Builds using Autotools or CMake generate config.h, thus remove the
'#ifdef HAVE_CONFIG_H'/'#endif'.
Remove also the 'add_definitions(-DHAVE_CONFIG_H)' in CMakeLists.txt.
This both saves the buffer for freeing later and saves the packet
pointer and snapend to be restored when packet processing is complete,
even if an exception is thrown with longjmp.
This means that the hex/ASCII printing in pretty_print_packet()
processes the packet data as captured or read from the savefile, rather
than as modified by the PPP printer, so that the bounds checking is
correct.
That fixes CVE-2024-2397, which was caused by an exception being thrown
by the hex/ASCII printer (which should only happen if those routines are
called by a packet printer, not if they're called for the -X/-x/-A
flag), which jumps back to the setjmp() that surrounds the packet
printer. Hilarity^Winfinite looping ensues.
Also, restore ndo->ndo_packetp before calling the hex/ASCII printing
routine, in case nd_pop_all_packet_info() didn't restore it.
The last release of BSD/OS was more than 20 years ago, so remove all
bits specific to building tcpdump on it, mainly ppp_bsdos_if_print(),
which has been a no-op on platforms other than BSD/OS. Restoring the
function would not be practicable because in addition to the generic bit
rot it uses SLC_DIR, SLC_LLHL, SLC_BPFHDRLEN, SLC_CHL and struct
ppp_header, none of which appear in FreeBSD or illumos or Linux or
NetBSD or OpenBSD. This is why protocol decoders should not depend on
OS-specific headers.
See also commit 4729260.
The lengths will be printed at the beginning of the line or after the
packet number, if any.
'caplen' is the captured length.
'len' is the original (on wire) length.
Examples
1) With -#n
1 caplen 80 len 98 14:41:53.503612 IP 192.168.1.11.43966 > [...]
2) With -n
caplen 80 len 98 14:43:38.185603 IP 192.168.1.11.43966 > [...]
Add a test file with one packet not truncated, the other truncated.
[skip ci]
As Guy Harris points out in bug report GH #1022, the function has been a
busy no-op since commit e6c39e6 in 2010. While at it, fixup the Python
code to work on Python 3:
for i in range(len(crc_table)/8):
TypeError: 'float' object cannot be interpreted as an integer
Have nd_push_buffer() take a snapshot length, not a snapshot end, as
its last argument.
Replace nd_push_snapend() and nd_change_snapend() with nd_push_snaplen()
and nd_change_snaplen(), both of which take a pointer into the packet
buffer and snapshot length relative to that pointer as arguments. Have
those routines check the snapshot length to make sure it's not bigger
than the number of bytes in the packet past the pointer, and silently
ignore the requst if it is.
Using a length rather than a pointer avoids the possibility of the
calculation of the snapshot end overflowing and resulting in a snapshot
end *before* the point in the buffer.
Add a test for this, with a capture file containing an IPv6 packet with
an extremely large "jumbo" packet size.
Revert the "Make sure we don't set the snapend before the beginning of
the packet." changes, as they no longer apply with this change (which
also makes sure we don't set the snapend before the beginning of the
packet).
If a caller attempts to set it after the current snapend, just silently
ignore the attempt.
If they try to set it before the beginning of the packet, report it as a
bug and quit dissection. Add a new setjmp() return value meaning "bug"
rather than "truncated packet", add an "nd_bug_longjmp()" routine for
reporting bugs where we should quit dissecting, and use that in this
case.
Don't pad the pflog header with BPF_WORDALIGN(); round up to a multiple
of 4, instead, as that's what all but FreeBSD do, and FreeBSD used to do
that and should go back to doing so (kern/261566).
Don't rely on the OS's pflog include files to define direction types,
reason types, action types, or the layout of the header; instead, define
them ourselves in a header of our own, with #ifs to select the ones that
are only on some platforms. That way, it'll handle some fields and
field values (the ones common to all OSes with pflog) on all OSes, even
ones without pflog.
That also expands the set of direction, reason, and action codes to what
various *BSDs and Darwin support.
Also, handle all the different AF_INET6 values in various *BSDs and
Darwin.
It prints now, by default, also the static functions names.
To configure the printing of only the global functions names, as before:
$ make instrument_global
To go back to print all the functions names:
$ make instrument_all
In case of truncation, the indentation level is reset to its previous
level in pretty_print_packet().
[skip ci]
This should help some debugging processes.
Usage:
./configure --enable-instrument-functions
Generate instrumentation calls for entry and exit to functions.
Just after function entry and just before function exit, these
profiling functions are called and print the function names with
indentation and call level.
To instument a static function, remove temporarily the static specifier.
In case of truncation, the indentation level is reset currently to 1 in
pretty_print_packet(), main is level 0.
New option `--print-sampling=NTH` will parse and print every NTH packet,
with all other packets producing no output. This option enables
`--print` and `-S` flags.
Print sampling is useful for real-time inspection of an interface with
a high packet rate, or initial inspection of large capture files.
With these changes tcpdump passes "CFLAGS=-Werror make" on OpenBSD 6.8
AMD64, so build.sh has one less reason to fail.
gcc (GCC) 4.2.1 20070719
(also from OpenBSD clang version 10.0.1 with different wording)
./addrtoname.c: In function 'etheraddr_string':
./addrtoname.c:605: warning: passing argument 2 of 'ether_ntohost'
discards qualifiers from pointer target type
./addrtoname.c: In function 'init_etherarray':
./addrtoname.c:980: warning: passing argument 2 of 'ether_ntohost'
discards qualifiers from pointer target type
./print.c: In function 'pretty_print_packet':
./print.c:389: warning: passing argument 2 of 'ts_print' from
incompatible pointer type
./bpf_dump.c:34: warning: no previous prototype for 'bpf_dump'
Also rename 'ndo_truncated' to 'ndo_early_end'.
The current case (truncated packet) uses ND_TRUNCATED value.
Prepare to add other cases when the current packet cannot be processed
any more ('Invalid' cases, etc.).
All the link-layer dissectors are now void functions.
All the functions were moved to the void_printers[] array.
Rename this array to printers[].
Remove the uint_printers[] array, now empty.
Remove the 'ndo_void_printer' flag field, now useless, from
netdissect_options.
Remove other transitional code.
DLT_LANE8023 was never defined in libpcap.
It was, perhaps, defined in some SuSE libpcap update, but no evidence
of this.
It is not defined in OpenSuSE Leap 15.2 (information from Guy).
brcm_tag_if_print()
brcm_tag_prepend_if_print()
dsa_if_print()
edsa_if_print()
ether_if_print()
netanalyzer_if_print()
netanalyzer_transparent_if_print()
Update ether_print(), ether_common_print() and ether_switch_tag_print()
to void functions.
Add a flag parameter to ether_print(), ether_common_print() and
ether_switch_tag_print() to increment the link-layer header length field
of the netdissect_options when needed.
The calls use TRUE when the return value of the funtions was used.
The calls with FALSE avoid increments when the calls are nested.
Moreover:
Remove trailing "_if" from some protocol names.
Moreover:
Merge ppi_if_print() and ppi_print() in one function.
Remove two useless ND_TCHECK_ tests (GET_ used).
Remove a no longer used 'trunc' label.
Moreover:
Remove trailing "_if" from protocol name.
Remove a useless ND_TCHECK_4 test (GET_HE_U_4 used).
Remove a no longer used 'trunc' label.
Use uint32_t type for family in null_hdr_print().
