Ticket #4770: kdl.cpp

/*
    kdl.cpp
    (c)2009 Caitlin Shaw, GPL (as if anyone actually wants this)


    * this program causes a "Page fault in kernel space" under Haiku r33411,
      crashing the system via KDL. it contacts Google in order to get a remote peer
      which will send data to it, thus it requires internet access to function.

    * the crash occurs because the recv() function apparently both runs from within
      kernel space and does no checking on the validity of it's buffer, and so passing
      an invalid pointer as the buffer to recv() will bring down the whole system.

    * have not checked but it seems it might possibly be a problem for priveledge
      escalation? if the memory is being clobbered with ring 0 authority.

    * this is a distilled version of a bug discovered in one of my real programs.

*/

#include <stdio.h>
#include <netdb.h>
#include <memory.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/tcp.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>

unsigned int net_dnslookup(const char *host);
uint connect_tcp(uint ip, ushort port, int timeout_ms);
bool net_setnonblock(uint sock, bool enable);
int sendstr(short sock, const char *str);
char *decimalip(unsigned int ip);


int main(int argc, char **argv)
{
uint connect_ip;
uint sock;

    printf("welcome to kdl_computer\n");
    printf("DNS lookup in progress...\n");

    connect_ip = net_dnslookup("www.google.com");

    printf("connecting to %s:80...\n", decimalip(connect_ip), 80);
    sock = connect_tcp(connect_ip, 80, 5000);
    if (!sock)
    {
        fprintf(stderr, "failed to connect to host");
        return 1;
    }

    printf("connected, sending request...\n");

    sendstr(sock, "GET / HTTP/1.1\r\n");
    sendstr(sock, "\r\n");

    printf("\n************************************\n");
    printf("* Prepare to die...                *\n");
    printf("************************************\n");

    char *buffer = (char *)42;
    int size = recv(sock, buffer, sizeof(buffer), 0);


    printf("\nif you're seeing this, your system has unfortunately failed to KDL.\n");
    printf("sorry buddy, looks like you're out of luck.\n");
    printf("received size = %d\n", size);

    return 0;
}


/*
void c------------------------------() {}
*/

// convert a hostname to an IP address via DNS.
unsigned int net_dnslookup(const char *host)
{
struct hostent *hosten;
unsigned long ip;

    printf("Resolving '%s' via DNS...\n", host);

    // attempt to resolve the hostname via DNS
    hosten = gethostbyname(host);
    if (hosten == NULL)
    {
        fprintf(stderr, "dnslookup: failed to resolve host: '%s'.", host);
        return 0;
    }
    else
    {
        memcpy((char*)&ip, hosten->h_addr_list[0], 4);
        return ntohl(ip);
    }
}

// attempts to connect to ip:port, and returns the new socket number if successful,
// else returns 0.
uint connect_tcp(uint ip, ushort port, int timeout_ms)
{
int conn_socket, result;
bool connected;
bool use_timeout;
struct sockaddr_in sain;

    if (!(conn_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)))
    {
        fprintf(stderr, "connect_tcp: Failed to create socket.\n");
        return 1;
    }

    net_setnonblock(conn_socket, true);

    sain.sin_addr.s_addr = htonl(ip);
    sain.sin_port = htons(port);
    sain.sin_family = AF_INET;

    #define TICK_BASE       10
    connected = false;
    use_timeout = timeout_ms != 0;

    for(;;)
    {
        result = connect(conn_socket, (struct sockaddr *)&sain, sizeof(struct sockaddr_in));

        if (errno == EISCONN || result != -1)
        {
            connected = true;
            break;
        }

        if (errno == EINTR) break;

        if (use_timeout)
        {
            if (timeout_ms >= 0)
            {
                usleep(TICK_BASE * 1000);
                timeout_ms -= TICK_BASE;
            }
            else break;
        }
    }

    net_setnonblock(conn_socket, false);

    if (connected)
    {
        return conn_socket;
    }

    close(conn_socket);
    return 0;
}


// set a socket to blocking or non-blocking mode.
bool net_setnonblock(uint sock, bool enable)
{
long fvalue;

    if ((fvalue = fcntl(sock, F_GETFL, NULL)) < 0)
    {
        fprintf(stderr, "net_setnonblock: Error fcntl(..., F_GETFL) (%s)", strerror(errno));
        return 1;
    }

    if (enable)
        fvalue |= O_NONBLOCK;
    else
        fvalue &= ~O_NONBLOCK;

    if (fcntl(sock, F_SETFL, fvalue) < 0)
    {
        fprintf(stderr, "net_setnonblock: Error fcntl(..., F_SETFL) (%s)", strerror(errno));
        return 1;
    }

    return 0;
}

// transmit a string out a socket.
int sendstr(short sock, const char *str)
{
    return send(sock, str, strlen(str), 0);
}

// convert a ipv4 address into display representation.
char *decimalip(unsigned int ip)
{
static char buffer[800];
    sprintf(buffer, "%d.%d.%d.%d",
                (ip>>24)&255, (ip>>16)&255, (ip>>8)&255, ip&255);
    return buffer;
}