Parsing bug of the week
February 28, 2013  

You don’t see this too often: a Linux kernel vulnerability with exploits in the wild. Not that Linux has great security—at this point Microsoft clearly has a better culture and process in place. But in contrast with Microsoft, Linux on the desktop has “security” by obscurity. And that’s a good thing.

Here the bug is in Netlink, a standard for interprocess communication in Linux. To use Netlink, the sending process writes a structured packet to a socket. On the other end, the receiving process reads the packet and destructures it. The bug occurs in the destructuring, as you can see from this patch. Essentially it is a missing bounds check that can lead to a buffer overflow.

Packet destructuring is of course a kind of parsing, and one that is particularly susceptible to bugs. To get an idea of how prevalent they are, just do a search for bugs in Wireshark (formerly Ethereal) “dissectors.”

Packet parsers are usually written by hand, perhaps because packet formats usually contain length fields, which make them context sensitive and hence not well supported by tools like yacc. You’d need a dependent parser like Yakker or a special tool like NPG to handle most packet formats. The upside of using a generator, of course, is that it can insert proper bounds checks in every parser it generates.
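As an added illustration of the two points above, the missing bounds check in the destructuring and the context sensitivity that a length field introduces (this is example code written for this post, not code from the post or from the kernel patch it refers to): a walk over a Netlink-style attribute stream, first trusting the length field and then with the tests the kernel's `nla_ok()` makes. `struct nl_attr` mirrors the two fields of `struct nlattr` but is declared locally so the code builds anywhere; the walkers, `put_attr` and `run_sample` are assumed names for this example, and the 16-byte message is constructed here. The naive walker never dereferences past the buffer; it reports how far a parser that copied `nla_len` bytes would have run past the end, which is the quantity a bounds check has to refuse. The length field is what makes the format context sensitive: how many bytes the parser consumes next depends on data it has just read, so the check has to happen at that point rather than in a static grammar.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Attribute header as Netlink lays it out (the two fields of struct nlattr in
 * <linux/netlink.h>): total length of header plus payload, then a type.  The
 * payload follows; the next attribute starts at the next 4-byte boundary.
 * Declared locally so the example builds on any platform. */
struct nl_attr {
    uint16_t nla_len;
    uint16_t nla_type;
};

#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN ((int)NLA_ALIGN(sizeof(struct nl_attr)))

struct walk_result {
    int accepted;    /* attributes whose length field fit the buffer */
    int malformed;   /* checked walker: 1 if it refused an attribute */
    size_t overrun;  /* naive walker: bytes past the buffer that nla_len asked for */
};

/* Naive walker: takes nla_len at face value, as the buggy destructuring took its
 * length field.  It never touches memory past the buffer; instead it reports how
 * many bytes a parser that copied nla_len bytes would have read beyond the end. */
struct walk_result walk_naive(const unsigned char *buf, int len)
{
    struct walk_result r = {0, 0, 0};
    int off = 0;
    while (off + NLA_HDRLEN <= len) {
        struct nl_attr h;
        memcpy(&h, buf + off, sizeof h);   /* copy out: buf need not be aligned */
        int end = off + h.nla_len;         /* payload end, according to the packet */
        if (end > len) {                   /* the copy would run off the buffer here */
            r.overrun = (size_t)(end - len);
            return r;
        }
        r.accepted++;
        off += NLA_ALIGN(h.nla_len);
    }
    return r;
}

/* Checked walker: the tests the kernel's nla_ok() makes, applied before an
 * attribute's header or payload is used. */
struct walk_result walk_checked(const unsigned char *buf, int len)
{
    struct walk_result r = {0, 0, 0};
    int off = 0, remaining = len;
    while (remaining >= NLA_HDRLEN) {      /* room for a header */
        struct nl_attr h;
        memcpy(&h, buf + off, sizeof h);
        if (h.nla_len < NLA_HDRLEN ||      /* must cover its own header, so the walk always advances */
            (int)h.nla_len > remaining) {  /* payload must fit in what is left */
            r.malformed = 1;
            return r;
        }
        r.accepted++;
        off += NLA_ALIGN(h.nla_len);
        remaining -= NLA_ALIGN(h.nla_len); /* may go negative after a trailing unpadded attribute; the loop then ends */
    }
    return r;
}

/* Append one attribute (header, payload, zero padding); returns the new length. */
static int put_attr(unsigned char *buf, int off, uint16_t type, const void *payload, uint16_t plen)
{
    struct nl_attr h = { (uint16_t)(NLA_HDRLEN + plen), type };
    int total = NLA_ALIGN(NLA_HDRLEN + plen);
    memcpy(buf + off, &h, sizeof h);
    memcpy(buf + off + NLA_HDRLEN, payload, plen);
    memset(buf + off + NLA_HDRLEN + plen, 0, (size_t)(total - NLA_HDRLEN - plen));
    return off + total;
}

/* Constructed 16-byte message: a 4-byte name (type 1) then a 32-bit value (type 2).
 * If forged_len >= 0, the first attribute's length field is overwritten with it
 * while the buffer stays 16 bytes.  Returns the buffer length. */
int run_sample(int forged_len, struct walk_result *naive, struct walk_result *checked)
{
    unsigned char msg[32];
    uint32_t value = 1500;
    int len = put_attr(msg, 0, 1, "eth0", 4);
    len = put_attr(msg, len, 2, &value, sizeof value);
    if (forged_len >= 0) {
        struct nl_attr forged = { (uint16_t)forged_len, 1 };
        memcpy(msg, &forged, sizeof forged);
    }
    /* A walker that trusts a length below the header size never advances, so the
     * naive one is only run on inputs it can terminate on. */
    memset(naive, 0, sizeof *naive);
    if (forged_len < 0 || forged_len >= NLA_HDRLEN)
        *naive = walk_naive(msg, len);
    *checked = walk_checked(msg, len);
    return len;
}
```

Calling `run_sample(-1, &n, &c)` walks the well-formed message and both walkers accept two attributes. Calling `run_sample(60, &n, &c)` keeps the same 16 bytes but makes the first length field claim 60: the naive walker reports that a trusting copy would have read 44 bytes past the end, while the checked walker stops on the first attribute with `malformed` set. A forged length of 0 is the other edge the lower-bound test exists for; without it a trusting walker would spin on the same attribute forever, so the sample only runs the checked walker on that input.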