Development/Canary

Canary and Guard Pages in Wireshark

In order to help detect memory over- and under-flows in (se_ and ep_) (emem is dead!) (ememify) allocated memory, Wireshark now places canary values (e.g., a gap or no-mans-land) after each allocation. When the memory is later freed, the canary values are checked to make sure that they haven't been changed. If they have, then someone has written past the memory that they allocated. See also stackguard.

In addition, guard pages are placed before and after each block of memory. These are entire pages of memory that are mprotect()'d against writes so that if the page is written to (because someone went way beyond the end of their allocated memory), Wireshark will get a memory access violation (and hopefully dump core for post-mortem analysis).

With the guard pages in place, memory allocations now look like:

  +----+--------+---+--------+---+--------+---+-------+----+
  | gp | alloc1 | c | alloc2 | c | alloc3 | c |  ...  | gp |
  +----+--------+---+--------+---+--------+---+-------+----+

("gp" = guard page, "allocn" = allocated memory, "c" = canary).

What should I do if Wireshark detects such a canary violation?

If Wireshark exits stating "Per-packet memory corrupted." and exits (possibly leaving a core file (on *NIX, anyway) that points to epan/emem.c around line 600), then Wireshark detected a canary violation. If you're not a developer, you're not compiling Wireshark yourself, or you don't have the time to debug the issue yourself, please open a bug and attach a (preferrably small) capture file that exhibits the problem.

If you can debug the issue yourself, the best thing to do (again, on Linux, anyway) is to:

Intense Canary Checking

Intense Canary Checking is a feature in emem that checks often for canary corruption to pinpoint where it was and crash earlier. Hopefully while the corruptor is still in the stack. To enable it:

If corruption is found Wireshark aborts printing the prior and the failing check locations. Hopefully when this checks fail it stops running while the corruptor is still in the stack.

To place checks in the code just add  EP_CHECK_CANARY("my location: %s",location_string);  where adequate.

Enjoy Hunting!


Imported from https://wiki.wireshark.org/Development/Canary on 2020-08-11 23:12:41 UTC