dsniff/dsniff-2.4-libnet_name2addr4.patch

141 lines
4.2 KiB
Diff
Raw Normal View History

Patch by Robert Scheck <robert@fedoraproject.org> for dsniff >= 2.4b1 which fixes
possible segmentation faults of arpspoof, sshmitm, webmitm and webspy if any non-
resolving hostname is passed. Issue was introduced by dsniff-2.4-libnet_11.patch;
libnet_name_resolve() was replaced by libnet_name2addr4() while there must be the
structure libnet_t passed additionally. And if that structure is not initialized
using libnet_init() and the passed name can't be resolved (like "192.168.2."), it
causes a snprintf() to NULL and thus the segmentation fault. Note that macof isn't
affected as no resolving was involved here ever. Please also have a look to Red Hat
Bugzilla ID #1009879 for further information.
--- dsniff-2.4/sshmitm.c 2013-12-20 21:19:58.000000000 +0100
+++ dsniff-2.4/sshmitm.c.libnet_name2addr4 2013-12-20 21:29:44.000000000 +0100
@@ -45,6 +45,8 @@
struct sockaddr_in csin, ssin;
int sig_pipe[2];
+static libnet_t *l;
+
static void
usage(void)
{
@@ -364,6 +366,7 @@
u_long ip;
u_short lport, rport;
int c;
+ char libnet_ebuf[LIBNET_ERRBUF_SIZE];
lport = rport = 22;
@@ -390,12 +393,15 @@
if (argc < 1)
usage();
- if ((ip = libnet_name2addr4(NULL, argv[0], LIBNET_RESOLVE)) == -1)
- usage();
-
if (argc == 2 && (rport = atoi(argv[1])) == 0)
usage();
+ if ((l = libnet_init(LIBNET_LINK, NULL, libnet_ebuf)) == NULL)
+ errx(1, "%s", libnet_ebuf);
+
+ if ((ip = libnet_name2addr4(l, argv[0], LIBNET_RESOLVE)) == -1)
+ usage();
+
record_init(NULL);
mitm_init(lport, ip, rport);
--- dsniff-2.4/webmitm.c 2013-12-20 21:19:58.000000000 +0100
+++ dsniff-2.4/webmitm.c.libnet_name2addr4 2013-12-20 21:40:09.000000000 +0100
@@ -47,6 +47,8 @@
int do_ssl, sig_pipe[2];
in_addr_t static_host = 0;
+static libnet_t *l;
+
extern int decode_http(char *, int, char *, int);
static void
@@ -242,7 +244,7 @@
word = buf_tok(&msg, "/", 1);
vhost = buf_strdup(word);
}
- ssin.sin_addr.s_addr = libnet_name2addr4(NULL, vhost, 1);
+ ssin.sin_addr.s_addr = libnet_name2addr4(l, vhost, LIBNET_RESOLVE);
free(vhost);
if (ssin.sin_addr.s_addr == ntohl(INADDR_LOOPBACK) ||
@@ -496,6 +498,7 @@
extern char *optarg;
extern int optind;
int c;
+ char libnet_ebuf[LIBNET_ERRBUF_SIZE];
while ((c = getopt(argc, argv, "dh?V")) != -1) {
switch (c) {
@@ -509,8 +512,11 @@
argc -= optind;
argv += optind;
+ if ((l = libnet_init(LIBNET_LINK, NULL, libnet_ebuf)) == NULL)
+ errx(1, "%s", libnet_ebuf);
+
if (argc == 1) {
- if ((static_host = libnet_name2addr4(NULL, argv[0], 1)) == -1)
+ if ((static_host = libnet_name2addr4(l, argv[0], LIBNET_RESOLVE)) == -1)
usage();
}
else if (argc != 0) usage();
--- dsniff-2.4/webspy.c 2013-12-20 21:19:58.000000000 +0100
+++ dsniff-2.4/webspy.c.libnet_name2addr4 2013-12-20 21:45:57.000000000 +0100
@@ -33,6 +33,7 @@
extern int mozilla_remote_commands (Display *, Window, char **);
char *expected_mozilla_version = "4.7";
char *progname = "webspy";
+static libnet_t *l;
Display *dpy;
char cmd[2048], *cmdtab[2];
@@ -183,6 +184,7 @@
extern char *optarg;
extern int optind;
int c;
+ char libnet_ebuf[LIBNET_ERRBUF_SIZE];
while ((c = getopt(argc, argv, "i:p:h?V")) != -1) {
switch (c) {
@@ -205,7 +207,10 @@
cmdtab[0] = cmd;
cmdtab[1] = NULL;
- if ((host = libnet_name2addr4(NULL, argv[0], 1)) == -1)
+ if ((l = libnet_init(LIBNET_LINK, NULL, libnet_ebuf)) == NULL)
+ errx(1, "%s", libnet_ebuf);
+
+ if ((host = libnet_name2addr4(l, argv[0], LIBNET_RESOLVE)) == -1)
errx(1, "unknown host");
if ((dpy = XOpenDisplay(NULL)) == NULL)
--- dsniff-2.4/arpspoof.c 2013-12-20 22:00:53.000000000 +0100
+++ dsniff-2.4/arpspoof.c.libnet_name2addr4 2013-12-20 22:00:38.000000000 +0100
@@ -207,6 +207,9 @@
/* allocate enough memory for target list */
targets = calloc( argc+1, sizeof(struct host) );
+ if ((l = libnet_init(LIBNET_LINK, NULL, libnet_ebuf)) == NULL)
+ errx(1, "%s", libnet_ebuf);
+
while ((c = getopt(argc, argv, "ri:t:c:h?V")) != -1) {
switch (c) {
case 'i':
@@ -263,6 +266,8 @@
if ((spoof.ip = libnet_name2addr4(l, argv[0], LIBNET_RESOLVE)) == -1)
usage();
+ libnet_destroy(l);
+
if (intf == NULL && (intf = pcap_lookupdev(pcap_ebuf)) == NULL)
errx(1, "%s", pcap_ebuf);