Security #8143 (open)
Misaligned access to ip header data.
Description
During a fuzz session with the undefined sanitizer enabled, fuzz_sigpcap discovered misaligned access to ip header data.
The core reason is that access to ip header data is determined by protocol and not by memory access rules.
For example, most of the findings include ethernet traffic, which has this line of code:
DecodeNetworkLayer(tv, dtv, SCNtohs(ethh->eth_type), p, pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN);
Where ETHERNET_HEADER_LEN is 14. Since pkt is already aligned and 14 doesn't satisfy fundamental alignment, the result is a misaligned address.
The other discovered example is DecodePPP, which may add +2 to the already aligned pkt.
The problem is that on some platforms misaligned access may lead to a DoS attack, and on those where it doesn't, it reduces performance.
If I'm right, the CVSS v3 vector is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
And the base score is 5.9.
The simplest solution is to use memcpy, which doesn't have these problems, but the right one is to rework the whole access to that data, so it's not determined by protocol pointer offsets.
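The alignment arithmetic from the description, together with a memcpy-based field read, as an added example that is not part of the original report and is not Suricata code. The helper names and the sample frame are hypothetical and constructed for illustration; only ETHERNET_HEADER_LEN = 14 comes from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETHERNET_HEADER_LEN 14 /* value quoted in the report */

/* Hypothetical helper: 1 if p is not aligned for an `align`-byte load. */
int is_misaligned(const void *p, size_t align)
{
    return ((uintptr_t)p % align) != 0;
}

/* Hypothetical helpers: read network-order fields through memcpy, so the
 * load has no alignment requirement and no dependence on host byte order. */
uint16_t load_be16(const uint8_t *p)
{
    uint8_t b[2];
    memcpy(b, p, sizeof(b));
    return (uint16_t)(((uint16_t)b[0] << 8) | b[1]);
}

uint32_t load_be32(const uint8_t *p)
{
    uint8_t b[4];
    memcpy(b, p, sizeof(b));
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

/* Constructed sample: Ethernet header + minimal IPv4 header, buffer start
 * forced to 4-byte alignment (checksum left as zero, it is not used here). */
_Alignas(4) uint8_t sample_frame[ETHERNET_HEADER_LEN + 20] = {
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   /* dst MAC */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x02,   /* src MAC */
    0x08, 0x00,                           /* eth_type: IPv4 */
    0x45, 0x00, 0x00, 0x14,               /* version/IHL, TOS, total length */
    0x00, 0x00, 0x00, 0x00,               /* id, flags/fragment offset */
    0x40, 0x06, 0x00, 0x00,               /* TTL, protocol, checksum */
    0xC0, 0x00, 0x02, 0x01,               /* src 192.0.2.1 */
    0xC6, 0x33, 0x64, 0x02                /* dst 198.51.100.2 */
};

/* pkt + 14 on a 4-byte aligned pkt: 14 % 4 == 2, so a uint32_t load of an
 * IPv4 address through a struct pointer at this offset is misaligned. */
int sample_ip_header_misaligned(void)
{
    return is_misaligned(sample_frame + ETHERNET_HEADER_LEN, 4);
}

/* Source address sits 12 bytes into the IPv4 header. */
uint32_t sample_ipv4_src(void)
{
    return load_be32(sample_frame + ETHERNET_HEADER_LEN + 12);
}
```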
Updated by Victor Julien about 10 hours ago
- Is duplicate of Bug #4736: ubsan: misaligned memory loads added
Updated by Victor Julien about 10 hours ago
All platforms we care about support unaligned access. There may be a small perf penalty but so would there be with memcpy. The claim of DoS is not backed up by any data.
Updated by Sergey Zhidkih about 8 hours ago
Victor Julien wrote in #note-2:
> All platforms we care about support unaligned access. There may be a small perf penalty but so would there be with memcpy. The claim of DoS is not backed up by any data.
Can you list all mainly supported platforms?
Or I can simply use the list from here:
https://github.com/OISF/suricata/blob/83d8b1d2f838086b9f4cd4aca6bb9aa0e93835ab/doc/userguide/support-status.rst#L18