On Tue, Jul 14, 2020 at 11:07:24AM +0000, Martin wrote:
> Hi ports@,
>
> security/aircrack-ng core dumped with malloc set to CF. OpenBSD 6.7-current
>
> # airodump-ng athn0
> airodump-ng(13664) in free(): chunk canary corrupted 0xbb2425f7400 0x2ac@ox2ac
> Abort trap (core dumped)
stsp changed SIOCGIFMEDIA to take a 64-bit integer 5 years ago, so this
has been broken since then. The patch below fixes the issue for me.
This was only a matter of compiling with 'make DEBUG="-g -O0"' and
looking at the backtrace to see that the crash was in the free(mwords) call on
line 363 of src/aircrack-osdep/openbsd.c.
(gdb) bt
#0 thrkill () at -:3
#1 0x000008143e665f2e in _libc_abort () at /usr/src/lib/libc/stdlib/abort.c:51
#2 0x000008143e66d836 in wrterror (d=0x814b1e9d680,
msg=0x8143e5c83be "chunk canary corrupted %p %#tx@%#zx%s")
at /usr/src/lib/libc/stdlib/malloc.c:300
#3 0x000008143e670b7a in validate_canary (d=<optimized out>, ptr=<optimized
out>,
sz=140187732400336, allocated=<optimized out>) at
/usr/src/lib/libc/stdlib/malloc.c:1047
#4 find_chunknum (d=0x0, info=<optimized out>, ptr=0x0, check=<optimized out>)
at /usr/src/lib/libc/stdlib/malloc.c:1072
#5 0x000008143e66de14 in ofree (argpool=0x7f7ffffddc00, p=0x81460deec00,
clear=0,
check=<optimized out>, argsz=0) at /usr/src/lib/libc/stdlib/malloc.c:1431
#6 0x000008143e66da80 in free (ptr=0x81460deec00) at
/usr/src/lib/libc/stdlib/malloc.c:1488
#7 0x0000081450bcc621 in do_obsd_open (wi=0x81460ded800, iface=0x81460debda0
"iwm0")
at openbsd.c:363
Index: Makefile
===================================================================
RCS file: /var/cvs/ports/security/aircrack-ng/Makefile,v
retrieving revision 1.30
diff -u -p -r1.30 Makefile
--- Makefile 13 Jun 2020 17:38:49 -0000 1.30
+++ Makefile 14 Jul 2020 11:33:56 -0000
@@ -2,7 +2,7 @@
COMMENT= 802.11 WEP and WPA-PSK keys cracking program
DISTNAME= aircrack-ng-1.5.2
-REVISION= 3
+REVISION= 4
CATEGORIES= security
HOMEPAGE= https://www.aircrack-ng.org/
Index: patches/patch-src_aircrack-osdep_openbsd_c
===================================================================
RCS file:
/var/cvs/ports/security/aircrack-ng/patches/patch-src_aircrack-osdep_openbsd_c,v
retrieving revision 1.1
diff -u -p -r1.1 patch-src_aircrack-osdep_openbsd_c
--- patches/patch-src_aircrack-osdep_openbsd_c 13 May 2019 17:15:40 -0000
1.1
+++ patches/patch-src_aircrack-osdep_openbsd_c 14 Jul 2020 11:33:44 -0000
@@ -11,3 +11,21 @@ Index: src/aircrack-osdep/openbsd.c
#undef _KERNEL
#include <net80211/ieee80211_node.h>
#include <net80211/ieee80211_ioctl.h>
+@@ -322,7 +321,7 @@ static int do_obsd_open(struct wif * wi, char * iface)
+ int s;
+ unsigned int flags;
+ struct ifmediareq ifmr;
+- int * mwords;
++ int64_t * mwords;
+ struct priv_obsd * po = wi_priv(wi);
+ unsigned int size = sizeof(po->po_buf);
+
+@@ -353,7 +352,7 @@ static int do_obsd_open(struct wif * wi, char * iface)
+
+ assert(ifmr.ifm_count != 0);
+
+- mwords = (int *) malloc(ifmr.ifm_count * sizeof(int));
++ mwords = calloc(ifmr.ifm_count, sizeof(*mwords));
+ if (!mwords) goto close_sock;
+ ifmr.ifm_ulist = mwords;
+ if (ioctl(s, SIOCGIFMEDIA, &ifmr) == -1)
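Review bot: The new declaration `int64_t * mwords;` in the first hunk fixes the element size but may not match the pointee type of `ifmr.ifm_ulist`; the message only says SIOCGIFMEDIA now takes a 64-bit integer, and if that field is declared `uint64_t *` (as in OpenBSD's struct ifmediareq) then `ifmr.ifm_ulist = mwords;` becomes an incompatible-pointer-type assignment the compiler warns about, so `uint64_t * mwords;` would be the exact match. The second hunk's `calloc(ifmr.ifm_count, sizeof(*mwords))` ties the allocation to the element type, which is presumably the actual fix for the canary corruption: the kernel filled the list with 8-byte media words while the buffer was sized for 4-byte ints. The `assert(ifmr.ifm_count != 0)` just above is compiled out under NDEBUG and only rejects zero; if ifm_count is a signed int as in the BSD struct, a guard such as `if (ifmr.ifm_count <= 0) goto close_sock;` before the calloc would also stop a negative count from converting to a huge size_t. do_obsd_open starts before the hunk and its remaining body, including the later free(mwords) named in the backtrace, lies outside it.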