Are all sizes validated in QNet?
Oleh Derevenko
11/19/2011 7:00 AM
post90198
Hi!
This relates to QNX 6.3.0SP3, so I don't know whether things are different in the current version or not, but just FYI.
I've been investigating a crash of io-net which happened after ~7 days of running an application test.
The program terminated on signal 11 with the following call stack:
#0 0xb8216e28 in l4_crc32 () from /usr/qnx630/target/qnx6/x86/lib/dll/npm-qnet-l4_lite.so
#1 0xb821cfa4 in l4_rx () from /usr/qnx630/target/qnx6/x86/lib/dll/npm-qnet-l4_lite.so
#2 0xb8218435 in ?? () from /usr/qnx630/target/qnx6/x86/lib/dll/npm-qnet-l4_lite.so
Looking at the l4_crc32 disassembly dump in GDB, I could assume it was accessing data via the first IOV element. Luckily, the IOV was still available in the stack frame:
(gdb) x /2x 0x07f93d88
0x7f93d88: 0x0807a66c 0xeef3f024
As you can see, the base is valid but the size is junk. So, the question is: if QNet extracts some payload sizes from packet data, does the code validate those sizes so that they do not exceed packet boundaries?
Here is the dump of the first 128 bytes of the packet (obtained via the IOV element's base) in the core file.
0x807a65c: 0x00 0x01 0x05 0x01 0x65 0x28 0x00 0x15
0x807a664: 0x5d 0x0a 0xdd 0x01 0x82 0x04 0x00 0x00
0x807a66c: 0x2a 0x02 0x07 0x00 0x20 0x00 0x16 0x00
0x807a674: 0x33 0x06 0x00 0x00 0x05 0x00 0x00 0x00
0x807a67c: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x807a684: 0x00 0x00 0xf3 0xee 0x00 0xf0 0xf3 0xee
0x807a68c: 0x00 0x00 0x00 0x00 0x00 0xf0 0xf3 0xee
0x807a694: 0x00 0xf0 0xf3 0xee 0x00 0xf0 0x54 0xff
0x807a69c: 0x00 0xf0 0xbf 0x00 0x00 0xf0 0x67 0x00
0x807a6a4: 0x00 0xf0 0xa5 0xfe 0x00 0xf0 0x87 0xe9
0x807a6ac: 0x00 0xf0 0xf3 0xee 0x00 0xf0 0xf3 0xee
0x807a6b4: 0x00 0xf0 0xf3 0xee 0x00 0xf0 0xf3 0xee
0x807a6bc: 0x00 0xf0 0x57 0xef 0x00 0xf0 0x53 0xff
0x807a6c4: 0x00 0xf0 0x48 0x11 0x00 0xc8 0x4d 0xf8
0x807a6cc: 0x00 0xf0 0x41 0xf8 0x00 0xf0 0x58 0x15
0x807a6d4: 0x00 0xf0 0x39 0xe7 0x00 0xf0 0x59 0xf8
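The check the post is asking about, as an added example that is not QNet's or QNX's code: a receive-side parser that takes a length field from the packet and refuses to build an IOV or run a CRC over it unless the advertised length fits inside the bytes actually received. The 4-byte header layout, the `parse_payload_iov` and `checked_crc32` names and the use of POSIX `struct iovec` in place of io-net's IOV are assumptions for illustration, not the real QNet wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/uio.h>   /* struct iovec, used here in place of io-net's IOV */

/* Hypothetical header (not QNet's real format): 2-byte type, then a
 * 2-byte little-endian payload length, then the payload itself. */
#define HDR_LEN 4

/* Bitwise CRC-32 (IEEE 802.3 reflected polynomial), table-free for brevity. */
static uint32_t crc32_buf(const void *data, size_t len) {
    const uint8_t *p = data;
    uint32_t crc = 0xFFFFFFFFu;
    while (len--) {
        crc ^= *p++;
        for (int i = 0; i < 8; i++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Point an IOV at the payload only if the advertised length lies within the
 * received buffer. Returns 0 on success, -1 if the packet must be dropped. */
int parse_payload_iov(const uint8_t *pkt, size_t pkt_len, struct iovec *iov) {
    if (pkt == NULL || pkt_len < HDR_LEN)
        return -1;                              /* truncated header */
    uint16_t adv = (uint16_t)(pkt[2] | (pkt[3] << 8));
    /* Never trust a size taken from packet data until it has been compared
     * against the number of bytes that were actually received. */
    if ((size_t)adv > pkt_len - HDR_LEN)
        return -1;                              /* size exceeds packet */
    iov->iov_base = (void *)(pkt + HDR_LEN);
    iov->iov_len = adv;
    return 0;
}

/* CRC over the validated IOV only; a junk length never reaches crc32_buf.
 * Returns 0 and sets *out, or -1 when the packet was rejected. */
int checked_crc32(const uint8_t *pkt, size_t pkt_len, uint32_t *out) {
    struct iovec iov;
    if (parse_payload_iov(pkt, pkt_len, &iov) != 0)
        return -1;
    *out = crc32_buf(iov.iov_base, iov.iov_len);
    return 0;
}
```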