The loop can be executed more than once (that's kinda the whole point of
a loop), so the check has to be made each time through the loop, not
just once before the loop is executed.
Do some additional length checks while we're at it.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
tcpdump printout for TCP-MD5 is different depending on whether it was
compiled with or without the crypto support. This means a standard test
with TCP-MD5 will always fail at least one of the cases (with and
without). Replace the standard test with two custom tests and run the
test that should pass but skip the other.
Do bounds checking as we access items.
Scan the list of netinfo6 entries based on the supplied packet length,
without taking the captured length into account; let the aforementioned
bounds checking handle that.
This fixes a buffer over-read discovered by Kamil Frankowicz.
Add a test using the capture file supplied by the reporter(s).
Make sure that it always sends *endp before returning and that, for
invalid lengths where we don't like a character in the length string,
what it sets *endp to is past the character in question, so we don't
run the risk of infinitely looping (or doing something else random) if a
character in the length is invalid.
This fixes an infinite loop discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
The closest thing to a specification for the contents of the payload
data is draft-ietf-ipsec-notifymsg-04, and nothing in there says that it
is ever a complete ISAKMP message, so don't dissect types we don't have
specific code for as a complete ISAKMP message.
While we're at it, fix a comment, and clean up printing of V1 Nonce,
V2 Authentication payloads, and v2 Notice payloads.
This fixes an infinite loop discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
The arguments to memcpy() were completely wrong.
This fixes a buffer over-read discovered by Kamil Frankowicz.
Add a test using the capture file supplied by Brian 'geeknik' Carpenter.
Use ND_TTEST() rather than comparing against ndo->ndo_snapend ourselves;
it's easy to get the tests wrong.
Check for running out of packet data before checking for running out of
captured data, and distinguish between running out of packet data (which
might just mean "no more strings") and running out of captured data
(which means "truncated").
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
In RFC 1883, the Type 0 routing header had a 1-byte reserved field and a
3-byte strict/loose bit map; in RFC 2460, that changed to a 4-byte
reserved field.
This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter (by
making an ND_TCHECK() call check for the presence in the captured data
of all 4 bytes of the reserved field; we were printing it as a 4-byte
field, so we needed to check for them).
Add a test using the capture file supplied by the reporter(s).
rt6_print(), ah_print(), and esp_print() return -1 if they run up
against the end of the packet while dissecting; if that happens, stop
dissecting, don't try to fetch the next header value, because 1) *it*
might be past the end of the packet and 2) we won't be using it in any
case, as we'll be exiting the loop.
Also, change mobility_print() to return -1 if it runs up against the
end of the packet, and stop dissecting if it does so.
This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter.
Add tests using the capture files supplied by the reporter(s).
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add tests using the capture files supplied by the reporter(s).
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add tests using the capture files supplied by the reporter(s).
Otherwise, if, in our search of the hash table, we come across a byte
string that's shorter than the string we're looking for, we'll search
past the end of the string in the hash table.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
After we advance the pointer by the length value in the buffer, make
sure it points to something in the captured data.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
If we're skipping over padding before the *real* flags, check whether
the real flags are in the captured data before fetching it. This fixes
a buffer over-read discovered by Kamil Frankowicz.
Note one place where we don't need to do bounds checking as it's already
been done.
Add a test using the capture file supplied by the reporter(s).
Fix the bounds checking for the NFSv3 WRITE procedure to check whether the
length of the opaque data being written is present in the captured data,
not just whether the byte count is present in the captured data.
furthest forward in the packet, not the item before it. (This also lets
us eliminate the check for the "stable" argument being present in the
captured data; rewrite the code to print that to make it a bit clearer.)
Check that the entire ar_stat field is present in the capture.
Note that parse_wcc_attr() is called after we've already checked whether
the wcc_data is present.
Check before fetching the "access" part of the NFSv3 ACCESS results.
This fixes a buffer over-read discovered by Kamil Frankowicz.
Include a test for the "check before fetching the "access" part..." fix,
using the capture supplied by the reporter(s).
This fixes a buffer over-read discovered by Kamil Frankowicz.
Don't pass the remaining caplen - that's too hard to get right, and we
were getting it wrong in at least one case; just use ND_TTEST().
Add a test using the capture file supplied by the reporter(s).
Report if it's not, and don't use it as an out-of-bounds index into an
array.
This fixes a buffer overflow discovered by Wilfried Kirsch.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
safeputs() doesn't do packet bounds checking of its own; it assumes that
the caller has checked the availability in the packet data of all maxlen
bytes of data. This means we should check that we're within the
specified limit before looking at the byte.
This fixes a buffer over-read discovered by Kamil Frankowicz.
Add a test using the capture file supplied by the reporter(s).
Check whether the flags are in the captured data before printing them in
an MSTP BPDU.
Check whether V4 length is in the captured data before fetching it.
This fixes a vulnerability discovered by Kamil Frankowicz.
Include a test for the "check whether the V4 length is..." fix, using
the capture supplied by Kamil Frankowicz.
crypto.sh ran its tests as expected but only indicated a failure
upstream when the last test failed. Add necessary checks and modify
the other "complex" tests in a similar manner to make sure the same
bug does not creep into these scripts later. Fix some indentation
while at it.
These tests may be performed in an arbitrary time zone, so they *must*
run tcpdump with an option to print the time in a time-zone-independent
fashion. Force -t on in TESTonce, just as we do for -n, and remove it
from TESTLIST and the conditional test scripts.
Check the packet length as well as the captured length.
Don't have separate "non-verbose" and "verbose" cases, so we don't
duplicate the length checks.
Print the right value for some length check errors.
Clean up the TLV parsing code - keep parsing until we completely run out
of data, but make sure, before we look at the TLV header, that we
haven't run past the end of the packet as well as that we haven't run
past the end of the captured data.
In the OSI checksum routine:
Have it take an unsigned length, so we don't have to worry about it
being negative.
Use ND_TTEST2 to check whether the checksum offset is within the
bounds of the packet.
If we don't have all the packet data to checksum, just report
"unverified", don't return a "truncated" error.
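The two-length discipline these commit messages keep returning to (check the on-the-wire length before the captured length, and report "malformed" for the first and "truncated" for the second) applied to the TLV-walking loop described above, as an added illustration in C that is not tcpdump's own code; the TLV layout, the function names and the sample byte strings are assumptions constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { TLV_TRUNCATED = -1, TLV_MALFORMED = -2 };

/*
 * Walk a list of {type:1, len:1, value:len} TLVs (a constructed layout).
 * 'length' is the on-the-wire length the outer header declares for the
 * list, 'caplen' is how many of those bytes were actually captured.
 * Returns the TLV count, TLV_MALFORMED when the on-the-wire length runs
 * out mid-TLV, or TLV_TRUNCATED when only the capture runs out.
 */
int tlv_walk(const uint8_t *pkt, size_t length, size_t caplen, int verbose)
{
    size_t off = 0;   /* consumed so far; invariant: off <= length, off <= caplen */
    int count = 0;

    /* Keep parsing until the on-the-wire data is completely consumed. */
    while (off < length) {
        /* Packet length first: the header needs two bytes ... */
        if (length - off < 2)
            return TLV_MALFORMED;
        /* ... then captured length for those same two bytes (ND_TTEST2-style). */
        if (caplen - off < 2)
            return TLV_TRUNCATED;
        uint8_t type = pkt[off], vlen = pkt[off + 1];
        /* The value must fit in what the outer header says remains ... */
        if (vlen > length - off - 2)
            return TLV_MALFORMED;
        /* ... and in what was captured; a short capture is "truncated". */
        if (vlen > caplen - off - 2)
            return TLV_TRUNCATED;
        if (verbose)   /* reported length counts the type, length and value bytes */
            printf("TLV type %u, length %u\n", type, vlen + 2u);
        off += 2u + vlen;
        count++;
    }
    return count;
}

/* Constructed sample TLV lists, not taken from any real capture. */
const uint8_t TLV_OK[]       = { 1, 3, 'a', 'b', 'c', 2, 0 };
const uint8_t TLV_OVERLONG[] = { 1, 9, 'a' };
const uint8_t TLV_TRAILING[] = { 2, 0, 5 };

int main(void)
{
    printf("complete: %d\n", tlv_walk(TLV_OK, sizeof TLV_OK, sizeof TLV_OK, 1));
    printf("short capture: %d\n", tlv_walk(TLV_OK, sizeof TLV_OK, 4, 0));
    printf("overlong value: %d\n", tlv_walk(TLV_OVERLONG, 3, 3, 0));
    return 0;
}
```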
The draft-ietf-idr-shutdown-07 document specifies a mechanism to
transmit a short free form UTF-8 [RFC3629] message as part of a Cease
NOTIFICATION message [RFC4486] to inform the peer why the BGP session is
being shutdown or reset.
Hat tip to Peter van Dijk <peter.van.dijk@powerdns.com>
The function sig_print() did receive a correct caplen parameter value
but didn't use it correctly and could overread by one byte as Brian
Carpenter has demonstrated. Fix it by switching to the standard macros.
Kamil Frankowicz had found that truncated BE_STR and BE_SEQ ASN.1
elements could lead to an overread, from the source code it looked like
other ids could have this problem too. Move the checks introduced in
commit 72e501f out of the switch blocks to cover all ids by default.
This fixes GH#559 and GH#566.
Brian Carpenter had found that regardless of CVE-2016-8575 q933_print()
still could overread the buffer trying to parse a short packet. This
change fixes the problem.
In that function the "length" parameter means off-the-wire length, that
is, the length declared inside the outer header. The "caplen" parameter
means the amount of bytes actually available in the captured packet.
gre_print_0() and the functions modelled after it passed the value of
"length" instead of the value of "caplen", this could make ether_print()
access beyond the memory allocated for the captured packet. Brian
Carpenter had demonstrated this for the OTV case.
Fix the involved functions that call ether_print() to pass the correct
value and leave a comment to dismiss "caplen" later as its value can be
reliably derived from the other ether_print() parameters.
Interleave the bounds checking with printing to make it visible which
last protocol field was OK. This fixes a vulnerability discovered by
Brian Carpenter.
Add a few checks to ip6_print() to make it stop decoding the IPv6
headers immediately when the header-specific functions signal an error
condition. Without this it tried to fetch the next header selector for
the next round regardless and could run outside of the allocated packet
space on a specially crafted IPv6 packet.
Brian Carpenter has demonstrated this for the Hop-by-Hop Options header.
Fix that specific case and also the Destination Options and Fragment
header processing as those use the same logic.
As it was correctly pointed out in GitHub issue #516, the TCPOPT_TCPAO
(formerly TCPOPT_AUTH) case had an issue with option length processing,
though without significant consequences thanks to a check elsewhere.
Besides that, the old code (introduced in 2005) decoded a structure
similar to a proposed encoding variant of the early (first published in
2007) revisions of the Internet-Draft but different from the encoding
of RFC 5925 (published in 2010). These issues are now addressed and the
TCP option renamed to TCP-AO.
Edit the .pcap file to change the TCP option kind from 20 to 29 to
match the changes done to the decoder. Now the code flow and hence
the text output are back to how they were before that change.
Don't call strtol() on the contents of a packet; there is *no* guarantee
that it won't run past the end of the buffer, as the buffer isn't a
null-terminated string. Instead, have our own routine to parse ASCII
numbers (based on the FreeBSD strtol()), which uses ND_TCHECK() and
checks against the on-the-wire length to ensure it doesn't go past the
end of the packet or the end of the captured data. Have it check for
other errors as well, such as checking for negative lengths that aren't
-1.
Clean up other aspects of the packet parsing. Have them check the
on-the-wire length as well as the captured length.
Update the results of the resp_3 test.
Add two test files for these fixes.
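A strtol()-free length parser of the kind the commit above describes, which also satisfies the earlier rule that *endp is always set and, for a bad character, points past it so the caller cannot loop forever; this is an added example in C, not tcpdump's print-resp.c code, and the function names, result codes and constructed sample strings are assumptions.

```c
#include <limits.h>
#include <stdint.h>
#include <string.h>

enum { RESP_OK = 0, RESP_TRUNCATED = -1, RESP_INVALID = -2 };

/* Packet-length check first (malformed), captured-length check second
 * (truncated), as the commit messages above describe. Assumes i <= length, i <= caplen. */
static int have_bytes(size_t i, size_t n, size_t length, size_t caplen)
{
    if (length - i < n) return RESP_INVALID;
    if (caplen - i < n) return RESP_TRUNCATED;
    return RESP_OK;
}

/* Parse "<digits>\r\n" or "-1\r\n" at p without strtol(). length = bytes left
 * on the wire, caplen = bytes left in the capture. *endp is always set; after a
 * bad character it points past that character, so a caller cannot spin on it. */
int resp_parse_length(const uint8_t *p, size_t length, size_t caplen,
                      const uint8_t **endp, long *out)
{
    size_t i = 0, ndigits = 0;
    int neg = 0, rc;
    long val = 0;
    *endp = p;
    if ((rc = have_bytes(0, 1, length, caplen)) != RESP_OK) return rc;
    if (p[0] == '-') { neg = 1; i = 1; }
    for (;;) {
        if ((rc = have_bytes(i, 1, length, caplen)) != RESP_OK) { *endp = p + i; return rc; }
        uint8_t c = p[i];
        if (c == '\r') break;
        if (c < '0' || c > '9' || val > (LONG_MAX - 9) / 10) {
            *endp = p + i + 1;   /* step past the offending byte */
            return RESP_INVALID;
        }
        val = val * 10 + (c - '0');
        i++; ndigits++;
    }
    if ((rc = have_bytes(i, 2, length, caplen)) != RESP_OK) { *endp = p + i; return rc; }
    *endp = p + i + 2;           /* past "\r\n" (or past a bad byte in its place) */
    if (p[i + 1] != '\n' || ndigits == 0) return RESP_INVALID;
    if (neg && val != 1) return RESP_INVALID;   /* only -1 (null bulk string) is legal */
    *out = neg ? -1 : val;
    return RESP_OK;
}

/* Demo wrapper: strlen(s) plays the on-the-wire length, caplen the captured one. */
int parse_str(const char *s, size_t caplen, long *out, size_t *consumed)
{
    const uint8_t *p = (const uint8_t *)s, *end;
    int rc = resp_parse_length(p, strlen(s), caplen, &end, out);
    *consumed = (size_t)(end - p);
    return rc;
}
```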
Add more bounds checks in VAT, RTP and RTCP printers.
Moreover:
Add and use *_tstr[] strings.
Update the output of a test accordingly.
Remove spaces before tabs.
Use fn_printzp().
Moreover:
Add a missing comma in output.
Use ND_TCHECK_32BITS instead of ND_TTEST_32BITS.
Add a test for spb_bpduv4.pcap with verbose output.
They will always be usable with the upcoming libpcap versions' sanity checks.
pcap: old version: 12336.12336, new version: 2.4
pcap-ng: old version: 1.12336, new version: 1.0
It can't be told to stop at the end of the packet data. Add a
fn_printztn() that prints null-terminated strings, with a length check,
and which returns the number of bytes processed, or 0 if we ran out of
data. That means it does the scanning we need, but safely.
Use it in the TFTP and BOOTP printers.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
It might not be, either because an unusual hardware type is using ARP or
because a maliciously-constructed packet was sent. Instead of comparing
against a 6-octet string of zeros with memcmp(), check each octet of the
address against 0.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
The bounds checks fix some heap overflows found with American Fuzzy Lop
by Hanno Böck.
Add some ND_TTEST_/ND_TCHECK_ macros to extract.h to simplify writing
bounds checks for code that uses the other macros in that file.
Fix the printing of the SPB BPDU agreement digest - I don't think the
intent was to print the value of the first 4 bytes, that value + 4, that
value + 8, etc., I suspect it was to print the first 4 bytes, the next 4
bytes, etc.
Bad Things could happen, e.g. the dissector we call thinking it's been
handed an IPv6 header when we haven't handed it anything that large.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
Update some .out files to correspond to that change.
If a protocol that runs under a link-layer protocol would print the
link-layer addresses for the packet as source and destination addresses
for the packet, don't have it blithely assume those link-layer addresses
are present or are at a particular offset from the beginning of that
protocol's data; Ethertypes, for example, are used by a number of
protocols, not all of which have Ethernet headers and not all of which
have any MAC headers.
Instead, pass the printers for those protocols structures with a pointer
to the address data and a pointer to a routine that prints the address.
Fixes some heap overflows found with American Fuzzy Lop by Hanno Böck.
The changes associated with this commit introduce the IANA subtree
for LLDP and its first element, the MUDURL, as documented in
draft-ietf-opsawg-mud. This is similar to the changes made for
DHCP and DHCPv6.
[updated to use fn_printn]
Moreover:
Add test files with 'Simple Password', 'Keyed MD5' and
'Meticulous Keyed SHA1' authentications.
Update specification from draft to RFC 5881 for BFD_CONTROL_PORT and
BFD_ECHO_PORT in udp.h.
Add specification RFC 5881 in print-bfd.c.
This commit adds support for RESP as defined in: http://redis.io/topics/protocol.
It also supports inline commands and pipelining. Due to the popularity of RESP,
numerous services are emerging that use this protocol. You may decode RESP packets
on arbitrary ports using the "-T resp" option.
Example captures can be found in tests/resp_*.
A simple way to test this parser is to start redis-server and then run
redis-cli commands such as "redis-cli set key value".
Traditionally, redis-cli monitor is used to debug redis. Unfortunately,
the "monitor" command can cause significant load on a redis-server in
production. This parser may be used as a non-invasive alternative to
redis-cli monitor.
Process bits 29, 30, and 31 in code that's independent of what namespace
we're in:
If we're switching to the radiotap namespace, reset the bit numbers to
start back at 0.
If we're switching to a vendor namespace, get the vendor OUI and
subspace, and the skip length.
Keep track of which namespace we're in.
If we're *in* a vendor namespace, skip over the data specified by the
skip length (and reset it, as we've processed all the vendor namespace
data and, if there's a subsequent bitmap in the same namespace,
there's nothing more to process). Use cpack_align_and_reserve() to
skip that, so we check that we don't go past the end of the packet
data.
Fixes GitHub tcpdump issue #498.
This removes some bogus errors; update the test output to reflect that.
Reference: IEEE Std 802.3-2012
"If the value of this field is less than or equal to 1500 decimal
(05DC hexadecimal), then the Length/Type field indicates the number
of MAC client data octets contained in the subsequent MAC Client Data
field of the basic frame (Length interpretation)."
Update the output of a test accordingly.
Moreover:
Update reference from draft to RFC5171.
Add bounds and length checks.
Fix TLV length printout. It is the length of the type, length, and value
fields.
Filter out non-printable characters.
Print the Echo TLV with fn_printn(). Note: The format of this list of ID
pairs is not documented in the RFC.
Update the output of a test accordingly.
Add and use istr[] and tstr[] strings.
Comment on the TLV format.
Update some comments.
Moreover:
Add/fix a lot of bounds and length checks.
Add and use tstr[] string.
Fix some typos.
Update the output of a test according to these changes.
Fixing Travis CI build for LISP commit
Adding testcases for lisp notify and register
Fixing build warnings
Added ND_TCHECK for relevant headers
Fixing ND_TCHECK2 issues
Adding support for multiple LOC records for same EID entry
Fixing review issues, adding detailed tests
Adding support for verbose outputs
Adding RFC information for UDP PORT definition
Removing Spaces in type names
Print EID record related flags in verbose mode
Using tok2str
Fixing -Wpedantic issues
Negative testcases, Packet structure comments, verbose mode flag printing
Printing Map Version
Print auth_data, decouple type and xtr_present extraction, handle malformed packets correctly
Tests for latest code changes
Printing useful info in case not built with IPv6 support