azat/libevent-317-net-overread-in-name_parse.gdb

## libevent-317-net-overread-in-name_parse.gdb
set $PROT_NONE=0x0
set $PROT_READ=0x1
set $PROT_WRITE=0x2
set $MAP_ANONYMOUS=0x20
set $MAP_SHARED=0x01
set $MAP_FIXED=0x10
set $MAP_32BIT=0x40

start

set $length=202
# overread
set $length=2
# allocate with mmap to have a seg fault on page boundary
set $l=(1<<20)*2
p mmap(0, $l, $PROT_READ|$PROT_WRITE, $MAP_ANONYMOUS|$MAP_SHARED|$MAP_32BIT, -1, 0)
set $packet=(char *)$1+$l-$length
# hack the packet
set $packet[0]=63
set $packet[1]='/'

p malloc(sizeof(int))
set $idx=(int *)$2
set $idx[0]=0
set $name_out_len=202

p malloc($name_out_len)
set $name_out=$3

# have WRITE only mapping to fail on read
set $end=$1+$l
p (void *)mmap($end, 1<<12, $PROT_NONE, $MAP_ANONYMOUS|$MAP_SHARED|$MAP_FIXED|$MAP_32BIT, -1, 0)
set $m=$4

p name_parse($packet, $length, $idx, $name_out, $name_out_len)
x/2s (char *)$name_out
	set $PROT_NONE=0x0
	set $PROT_READ=0x1
	set $PROT_WRITE=0x2
	set $MAP_ANONYMOUS=0x20
	set $MAP_SHARED=0x01
	set $MAP_FIXED=0x10
	set $MAP_32BIT=0x40

	start

	set $length=202
	# overread
	set $length=2
	# allocate with mmap to have a seg fault on page boundary
	set $l=(1<<20)*2
	p mmap(0, $l, $PROT_READ\|$PROT_WRITE, $MAP_ANONYMOUS\|$MAP_SHARED\|$MAP_32BIT, -1, 0)
	set $packet=(char *)$1+$l-$length
	# hack the packet
	set $packet[0]=63
	set $packet[1]='/'

	p malloc(sizeof(int))
	set $idx=(int *)$2
	set $idx[0]=0
	set $name_out_len=202

	p malloc($name_out_len)
	set $name_out=$3

	# have WRITE only mapping to fail on read
	set $end=$1+$l
	p (void *)mmap($end, 1<<12, $PROT_NONE, $MAP_ANONYMOUS\|$MAP_SHARED\|$MAP_FIXED\|$MAP_32BIT, -1, 0)
	set $m=$4

	p name_parse($packet, $length, $idx, $name_out, $name_out_len)
	x/2s (char *)$name_out