On Tue, Jul 14, 2020 at 01:58:12PM +0200, Theo Buehler wrote:
> On Tue, Jul 14, 2020 at 11:07:24AM +0000, Martin wrote:
> > Hi ports@,
> > 
> > security/aircrack-ng core dumped with malloc set to CF. OpenBSD 6.7-current
> > 
> > # airodump-ng athn0
> > airodump-ng(13664) in free(): chunk canary corrupted 0xbb2425f7400 0x2ac@ox2ac
> > Abort trap (core dumped)
> 
> stsp changed SIOCGIFMEDIA to take a 64-bit integer 5 years ago, so this
> was broken since then.  The patch below fixes the issue for me.
> 
> This was only a matter of compiling with 'make DEBUG="-g -O0"' and
> looking at the backtrace to see that it was the free(mwords) call on
> line 363 of src/aircrack-osdep/openbsd.c.
> 
> (gdb) bt
> #0  thrkill () at -:3
> #1  0x000008143e665f2e in _libc_abort () at /usr/src/lib/libc/stdlib/abort.c:51
> #2  0x000008143e66d836 in wrterror (d=0x814b1e9d680,
>     msg=0x8143e5c83be "chunk canary corrupted %p %#tx@%#zx%s")
>     at /usr/src/lib/libc/stdlib/malloc.c:300
> #3  0x000008143e670b7a in validate_canary (d=<optimized out>, ptr=<optimized out>,
>     sz=140187732400336, allocated=<optimized out>) at /usr/src/lib/libc/stdlib/malloc.c:1047
> #4  find_chunknum (d=0x0, info=<optimized out>, ptr=0x0, check=<optimized out>)
>     at /usr/src/lib/libc/stdlib/malloc.c:1072
> #5  0x000008143e66de14 in ofree (argpool=0x7f7ffffddc00, p=0x81460deec00, clear=0,
>     check=<optimized out>, argsz=0) at /usr/src/lib/libc/stdlib/malloc.c:1431
> #6  0x000008143e66da80 in free (ptr=0x81460deec00) at /usr/src/lib/libc/stdlib/malloc.c:1488
> #7  0x0000081450bcc621 in do_obsd_open (wi=0x81460ded800, iface=0x81460debda0 "iwm0")
>     at openbsd.c:363

Sorry, I had the wrong type. It should be a uint64_t, not an int64_t.

Index: Makefile
===================================================================
RCS file: /var/cvs/ports/security/aircrack-ng/Makefile,v
retrieving revision 1.30
diff -u -p -r1.30 Makefile
--- Makefile    13 Jun 2020 17:38:49 -0000      1.30
+++ Makefile    14 Jul 2020 11:58:25 -0000
@@ -2,7 +2,7 @@
 
 COMMENT=               802.11 WEP and WPA-PSK keys cracking program
 DISTNAME=              aircrack-ng-1.5.2
-REVISION=              3
+REVISION=              4
 CATEGORIES=            security
 
 HOMEPAGE=              https://www.aircrack-ng.org/
Index: patches/patch-src_aircrack-osdep_openbsd_c
===================================================================
RCS file: 
/var/cvs/ports/security/aircrack-ng/patches/patch-src_aircrack-osdep_openbsd_c,v
retrieving revision 1.1
diff -u -p -r1.1 patch-src_aircrack-osdep_openbsd_c
--- patches/patch-src_aircrack-osdep_openbsd_c  13 May 2019 17:15:40 -0000      
1.1
+++ patches/patch-src_aircrack-osdep_openbsd_c  14 Jul 2020 12:06:49 -0000
@@ -11,3 +11,21 @@ Index: src/aircrack-osdep/openbsd.c
  #undef _KERNEL
  #include <net80211/ieee80211_node.h>
  #include <net80211/ieee80211_ioctl.h>
+@@ -322,7 +321,7 @@ static int do_obsd_open(struct wif * wi, char * iface)
+       int s;
+       unsigned int flags;
+       struct ifmediareq ifmr;
+-      int * mwords;
++      uint64_t * mwords;
+       struct priv_obsd * po = wi_priv(wi);
+       unsigned int size = sizeof(po->po_buf);
+ 
+@@ -353,7 +352,7 @@ static int do_obsd_open(struct wif * wi, char * iface)
+ 
+       assert(ifmr.ifm_count != 0);
+ 
+-      mwords = (int *) malloc(ifmr.ifm_count * sizeof(int));
++      mwords = calloc(ifmr.ifm_count, sizeof(*mwords));
+       if (!mwords) goto close_sock;
+       ifmr.ifm_ulist = mwords;
+       if (ioctl(s, SIOCGIFMEDIA, &ifmr) == -1)
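Review bot: the second inner hunk (the calloc change) is the actual fix for the heap overrun the chunk canary caught, since `ifm_count * sizeof(int)` was half the size of a list the kernel fills with 64-bit media words; consider sizing from the struct field rather than the local, i.e. `mwords = calloc(ifmr.ifm_count, sizeof(*ifmr.ifm_ulist));`, so the allocation cannot drift from the kernel's ifm_ulist type again. Two things to verify outside the visible lines: that openbsd.c already includes <stdint.h> (or another header providing uint64_t), because the first inner hunk only shows the net80211 includes, and that nothing later in do_obsd_open still assumes `sizeof(int)` when walking mwords (with the local retyped, `mwords[i]` reads now pick up the 64-bit entries automatically). calloc over `malloc(count * size)` is a good choice here as it also guards the size multiplication against overflow.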
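The size mismatch the thread describes, as an added example that is not code from aircrack-ng or OpenBSD: a constructed model in which the caller sizes the media-word list for ints while a stand-in for the SIOCGIFMEDIA ioctl writes 64-bit words into it, with a marker placed right after the requested bytes to mirror what malloc(3)'s C option checks on free(). The names fake_ifmediareq, fake_siocgifmedia, chunk_alloc, chunk_canary_ok, old_sizing_survives and new_sizing_survives are assumptions of this example, as are the canary byte and the media-word values; the overrun happens inside a deliberately oversized backing region so the model itself stays well-defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not OpenBSD's allocator): a marker byte written after the
 * bytes the caller asked for, checked before the "chunk" is released. */
#define CANARY_BYTE 0xdb
#define CANARY_LEN  8

/* Stand-in for struct ifmediareq with only the two fields used here. */
struct fake_ifmediareq {
    int       ifm_count;
    uint64_t *ifm_ulist;   /* the kernel field is 64-bit, as noted in the thread */
};

/* Stand-in for the SIOCGIFMEDIA ioctl: fills ifm_count 64-bit media words. */
static void fake_siocgifmedia(struct fake_ifmediareq *ifmr)
{
    for (int i = 0; i < ifmr->ifm_count; i++)
        ifmr->ifm_ulist[i] = 0x100000000ULL | (uint64_t)i;   /* constructed values */
}

/* A "chunk": the requested bytes, then the canary, inside one backing region
 * that is large enough to absorb any overrun from the caller's mistake. */
struct chunk {
    unsigned char *region;
    size_t         req;    /* bytes the caller requested */
};

static struct chunk chunk_alloc(size_t req, size_t slack)
{
    struct chunk c;
    c.req = req;
    c.region = calloc(1, req + CANARY_LEN + slack);
    if (c.region == NULL) {
        perror("calloc");
        exit(1);
    }
    memset(c.region + req, CANARY_BYTE, CANARY_LEN);
    return c;
}

/* Mirrors the free()-time check: is every canary byte after the chunk intact? */
static int chunk_canary_ok(const struct chunk *c)
{
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (c->region[c->req + i] != CANARY_BYTE)
            return 0;
    return 1;
}

/* Run the fake ioctl against a buffer of 'req' bytes for 'count' entries and
 * report whether the canary survived (1) or was clobbered (0). */
static int run_with_request(int count, size_t req)
{
    /* slack = worst-case write size, so the overrun never leaves the region */
    struct chunk c = chunk_alloc(req, (size_t)count * sizeof(uint64_t));
    struct fake_ifmediareq ifmr = { count, (uint64_t *)c.region };

    fake_siocgifmedia(&ifmr);
    int ok = chunk_canary_ok(&c);
    free(c.region);
    return ok;
}

/* Pre-fix sizing from the port: ifm_count * sizeof(int). */
int old_sizing_survives(int count)
{
    return run_with_request(count, (size_t)count * sizeof(int));
}

/* Fixed sizing: ifm_count * sizeof(*mwords) with mwords a uint64_t *. */
int new_sizing_survives(int count)
{
    return run_with_request(count, (size_t)count * sizeof(uint64_t));
}

int main(void)
{
    int count = 4;
    printf("old sizing, %d entries: canary intact = %d\n", count, old_sizing_survives(count));
    printf("new sizing, %d entries: canary intact = %d\n", count, new_sizing_survives(count));
    return 0;
}
```

With the old sizing the canary is clobbered for every count, including a single entry (the upper half of the first 64-bit word lands on it), which is why the real program died inside free() rather than at the ioctl; the fixed sizing keeps the marker intact regardless of how many media words the driver reports.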
