author | Guy Harris <guy@alum.mit.edu> | 2014-11-11 15:51:54 -0800 |
---|---|---|
committer | Guy Harris <guy@alum.mit.edu> | 2014-11-18 12:29:56 -0800 |
commit | 79f375dbf422654656a7ab1e0ff508cb3e9955b3 (patch) | |
tree | a01ba013ec1e951d3e172a2767b6860cf1c39e72 | |
parent | e49c9b9fc43e93ca402ec7517aa55a27252eca92 (diff) | |
download | tcpdump-79f375dbf422654656a7ab1e0ff508cb3e9955b3.tar.gz |
Do bounds checking and length checking.
Don't run past the end of the captured data, and don't run past the end
of the packet (i.e., don't make the length variable go negative).
-rw-r--r-- | print-geonet.c | 270 |
1 files changed, 151 insertions, 119 deletions
diff --git a/print-geonet.c b/print-geonet.c
index d902066e..edfb7f2d 100644
--- a/print-geonet.c
+++ b/print-geonet.c
@@ -56,16 +56,12 @@ static const struct tok msg_type_values[] = { static void print_btp_body(netdissect_options *ndo, - const u_char *bp, u_int length) + const u_char *bp) { int version; int msg_type; const char *msg_type_str; - if (length <= 2) { - return; - } - /* Assuming ItsDpuHeader */ version = bp[0]; msg_type = bp[1];
@@ -83,7 +79,7 @@ print_btp(netdissect_options *ndo, ND_PRINT((ndo, "; BTP Dst:%u Src:%u", dest, src)); } -static void +static int print_long_pos_vector(netdissect_options *ndo, const u_char *bp) {
@@ -91,10 +87,13 @@ print_long_pos_vector(netdissect_options *ndo, ND_PRINT((ndo, "GN_ADDR:%s ", linkaddr_string (ndo, bp, 0, GEONET_ADDR_LEN))); + if (!ND_TTEST2(*(bp+12), 8)) + return (-1); lat = EXTRACT_32BITS(bp+12); ND_PRINT((ndo, "lat:%d ", lat)); lon = EXTRACT_32BITS(bp+16); ND_PRINT((ndo, "lon:%d", lon)); + return (0); } 
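Review bot: With the `if (length <= 2)` guard removed, print_btp_body reads `bp[0]` and `bp[1]` unconditionally and now depends entirely on its caller having verified that two captured bytes are present; the only visible caller does `ND_TCHECK2(*bp, 2)` first, but nothing at the function records that. A short precondition comment above the signature would keep the next caller from reintroducing the over-read: `/* Caller must ensure at least 2 captured bytes at bp (e.g. ND_TCHECK2(*bp, 2)). */`. The rest of print_btp_body's body runs past the hunk, so whether `version` is used further down cannot be seen here.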
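Review bot: The new `ND_TTEST2(*(bp+12), 8)` protects only the lat and lon extractions, while the `linkaddr_string (ndo, bp, 0, GEONET_ADDR_LEN)` call just above it still reads GEONET_ADDR_LEN bytes at bp with no capture-length check, so a capture cut off inside the GN_ADDR field is still read past the snapshot end before the new test is reached. Since the function now has a -1 return that the caller turns into the truncation message, the same pattern can guard the address too, placed before the GN_ADDR ND_PRINT: `if (!ND_TTEST2(*bp, GEONET_ADDR_LEN)) return (-1);`. print_long_pos_vector's opening and the declarations of lat and lon lie outside the hunk.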
@@ -105,137 +104,170 @@ print_long_pos_vector(netdissect_options *ndo, void geonet_print(netdissect_options *ndo, const u_char *eth, const u_char *bp, u_int length) { + int version; + int next_hdr; + int hdr_type; + int hdr_subtype; + uint16_t payload_length; + int hop_limit; + const char *next_hdr_txt = "Unknown"; + const char *hdr_type_txt = "Unknown"; + int hdr_size = -1; + ND_PRINT((ndo, "GeoNet src:%s; ", etheraddr_string(ndo, eth+6))); - if (length >= 36) { - /* Process Common Header */ - int version = bp[0] >> 4; - int next_hdr = bp[0] & 0x0f; - int hdr_type = bp[1] >> 4; - int hdr_subtype = bp[1] & 0x0f; - uint16_t payload_length = EXTRACT_16BITS(bp+4); - int hop_limit = bp[7]; - const char *next_hdr_txt = "Unknown"; - const char *hdr_type_txt = "Unknown"; - int hdr_size = -1; + /* Process Common Header */ + if (length < 36) + goto malformed; + + ND_TCHECK2(*bp, 7); + version = bp[0] >> 4; + next_hdr = bp[0] & 0x0f; + hdr_type = bp[1] >> 4; + hdr_subtype = bp[1] & 0x0f; + payload_length = EXTRACT_16BITS(bp+4); + hop_limit = bp[7]; - switch (next_hdr) { - case 0: next_hdr_txt = "Any"; break; - case 1: next_hdr_txt = "BTP-A"; break; - case 2: next_hdr_txt = "BTP-B"; break; - case 3: next_hdr_txt = "IPv6"; break; - } + switch (next_hdr) { + case 0: next_hdr_txt = "Any"; break; + case 1: next_hdr_txt = "BTP-A"; break; + case 2: next_hdr_txt = "BTP-B"; break; + case 3: next_hdr_txt = "IPv6"; break; + } - switch (hdr_type) { - case 0: hdr_type_txt = "Any"; break; - case 1: hdr_type_txt = "Beacon"; break; - case 2: hdr_type_txt = "GeoUnicast"; break; - case 3: switch (hdr_subtype) { - case 0: hdr_type_txt = "GeoAnycastCircle"; break; - case 1: hdr_type_txt = "GeoAnycastRect"; break; - case 2: hdr_type_txt = "GeoAnycastElipse"; break; - } - break; - case 4: switch (hdr_subtype) { - case 0: hdr_type_txt = "GeoBroadcastCircle"; break; - case 1: hdr_type_txt = "GeoBroadcastRect"; break; - case 2: hdr_type_txt = "GeoBroadcastElipse"; break; - } - break; - case 5: 
switch (hdr_subtype) { - case 0: hdr_type_txt = "TopoScopeBcast-SH"; break; - case 1: hdr_type_txt = "TopoScopeBcast-MH"; break; - } - break; - case 6: switch (hdr_subtype) { - case 0: hdr_type_txt = "LocService-Request"; break; - case 1: hdr_type_txt = "LocService-Reply"; break; - } - break; - } + switch (hdr_type) { + case 0: hdr_type_txt = "Any"; break; + case 1: hdr_type_txt = "Beacon"; break; + case 2: hdr_type_txt = "GeoUnicast"; break; + case 3: switch (hdr_subtype) { + case 0: hdr_type_txt = "GeoAnycastCircle"; break; + case 1: hdr_type_txt = "GeoAnycastRect"; break; + case 2: hdr_type_txt = "GeoAnycastElipse"; break; + } + break; + case 4: switch (hdr_subtype) { + case 0: hdr_type_txt = "GeoBroadcastCircle"; break; + case 1: hdr_type_txt = "GeoBroadcastRect"; break; + case 2: hdr_type_txt = "GeoBroadcastElipse"; break; + } + break; + case 5: switch (hdr_subtype) { + case 0: hdr_type_txt = "TopoScopeBcast-SH"; break; + case 1: hdr_type_txt = "TopoScopeBcast-MH"; break; + } + break; + case 6: switch (hdr_subtype) { + case 0: hdr_type_txt = "LocService-Request"; break; + case 1: hdr_type_txt = "LocService-Reply"; break; + } + break; + } + + ND_PRINT((ndo, "v:%d ", version)); + ND_PRINT((ndo, "NH:%d-%s ", next_hdr, next_hdr_txt)); + ND_PRINT((ndo, "HT:%d-%d-%s ", hdr_type, hdr_subtype, hdr_type_txt)); + ND_PRINT((ndo, "HopLim:%d ", hop_limit)); + ND_PRINT((ndo, "Payload:%d ", payload_length)); + if (print_long_pos_vector(ndo, bp + 8) == -1) + goto trunc; - ND_PRINT((ndo, "v:%d ", version)); - ND_PRINT((ndo, "NH:%d-%s ", next_hdr, next_hdr_txt)); - ND_PRINT((ndo, "HT:%d-%d-%s ", hdr_type, hdr_subtype, hdr_type_txt)); - ND_PRINT((ndo, "HopLim:%d ", hop_limit)); - ND_PRINT((ndo, "Payload:%d ", payload_length)); - print_long_pos_vector(ndo, bp + 8); + /* Skip Common Header */ + length -= 36; + bp += 36; - /* Skip Common Header */ - length -= 36; - bp += 36; + /* Process Extended Headers */ + switch (hdr_type) { + case 0: /* Any */ + hdr_size = 0; + break; + case 
1: /* Beacon */ + hdr_size = 0; + break; + case 2: /* GeoUnicast */ + break; + case 3: switch (hdr_subtype) { + case 0: /* GeoAnycastCircle */ + break; + case 1: /* GeoAnycastRect */ + break; + case 2: /* GeoAnycastElipse */ + break; + } + break; + case 4: switch (hdr_subtype) { + case 0: /* GeoBroadcastCircle */ + break; + case 1: /* GeoBroadcastRect */ + break; + case 2: /* GeoBroadcastElipse */ + break; + } + break; + case 5: switch (hdr_subtype) { + case 0: /* TopoScopeBcast-SH */ + hdr_size = 0; + break; + case 1: /* TopoScopeBcast-MH */ + hdr_size = 68 - 36; + break; + } + break; + case 6: switch (hdr_subtype) { + case 0: /* LocService-Request */ + break; + case 1: /* LocService-Reply */ + break; + } + break; + } - /* Process Extended Headers */ - switch (hdr_type) { + /* Skip Extended headers */ + if (hdr_size >= 0) { + if (length < (u_int)hdr_size) + goto malformed; + ND_TCHECK2(*bp, hdr_size); + length -= hdr_size; + bp += hdr_size; + switch (next_hdr) { case 0: /* Any */ - hdr_size = 0; - break; - case 1: /* Beacon */ - hdr_size = 0; - break; - case 2: /* GeoUnicast */ break; - case 3: switch (hdr_subtype) { - case 0: /* GeoAnycastCircle */ - break; - case 1: /* GeoAnycastRect */ - break; - case 2: /* GeoAnycastElipse */ - break; + case 1: + case 2: /* BTP A/B */ + if (length < 4) + goto malformed; + ND_TCHECK2(*bp, 4); + print_btp(ndo, bp); + length -= 4; + bp += 4; + if (length >= 2) { + /* + * XXX - did print_btp_body() + * return if length < 2 + * because this is optional, + * or was that just not + * reporting genuine errors? 
+ */ + ND_TCHECK2(*bp, 2); + print_btp_body(ndo, bp); } break; - case 4: switch (hdr_subtype) { - case 0: /* GeoBroadcastCircle */ - break; - case 1: /* GeoBroadcastRect */ - break; - case 2: /* GeoBroadcastElipse */ - break; - } - break; - case 5: switch (hdr_subtype) { - case 0: /* TopoScopeBcast-SH */ - hdr_size = 0; - break; - case 1: /* TopoScopeBcast-MH */ - hdr_size = 68 - 36; - break; - } - break; - case 6: switch (hdr_subtype) { - case 0: /* LocService-Request */ - break; - case 1: /* LocService-Reply */ - break; - } + case 3: /* IPv6 */ break; } - - /* Skip Extended headers */ - if (hdr_size >= 0) { - length -= hdr_size; - bp += hdr_size; - switch (next_hdr) { - case 0: /* Any */ - break; - case 1: - case 2: /* BTP A/B */ - print_btp(ndo, bp); - length -= 4; - bp += 4; - print_btp_body(ndo, bp, length); - break; - case 3: /* IPv6 */ - break; - } - } - } else { - ND_PRINT((ndo, "Malformed (small) ")); } /* Print user data part */ if (ndo->ndo_vflag) ND_DEFAULTPRINT(bp, length); + return; + +malformed: + ND_PRINT((ndo, " Malformed (small) ")); + /* XXX - print the remaining data as hex? */ + return; + +trunc: + ND_PRINT((ndo, "[|geonet]")); } |
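Review bot: `ND_TCHECK2(*bp, 7)` covers only bp[0] through bp[6], yet `hop_limit = bp[7]` a few lines below reads the eighth byte of the common header, so a capture that ends after exactly seven header bytes is still read past the snapshot end despite the new check; it should be `ND_TCHECK2(*bp, 8);`. Note that the `length < 36` test guards the on-the-wire length, not the captured length, so it does not compensate for the short check. The later checks in this hunk (`ND_TCHECK2(*bp, hdr_size)`, `ND_TCHECK2(*bp, 4)`, `ND_TCHECK2(*bp, 2)`) each match the bytes subsequently read and look correct.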