Add a ND_BYTES_AVAILABLE_AFTER() macro to find the number of bytes
available in the captured data, starting at the byte pointed to by the
argument. It returns a u_int rather than a ptrdiff_t, so it'll be
32 bits on LP64 and LLP64 platforms as well as on ILP32 platforms. Use
that macro.
Make size-of-buffer arguments size_t.
Cast some size_t and ptrdiff_t values to u_int or int.
The exceptions are currently:
Some EXTRACT_ in print-juniper.c, not used on packet buffer pointer.
An EXTRACT_BE_U_3 in addrtoname.c, not always used on packet buffer
pointer.
Some versions of the MSVC runtime library have a non-C99-compliant
vsnprintf(), which we want to avoid. On Windows, use snprintf() and
vsnprintf() for VS 2015 and later, where they both exist in
C99-compliant forms, and wrap _{v}snprintf_s() otherwise (they're
guaranteed to do the null termination that we want).
This can prevent bizarre failures if, for example, you've done a
configuration in the top-level source directory, leaving behind one
config.h file, and then do an out-of-tree build in another directory,
with different configuration options. This way, we always pick up the
same config.h, in the build directory.
Now all the macros have a name meaning a count in bytes.
With _S_: signed, _U_: unsigned
e.g.:
EXTRACT_BE_32BITS -> EXTRACT_BE_U_4
EXTRACT_LE_32BITS -> EXTRACT_LE_U_4
...
EXTRACT_BE_INT32 -> EXTRACT_BE_S_4
and have:
EXTRACT_8BITS -> EXTRACT_U_1
EXTRACT_INT8 -> EXTRACT_S_1
This fixes a buffer over-read discovered by Kamil Frankowicz.
Don't pass the remaining caplen - that's too hard to get right, and we
were getting it wrong in at least one case; just use ND_TTEST().
Add a test using the capture file supplied by the reporter(s).
The source code comment explains it should fall through but GCC does not
pick it up, that's what the new macro is for.
./print-fr.c: In function ‘mfr_print’:
./print-fr.c:510:20: warning: this statement may fall through [-Wimplicit-fallthrough=]
if (ie_len == sizeof(struct timeval)) {
^
./print-fr.c:521:13: note: here
case MFR_CTRL_IE_VENDOR_EXT:
^~~~
Brian Carpenter had found that regardless of CVE-2016-8575 q933_print()
still could overread the buffer trying to parse a short packet. This
change fixes the problem.
In ethertype_print(), isoclns_print() and snap_print() adjust the length
arithmetics along the same lines as for ether_print() in the previous
commit. Where done, the current pointer is not greater than snapend so
that the difference (i.e. caplen) is never negative.
This does not fix a reported issue but the problem was very likely to be
there.
If a protocol that runs under a link-layer protocol would print the
link-layer addresses for the packet as source and destination addresses
for the packet, don't have it blithely assume those link-layer addresses
are present or are at a particular offset from the beginning of that
protocol's data; Ethertypes, for example, are used by a number of
protocols, not all of which have Ethernet headers and not all of which
have any MAC headers.
Instead, pass the printers for those protocols structures with a pointer
to the address data and a pointer to a routine that prints the address.
Fixes some heap overflows found with American Fuzzy Lop by Hanno Böck.
Check the packet length and the snapshot length as we parse the packet.
Extract each field as we go.
Support arbitrary call reference lengths, 0 to 15 octets.
Handle single-octet IEs correctly - don't look for a length.
Handle both locking and non-locking shifts correctly. Don't assume that
the first octet after the message type is a shift and contains a
codeset. We were doing that, meaning that we tended to think codeset 1
was being used (by misparsing an IE with a code of 0x51 as a shift to
codeset 1) when it wasn't - codeset 0 was being used; correctly handle
codeset 0.
with the tag '\summary:' for greping.
Remark: Currently some printers have no summary line.
Moreover:
Summarize all printers with a single line in INSTALL.txt
Don't print LLC header information for SNAP packets; if we have a SNAP
header, just call snap_print() and return its return value, regardless
of whether it's 1 or 0, don't fall into the code to print raw LLC header
information - and don't print it with -e, either.
If llc_print() returns 0, just call the default packet printer, don't
print the MAC-layer header or the extracted ethertype - llc_print() will
print the source and destination MAC addresses and whatever type
information is in the LLC or SNAP headers.
If we don't know the DSAP/LSAP, and it's an information frame (numbered
or not) and not an XID frame, return 0, so that we give a hex dump of
the raw payload.
In addition, print the length when printing SNAP header information with
-e.
The purpose of this macro was to enable the file-by-file switch to NDO,
after which only tcpdump.c had a use of it and the definitions guarded
by it. Update tcpdump.c not to require them any more and dismiss the
unused definitions.
