[Winpcap-bugs] RE: Crash in pcap_open when using incorrect flag

Mark Bednarczyk voytechs at yahoo.com
Thu Aug 9 21:05:45 GMT 2007


I attached a small C++ program that I used to isolate this case.

It is not normal behaviour to provide incorrect flags like this. jNetPcap
is a Java wrapper that forwards calls from Java to the native WinPcap library.
But I do test for incorrect usage of the API (from the Java side). It's only by
error that a user would supply this combination and cause a crash. Since this is
run under the Java VM, it causes the entire Java VM to crash in a very nasty way.
So it needs to be fixed. I already implemented a fix on my end and my
wrapper catches this error before ever passing it on to pcap_open.


And here is my wrapper's open method. Much more involved obviously, but you
can see the fix I did in it to catch this:


/*
 * Class:     org_jnetpcap_winpcap_WinPcap
 * Method:    open
 * Signature: (Ljava/lang/String;IIILorg/jnetpcap/winpcap/WinPcapRmtAuth;Ljava/lang/StringBuilder;)Lorg/jnetpcap/winpcap/WinPcap;
 */
JNIEXPORT jobject JNICALL
Java_org_jnetpcap_winpcap_WinPcap_open
(JNIEnv *env, jclass clazz, jstring jsource, jint jsnaplen, jint jflags,
		jint jtimeout, jobject jauth, jobject jerrbuf) {

	if (jsource == NULL || jerrbuf == NULL) {
		throwException(env, NULL_PTR_EXCEPTION, NULL);
		return NULL;
	}

	char errbuf[PCAP_ERRBUF_SIZE];
	errbuf[0] = '\0'; // Reset the buffer

	char *source = (char *) env->GetStringUTFChars(jsource, 0);

#ifndef DONT_FIX_WINPCAP_BUGS
	/*
	 * 2007-08-09 - Mark Bednarczyk
	 * There is a bug in WinPcap where flags | 8 == 8 or flag | 16 == 16 and the
	 * device name is wrong (pcap_open_live would fail), wpdpack doesn't catch
	 * it and crashes. We need to test for valid device name for IFLOCAL type
	 * ourselves.
	 */
	char host[PCAP_BUF_SIZE], port[PCAP_BUF_SIZE], name[PCAP_BUF_SIZE];
	int type = 0;
	if (pcap_parsesrcstr(source, &type, host, port, name, errbuf) == -1) {
		env->ReleaseStringUTFChars(jsource, source); // Release the UTF chars on this error path too
		setString(env, jerrbuf, errbuf); // Even if no error, could have warning msg
		return NULL; // error already set in errbuf
	}

	if (type == PCAP_SRC_IFLOCAL) {
		int flags = (int) jflags;
		// Probe the local device with pcap_open_live first: it fails cleanly on a
		// bad device name, where pcap_open with flags 8 or 16 crashes instead.
		pcap_t *temp = pcap_open_live(
				name,
				(int) jsnaplen,
				(flags & PCAP_OPENFLAG_PROMISCUOUS),
				(int) jtimeout,
				errbuf);

		if (temp == NULL) {
			env->ReleaseStringUTFChars(jsource, source);
			setString(env, jerrbuf, errbuf); // Even if no error, could have warning msg
			return NULL; // error already set in errbuf
		} else {
			pcap_close(temp); // Close it, and let the call pass through
		}
	}
#endif

	pcap_rmtauth buf;
	pcap_rmtauth *auth = (jauth != NULL) ? getWinPcapRmtAuth(env, jauth, &buf) : NULL;

	pcap_t *p = pcap_open(source, (int) jsnaplen, (int) jflags, (int) jtimeout,
			auth, errbuf); // auth is NULL when no WinPcapRmtAuth was supplied
	setString(env, jerrbuf, errbuf); // Even if no error, could have warning msg
	env->ReleaseStringUTFChars(jsource, source);

	if (p == NULL) {
		return NULL;
	}

	/*
	 * Use a no-arg constructor and initialize 'physical' field using
	 * special JNI privileges.
	 */
	jobject obj = env->NewObject(clazz, winPcapConstructorMID);
	setPhysical(env, obj, toLong(p));

	return obj;
}


I have a wrapper function around all of the libpcap and winpcap calls.

Javadoc:
http://jnetpcap.sourceforge.net/docs/jnetpcap-1.0b3-javadoc/index.html

Cheers,
mark...

> -----Original Message-----
> From: Gianluca Varenni [mailto:gianluca.varenni at cacetech.com] 
> Sent: Thursday, August 09, 2007 4:50 PM
> To: voytechs at yahoo.com; winpcap-bugs at winpcap.org
> Subject: Re: [Winpcap-bugs] RE: Crash in pcap_open when using 
> incorrect flag
> 
> Can you please send me a small application based on your java 
> wrapper that exploits this behavior?
> 
> Thanks
> GV
> 
> ----- Original Message -----
> From: "Mark Bednarczyk" <voytechs at yahoo.com>
> To: "'Gianluca Varenni'" <gianluca.varenni at cacetech.com>; 
> <winpcap-bugs at winpcap.org>
> Sent: Thursday, August 09, 2007 12:50 PM
> Subject: RE: [Winpcap-bugs] RE: Crash in pcap_open when using 
> incorrect flag
> 
> 
> >I still get a crash with the patched library when I set flag 
> values 8 
> >or 16  and the device name is invalid in the source string.
> >
> > Cheers,
> > mark...
> >
> >
> > _______________________________________________
> > Winpcap-bugs mailing list
> > Winpcap-bugs at winpcap.org
> > https://www.winpcap.org/mailman/listinfo/winpcap-bugs
> 
-------------- next part --------------
#include <iostream>
#include <cstring>   // strcpy
using namespace std;

#include <pcap.h>
#include <Win32-Extensions.h>

int main() {

	char errbuf[1024];
	char source[1024];
	// Local source string with an invalid device name (note "PF_" instead of "NPF_").
	strcpy(source, "rpcap://\\Device\\PF_{BC81C4FC-242F-4F1C-9DAD-EA9523CC992D}");
	char device[1024];
	// A well-formed device name, only used by the commented-out pcap_open_live call.
	strcpy(device, "\\Device\\NPF_{04BD71F0-BAD6-4C51-96A4-B05562FAD4F9}");

	cout << "source=" << source << "\n";

	int snap = 64 * 1024;
	int flags = 8;       // 8 (or 16) together with the invalid device name triggers the crash
	int timeout = 1000;
	pcap_rmtauth *auth = NULL;

	cout << "BEFORE\n";
//	pcap_t *p = pcap_open_live(device, snap, flags, timeout, errbuf);
	pcap_t *p = pcap_open(source, snap, flags, timeout, auth, errbuf);
	cout << "AFTER\n";

	if (p != NULL) {
		pcap_close(p);
	} else {
		cout << "pcap_open failed: " << errbuf << "\n";
	}
	cout << "CLOSE\n";

	return 0;
}

