fault with simple rules.

[Mats Erik Andersson]

Package: tcpspy
Version: 1.7d-4
Severity: important
Tags: patch

It is very simply to generate a segmentation fault with this software:

   tcpspy -d -e 'raddr 192.168.0.0/255.255.255.0'

and then a telnet call! The cause is a stack underrun, a pop command
on an empty stack causes the address exception.

The underlying problem is that a simple (singleton) rule still causes
a bytecode BC_OR onto the stack, forcing the evaluation engine to
continue where is really should finalize execution. The best remedy
seems to be the push of an initial FALSE onto the emptt stack.
That can never hurt any evaluation. Do not be fooled by the correct
evaluation of

   tcpspy -d -e 'raddr 192.168.0.1 or raddr 10.1.2.3.4'

since then the binary relation BC_OR is indeed correct.

My patch also suggests a slight alteration to matching with non-trivial
netmasks:

    raddr 192.168.0.123/255.255.255.192

is now able to catch traffic, without the need for manual calculating
the reduction of '192.168.0.123' modulo '255.255.255.192'. It is an
unneccesary pain to to this by hand. Computers should do that for us.

Best regards,
  Mats Erik Andersson, DM

Description: Recover from stack underflow fault.
 When applied with a single rule like
   tcpspy -e 'raddr 10.1.2.3'
 an incorrect bytecode BC_OR is still put on the stack.
 This causes the rule traversal to pop an empty stack,
 thus causing a segmentation fault. The good remedy is
 initially to push a FALSE onto the empty stack, serving
 as a guard against a later evaluation. Composite rules
   tcpspy -e 'raddr 10.1.2.3 and laddr 10.1.2.33'
 are never causing this segfault.
 .
 In addition, to simplify for the user, the netmask
 is applied to both addresses, the observed address
 and the stored address. This avoids false negatives
 due to miscalculation by the administrator.
Author: Mats Erik Andersson <deb...@gisladisker.se>
Forwarded: no
Last-Update: 2011-03-03

diff -Naur tcpspy-1.7d.debian/rule.c tcpspy-1.7d/rule.c
--- tcpspy-1.7d.debian/rule.c	2002-01-25 02:00:50.000000000 +0100
+++ tcpspy-1.7d/rule.c	2011-03-03 18:35:44.000000000 +0100
@@ -293,6 +293,8 @@
 	static size_t stack_size = 0, stack_ptr = 0;
 
 	stack_ptr = 0;
+	PUSH(0);	/* Put a single FALSE onto the stack. This protects
+			 * against a segfault caused by simple rules. */
 
 	for (ip = 0; ip < code_length; ) {
 		c = NEXTCODE;
@@ -360,7 +362,7 @@
 
 				SHORTCIRCUIT;
 
-				PUSH (((mladdr & mask) == addr) ? 1 : 0);
+				PUSH (((mladdr & mask) == (addr & mask)) ? 1 : 0);
 				}
 				break;	
 			case BC_RADDR:
@@ -375,7 +377,7 @@
 
 				SHORTCIRCUIT;
 
-				PUSH (((mraddr & mask) == addr) ? 1 : 0);
+				PUSH (((mraddr & mask) == (addr & mask)) ? 1 : 0);
 				}
 				break;	
 

signature.asc
Description: Digital signature