tcpdump printout for TCP-MD5 is different depending on whether it was
compiled with or without the crypto support. This means a standard test
with TCP-MD5 will always fail at least one of the cases (with and
without). Replace the standard test with two custom tests and run that
test that should pass but skip the other.
Do bounds checking as we access items.
Scan the list of netinfo6 entries based on the supplied packet length,
without taking the captured length into account; let the aforementioned
bounds checking handle that.
This fixes a buffer over-read discovered by Kamil Frankowicz.
Add a test using the capture file supplied by the reporter(s).
Make sure that it always sends *endp before returning and that, for
invalid lengths where we don't like a character in the length string,
what it sets *endp to is past the character in question, so we don't
run the risk of infinitely looping (or doing something else random) if a
character in the length is invalid.
This fixes an infinite loop discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
The closest thing to a specification for the contents of the payload
data is draft-ietf-ipsec-notifymsg-04, and nothing in there says that it
is ever a complete ISAKMP message, so don't dissect types we don't have
specific code for as a complete ISAKMP message.
While we're at it, fix a comment, and clean up printing of V1 Nonce,
V2 Authentication payloads, and v2 Notice payloads.
This fixes an infinite loop discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
The arguments to memcpy() were completely wrong.
This fixes a buffer over-read discovered by Kamil Frankowicz.
Add a test using the capture file supplied by Brian 'geeknik' Carpenter.
Use ND_TTEST() rather than comparing against ndo->ndo_snapend ourselves;
it's easy to get the tests wrong.
Check for running out of packet data before checking for running out of
captured data, and distinguish between running out of packet data (which
might just mean "no more strings") and running out of captured data
(which means "truncated").
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
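The check ordering described above (packet length first, then captured length, with the two exhaustion cases reported differently), shown in an added example that is not tcpdump's code. It walks a constructed list of length-prefixed strings; `length` stands for the on-the-wire length taken from an enclosing header, `caplen` for how much of the packet the capture holds, and `TTEST_OFF()` is a constructed offset-based stand-in for tcpdump's `ND_TTEST()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for ND_TTEST(): true iff bytes [off, off+n) of the
 * packet lie within the captured data.  Written on offsets so that no
 * pointer past the buffer is ever formed. */
#define TTEST_OFF(caplen, off, n) ((off) <= (caplen) && (caplen) - (off) >= (n))

enum walk_status {
    WALK_OK = 0,          /* packet data exhausted: "no more strings"    */
    WALK_TRUNCATED = -1,  /* captured data exhausted first: "truncated"  */
    WALK_MALFORMED = -2   /* a string's length runs past the packet end  */
};

/* Walk a list of (1-byte length, bytes) strings, print each one, and store
 * the number found in *nitems.  The list occupies 'length' bytes of the
 * packet, of which only the first 'caplen' were captured. */
static int walk_strings(const uint8_t *pkt, size_t length, size_t caplen, int *nitems)
{
    size_t off = 0;
    int count = 0;

    for (;;) {
        /* 1. Out of packet data?  Then the list has simply ended. */
        if (off >= length)
            break;
        /* 2. Packet data remains but was not captured: truncated. */
        if (!TTEST_OFF(caplen, off, 1))
            return WALK_TRUNCATED;

        size_t slen = pkt[off];
        /* A string claiming to extend past the packet is malformed, not truncated. */
        if (length - off < 1 + slen)
            return WALK_MALFORMED;
        /* It fits the packet; now check that it was captured before reading it. */
        if (!TTEST_OFF(caplen, off + 1, slen))
            return WALK_TRUNCATED;

        printf("string[%d] = \"%.*s\"\n", count, (int)slen, (const char *)&pkt[off + 1]);
        off += 1 + slen;
        count++;
    }
    *nitems = count;
    return WALK_OK;
}

/* Convenience wrapper: number of strings on success, else the negative status. */
static int count_strings(const uint8_t *pkt, size_t length, size_t caplen)
{
    int n = 0;
    int st = walk_strings(pkt, length, caplen, &n);
    return st == WALK_OK ? n : st;
}

int main(void)
{
    /* Constructed packet: the strings "abc" and "xy". */
    static const uint8_t pkt[] = { 3, 'a', 'b', 'c', 2, 'x', 'y' };

    printf("full capture      -> %d\n", count_strings(pkt, sizeof pkt, sizeof pkt)); /* 2 */
    printf("snaplen 5         -> %d\n", count_strings(pkt, sizeof pkt, 5));          /* -1 */
    printf("header says 4 B   -> %d\n", count_strings(pkt, 4, sizeof pkt));          /* 1 */
    return 0;
}
```

Swapping checks 1 and 2 would report a list whose enclosing header ends before the snapshot length as "truncated", and dropping check 2 would read past the captured data whenever the snapshot is shorter than the packet, which is exactly the class of over-read these commits fix.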
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
In RFC 1883, the Type 0 routing header had a 1-byte reserved field and a
3-byte strict/loose bit map; in RFC 2460, that changed to a 4-byte
reserved field.
This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter (by
making an ND_TCHECK() call check for the presence in the captured data
of all 4 bytes of the reserved field; we were printing it as a 4-byte
field, so we needed to check for them).
Add a test using the capture file supplied by the reporter(s).
Don't fetch the length field from the header until after we've checked
for the existence of a field at or after that field.
(Found by code inspection, not by a capture.)
rt6_print(), ah_print(), and esp_print() return -1 if they run up
against the end of the packet while dissecting; if that happens, stop
dissecting, don't try to fetch the next header value, because 1) *it*
might be past the end of the packet and 2) we won't be using it in any
case, as we'll be exiting the loop.
Also, change mobility_print() to return -1 if it runs up against the
end of the packet, and stop dissecting if it does so.
This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter.
Add tests using the capture files supplied by the reporter(s).
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add tests using the capture files supplied by the reporter(s).
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add tests using the capture files supplied by the reporter(s).
Otherwise, if, in our search of the hash table, we come across a byte
string that's shorter than the string we're looking for, we'll search
past the end of the string in the hash table.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
After we advance the pointer by the length value in the buffer, make
sure it points to something in the captured data.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
If we're skipping over padding before the *real* flags, check whether
the real flags are in the captured data before fetching it. This fixes
a buffer over-read discovered by Kamil Frankowicz.
Note one place where we don't need to do bounds checking as it's already
been done.
Add a test using the capture file supplied by the reporter(s).
Fix the bounds checking for the NFSv3 WRITE procedure to check whether the
length of the opaque data being written is present in the captured data,
not just whether the byte count is present in the captured data.
furthest forward in the packet, not the item before it. (This also lets
us eliminate the check for the "stable" argument being present in the
captured data; rewrite the code to print that to make it a bit clearer.)
Check that the entire ar_stat field is present in the capture.
Note that parse_wcc_attr() is called after we've already checked whether
the wcc_data is present.
Check before fetching the "access" part of the NFSv3 ACCESS results.
This fixes a buffer over-read discovered by Kamil Frankowicz.
Include a test for the "check before fetching the "access" part..." fix,
using the capture supplied by the reporter(s).
This fixes a buffer over-read discovered by Kamil Frankowicz.
Don't pass the remaining caplen - that's too hard to get right, and we
were getting it wrong in at least one case; just use ND_TTEST().
Add a test using the capture file supplied by the reporter(s).
Prevent a possible buffer overread in chdlc_print() and replace the
custom check in chdlc_if_print() with a standard check in chdlc_print()
so that the latter certainly does not over-read even when reached via
juniper_chdlc_print(). Add length checks.
If it returns -1, it's an error; report the error.
If it returns 0, but the list is empty, that's not an error in
pcap_findalldevs(); report it explicitly as "no interfaces available for
capture".
[print-atalk.c:283]: (style) The scope of the variable 'c' can be
reduced.
[print-atalk.c:380]: (style) The scope of the variable 'c' can be
reduced.
[print-atalk.c:360]: (style) Variable 'c' is assigned a value that is
never used.
[print-forces.c:316] -> [print-forces.c:323]: (warning) Shifting 32-bit
value by 32767 bits is undefined behaviour. See condition at line 323.
[print-forces.c:316]: (error) Shifting by a negative value is undefined
behaviour
[print-syslog.c:98]: (style) Array index 'msg_off' is used before limits
check.
Even though this is a false positive in this specific case, let's not
have it around; this will make it less likely to miss a real one.
This change adds checks that were missing from the recent NTP code and
could cause a buffer over-read vulnerability (see earlier commits for
rationale).
Rename NTP_MSG_MINLEN to NTP_TIMEMSG_MINLEN for clarity and introduce and
use NTP_CTRLMSG_MINLEN. With this change ntp_control_print() can detect
invalid packets better.
In print-ntp.c:
Rename struct ntpdata into struct ntp_time_data and add new
struct ntp_control_data to map NTP Control messages.
Add figure of NTP Control Message Header as comment.
Add union ntpdata to provide a common view on NTP messages.
Rename ntp_print() to ntp_time_print(), using new structures.
Improve comment and re-arrange fields in ntp_print().
Add ntp_control_print() to handle NTP Control Messages.
Output R, E, M, OpCode, Sequence, Status, Assoc, Offset, and Count in
ntp_control_print().
A new ntp_print() will decode only the very basics (VN, LI and Mode)
to call ntp_time_print() or ntp_control_print(), depending on Mode.
poll() is a system API on UN*Xes, so calling a variable "poll" causes
"declaration of 'poll' shadows a global declaration" warnings in some
compilers. Call the argument "poll_interval" instead.
Report if it's not, and don't use it as an out-of-bounds index into an
array.
This fixes a buffer overflow discovered by Wilfried Kirsch.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
safeputs() doesn't do packet bounds checking of its own; it assumes that
the caller has checked the availability in the packet data of all maxlen
bytes of data. This means we should check that we're within the
specified limit before looking at the byte.
This fixes a buffer over-read discovered by Kamil Frankowicz.
Add a test using the capture file supplied by the reporter(s).
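The limit-before-byte ordering described for safeputs(), as an added example that is not tcpdump's safeputs() or its caller: a bounded string printer in two versions, one that tests the byte before the limit and one that tests the limit before the byte. Every read goes through a constructed `fetch()` that records the highest index touched, so the extra read of `s[maxlen]` is observable without relying on undefined behaviour; the byte rendering (`'.'` for non-printables) is likewise a constructed choice.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Highest index read from the string buffer by the most recent call. */
static size_t highest_index_read;

static uint8_t fetch(const uint8_t *s, size_t i)
{
    if (i > highest_index_read)
        highest_index_read = i;
    return s[i];
}

static void put_char(uint8_t c)
{
    /* constructed rendering: printable bytes as-is, anything else as '.' */
    putchar(isprint(c) ? c : '.');
}

/* Flawed ordering: the byte is looked at first, so when no NUL occurs in
 * the first maxlen bytes the loop reads s[maxlen], one byte beyond what the
 * caller vouched for. */
static size_t puts_byte_then_limit(const uint8_t *s, size_t maxlen)
{
    size_t i = 0;
    uint8_t c;
    while ((c = fetch(s, i)) != '\0' && i < maxlen) {
        put_char(c);
        i++;
    }
    return i;
}

/* Correct ordering: the limit is checked before the byte is looked at, so
 * no index >= maxlen is ever read. */
static size_t puts_limit_then_byte(const uint8_t *s, size_t maxlen)
{
    size_t i;
    for (i = 0; i < maxlen; i++) {
        uint8_t c = fetch(s, i);
        if (c == '\0')
            break;
        put_char(c);
    }
    return i;
}

/* Run fn over s with the given maxlen and report the highest index it read. */
static size_t highest_read_by(size_t (*fn)(const uint8_t *, size_t),
                              const uint8_t *s, size_t maxlen)
{
    highest_index_read = 0;
    fn(s, maxlen);
    putchar('\n');
    return highest_index_read;
}

int main(void)
{
    /* Constructed buffer: the caller has only checked the first 4 bytes;
     * index 4 stands for the first byte past the captured data. */
    static const uint8_t s[] = { 'a', 'b', 'c', 'd', 'X' };

    printf("byte-then-limit read up to index %zu\n", highest_read_by(puts_byte_then_limit, s, 4));  /* 4 */
    printf("limit-then-byte read up to index %zu\n", highest_read_by(puts_limit_then_byte, s, 4));  /* 3 */
    return 0;
}
```

With a NUL inside the first `maxlen` bytes both versions stop at the same place, which is why a test that only feeds well-terminated strings never exposes the flawed ordering; the failing case is a string field that fills its entire field with no terminator.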