libnl segmentation fault
Borja Ruiz-Castro
bruiz at alienvault.com
Sat Apr 21 12:04:01 EDT 2012
Hi!
Yep, you're right! I'm looking at the lorcon source code!
Cheers!
Borja.
On 21 April 2012 17:18, Thomas Graf <tgraf at infradead.org> wrote:
> On Sat, Apr 21, 2012 at 04:57:44PM +0200, Borja Ruiz-Castro wrote:
> > Hi!
> >
> > I think I just found a bug using lorcon + libnl (segmentation fault)
> >
> > The problem is genl_unregister():
> >
> >
> > (gdb) disass 0x00007ffff77afb8d
> > Dump of assembler code for function genl_unregister:
> > => 0x00007ffff77afb80 <+0>: push %rbx
> > 0x00007ffff77afb81 <+1>: mov %rdi,%rbx
> > 0x00007ffff77afb84 <+4>: callq 0x7ffff778dbf0 <nl_cache_mngt_unregister@plt>
> > 0x00007ffff77afb89 <+9>: mov 0x40(%rbx),%rax
> > * 0x00007ffff77afb8d <+13>: mov 0x28(%rax),%rdx*
> > 0x00007ffff77afb91 <+17>: mov 0x30(%rax),%rcx
> > 0x00007ffff77afb95 <+21>: mov %rcx,0x8(%rdx)
> > 0x00007ffff77afb99 <+25>: mov 0x30(%rax),%rax
> > 0x00007ffff77afb9d <+29>: mov %rdx,(%rax)
> > 0x00007ffff77afba0 <+32>: pop %rbx
> > 0x00007ffff77afba1 <+33>: retq
> > End of assembler dump.
> >
> >
> > A segmentation fault occurs when trying to copy %rdx into (%rax)+0x28,
> > because the contents of %eax are 0x00!
>
> Looks like NULL is passed to genl_unregister() which would be a
> bug in the application.
>
--
Borja Ruiz-Castro
Senior Security Consultant
QA testing engineer
AlienVault Europe C/Cronos 63, Planta 2a, Oficina 6
CP: 28037 Madrid, Spain Tlf +34 91 515-1344
Fax +34 91 413-5968
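The NULL dereference Thomas describes, as an added example that is not libnl or lorcon code: a stand-alone C model of the unlink sequence in the disassembly above (load the pointer at 0x40(%rbx), read prev/next at 0x28/0x30 of it, store them crosswise into each other). All structure and field names here (cache_ops_model, genl, o_list, register_model, unregister_unguarded, unregister_guarded) are hypothetical and are not libnl's; the point is to show why an object whose embedded pointer is still NULL, or a NULL object, faults at the first list read, and what a caller-side check that returns an error instead looks like.

```c
/* Added example, not libnl code. Models the list unlink that the
 * genl_unregister() disassembly performs, with hypothetical names. */
#include <stddef.h>

/* Doubly linked list node. In the dump the prev pointer is read at
 * 0x28(%rax) and the next pointer at 0x30(%rax); the field order here
 * is a hypothetical layout, only the unlink sequence matters. */
struct list_head {
    struct list_head *prev;
    struct list_head *next;
};

/* Model of the block reached through the pointer at 0x40(%rbx). */
struct genl_block {
    struct list_head o_list;
};

/* Model of the object passed in %rdi. Hypothetical field name. */
struct cache_ops_model {
    struct genl_block *genl;   /* stays NULL until registered */
};

static void list_init(struct list_head *head)
{
    head->prev = head->next = head;
}

static void list_add(struct list_head *head, struct list_head *n)
{
    n->next = head->next;
    n->prev = head;
    head->next->prev = n;
    head->next = n;
}

/* The unlink the dump performs at <+21> and <+29>:
 * prev->next = next; next->prev = prev. */
static void list_del(struct list_head *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
    n->prev = n->next = NULL;
}

static int list_count(const struct list_head *head)
{
    int c = 0;
    for (const struct list_head *p = head->next; p != head; p = p->next)
        c++;
    return c;
}

/* Attach a block to the object and link it into the list. */
static void register_model(struct list_head *head,
                           struct cache_ops_model *ops,
                           struct genl_block *blk)
{
    ops->genl = blk;
    list_add(head, &blk->o_list);
}

/* Unguarded unregister, matching the dump: the pointer at 0x40 is
 * loaded and dereferenced with no check, so a NULL ops, or an object
 * that was never registered (genl still NULL), faults on the first
 * list read, the "mov 0x28(%rax),%rdx" in the dump. Never call this
 * with such an object; it is here only to show the crashing path. */
void unregister_unguarded(struct cache_ops_model *ops)
{
    list_del(&ops->genl->o_list);
}

/* Guarded unregister: returns 0 after unlinking, -1 when there is
 * nothing to unlink (NULL, never registered, or already unregistered). */
static int unregister_guarded(struct cache_ops_model *ops)
{
    if (ops == NULL || ops->genl == NULL)
        return -1;
    if (ops->genl->o_list.prev == NULL || ops->genl->o_list.next == NULL)
        return -1;
    list_del(&ops->genl->o_list);
    ops->genl = NULL;
    return 0;
}

/* Walk the scenario: two registered objects, one unregistered twice,
 * one never registered, one NULL. Returns the nodes still linked. */
static int demo(void)
{
    struct list_head head;
    struct genl_block b1, b2;
    struct cache_ops_model a = {0}, b = {0}, never = {0};

    list_init(&head);
    register_model(&head, &a, &b1);
    register_model(&head, &b, &b2);

    (void)unregister_guarded(&a);       /* 0: unlinked */
    (void)unregister_guarded(&a);       /* -1: already gone, no crash */
    (void)unregister_guarded(&never);   /* -1: genl is NULL, the crashing case */
    (void)unregister_guarded(NULL);     /* -1: NULL object */
    /* unregister_unguarded(&never) would reproduce the fault. */
    return list_count(&head);           /* 1: only b remains */
}
```

The guarded version is the check the application side would add before calling the library's unregister routine: unregister only what was actually registered, and clear the pointer so a second call is a harmless error rather than a double unlink.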