diff options
author | Francois-Xavier Le Bail <devel.fx.lebail@orange.fr> | 2018-09-22 16:20:43 +0200 |
---|---|---|
committer | Francois-Xavier Le Bail <devel.fx.lebail@orange.fr> | 2018-09-22 16:25:59 +0200 |
commit | bbe15da782ef74dd29feea6e3ea0f2f7d47b4697 (patch) | |
tree | 1628a2d20e4204e278085d9bb9c742b930ad4432 /print-sl.c | |
parent | dcea6d0284176e8940ca7b92559403b4eab6b4bd (diff) | |
download | tcpdump-bbe15da782ef74dd29feea6e3ea0f2f7d47b4697.tar.gz |
SLIP: Add some bounds checks
This should fix GitHub issues #676 and #677.
Diffstat (limited to 'print-sl.c')
-rw-r--r-- | print-sl.c | 34 |
1 files changed, 24 insertions, 10 deletions
@@ -51,8 +51,8 @@ static u_int lastlen[2][256]; static u_int lastconn = 255; -static void sliplink_print(netdissect_options *, const u_char *, const struct ip *, u_int); -static void compressed_sl_print(netdissect_options *, const u_char *, const struct ip *, u_int, int); +static int sliplink_print(netdissect_options *, const u_char *, const struct ip *, u_int); +static int compressed_sl_print(netdissect_options *, const u_char *, const struct ip *, u_int, int); u_int sl_if_print(netdissect_options *ndo, @@ -74,7 +74,10 @@ sl_if_print(netdissect_options *ndo, ip = (const struct ip *)(p + SLIP_HDRLEN); if (ndo->ndo_eflag) - sliplink_print(ndo, p, ip, length); + if (sliplink_print(ndo, p, ip, length) == -1) { + nd_print_trunc(ndo); + return (caplen + SLIP_HDRLEN); + } if (caplen < 1) { nd_print_trunc(ndo); @@ -123,7 +126,7 @@ sl_bsdos_if_print(netdissect_options *ndo, return (SLIP_HDRLEN); } -static void +static int sliplink_print(netdissect_options *ndo, const u_char *p, const struct ip *ip, u_int length) @@ -154,7 +157,7 @@ sliplink_print(netdissect_options *ndo, for (i = SLX_CHDR; i < SLX_CHDR + CHDR_LEN - 1; ++i) ND_PRINT("%02x.", EXTRACT_U_1(p + i)); ND_PRINT("%02x: ", EXTRACT_U_1(p + SLX_CHDR + CHDR_LEN - 1)); - return; + return 0; } switch (EXTRACT_U_1(p + SLX_CHDR) & 0xf0) { @@ -172,9 +175,11 @@ sliplink_print(netdissect_options *ndo, ND_PRINT("utcp %u: ", lastconn); if (dir == -1) { /* Direction is bogus, don't use it */ - return; + return 0; } + ND_TCHECK_SIZE(ip); hlen = IP_HL(ip); + ND_TCHECK_SIZE((const struct tcphdr *)&((const int *)ip)[hlen]); hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]); lastlen[dir][lastconn] = length - (hlen << 2); break; @@ -182,15 +187,19 @@ sliplink_print(netdissect_options *ndo, default: if (dir == -1) { /* Direction is bogus, don't use it */ - return; + return 0; } if (EXTRACT_U_1(p + SLX_CHDR) & TYPE_COMPRESSED_TCP) { - compressed_sl_print(ndo, p + SLX_CHDR, ip, - length, dir); + if (compressed_sl_print(ndo, p + SLX_CHDR, ip, + length, dir) == -1) + goto trunc; ND_PRINT(": "); } else ND_PRINT("slip-%u!: ", EXTRACT_U_1(p + SLX_CHDR)); } + return 0; +trunc: + return -1; } static const u_char * @@ -226,7 +235,7 @@ print_sl_winchange(netdissect_options *ndo, return (cp); } -static void +static int compressed_sl_print(netdissect_options *ndo, const u_char *chdr, const struct ip *ip, u_int length, int dir) @@ -274,8 +283,13 @@ compressed_sl_print(netdissect_options *ndo, * 'cp - chdr' is the length of the compressed header. * 'length - hlen' is the amount of data in the packet. */ + ND_TCHECK_SIZE(ip); hlen = IP_HL(ip); + ND_TCHECK_SIZE((const struct tcphdr *)&((const int32_t *)ip)[hlen]); hlen += TH_OFF((const struct tcphdr *)&((const int32_t *)ip)[hlen]); lastlen[dir][lastconn] = length - (hlen << 2); ND_PRINT(" %u (%ld)", lastlen[dir][lastconn], (long)(cp - chdr)); + return 0; +trunc: + return -1; } |