EtherLeak: Ethernet Frame Padding Information ... - Leet Upload
EtherLeak: Ethernet Frame Padding Information ... - Leet Upload
EtherLeak: Ethernet Frame Padding Information ... - Leet Upload
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
8<br />
02 write_packet(ioaddr, length, skb->data, dev->if_port);<br />
}<br />
lp->pac_cnt_in_tx_buf++;<br />
if (lp->tx_unit_busy == 0) {<br />
trigger_send(ioaddr, length);<br />
lp->saved_tx_size = 0; /* Redundant */<br />
lp->re_tx = 0;<br />
lp->tx_unit_busy = 1;<br />
} else<br />
lp->saved_tx_size = length;<br />
/* Re-enable the LPT interrupts. */<br />
write_reg(ioaddr, IMR, ISR_RxOK | ISR_TxErr | ISR_TxOK);<br />
write_reg_high(ioaddr, IMR, ISRh_RxErr);<br />
dev->trans_start = jiffies;<br />
dev_kfree_skb (skb);<br />
return 0;<br />
The skb structure contains a pointer to the frame construction buffer at skb->data and<br />
the size of the frame within that buffer at skb->len. The code at line 01 uses a C<br />
language construct to initialize length to the greater of the two size values: ETH_ZLEN or<br />
skb->len. Therefore, if the length of the frame is less than the <strong>Ethernet</strong> minimum<br />
(ETH_ZLEN) it will be rounded up to that minimum. The value of length is then used<br />
when copying the frame out from the skb->data buffer to the hardware device (line 02).<br />
The contents of the pad bytes is heavily dependent on system load. Due to the large<br />
address space of kernel memory and small number of pad bytes it is extremely unlikely<br />
that sensitive information will be leaked. However the origin of these pad bytes makes<br />
any such information potentially devastating.<br />
3.2.2 <strong>Frame</strong> Capture<br />
The following packet capture demonstrates how the contents of the pad bytes change as<br />
different portions of kernel memory are used for the construction of ICMP echo reply<br />
packets.<br />
14:18:48.146095 10.50.1.60 > 10.50.1.53: icmp: echo request (DF) (ttl<br />
64, id 0, len 29)<br />
4500 001d 0000 4000 4001 240c 0a32 013c<br />
0a32 0135 0800 83f9 5206 2200 00<br />
14:18:48.146393 10.50.1.53 > 10.50.1.60: icmp: echo reply (ttl 255,<br />
id 3747, len 29)<br />
4500 001d 0ea3 0000 ff01 9668 0a32 0135<br />
0a32 013c 0000 8bf9 5206 2200 0059 0100<br />
6c02 0000 c006 0000 0600 0000 0010<br />
14:18:49.146095 10.50.1.60 > 10.50.1.53: icmp: echo request (DF) (ttl<br />
64, id 0, len 29)<br />
4500 001d 0000 4000 4001 240c 0a32 013c<br />
0a32 0135 0800 82f9 5206 2300 00<br />
14:18:49.146387 10.50.1.53 > 10.50.1.60: icmp: echo reply (ttl 255,<br />
id 3749, len 29)<br />
4500 001d 0ea5 0000 ff01 9666 0a32 0135<br />
0a32 013c 0000 8af9 5206 2300 0000 4003<br />
2300 4003 f101 1200 ed01 feff 0000<br />
<strong>EtherLeak</strong>: <strong>Ethernet</strong> frame padding information leakage<br />
Copyright © 2003, @stake Inc. All Rights Reserved.