RFC 6514 Section 4.6 defines the structure for Shared Tree Join (6) and
Source Tree Join (7) multicast VPN route types. decode_multicast_vpn()
didn't implement the Source AS field of that structure properly, adjust
the offsets to put it right.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s).
dhcpv4_print() in print-hncp.c had the same bug as dhcpv6_print(), apply
a fix along the same lines.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s).
hncp_print_rec() validates each HNCP TLV to be within the declared as
well as the on-the-wire packet space. However, dhcpv6_print() in the same
file didn't do the same for the DHCPv6 options within the HNCP
DHCPv6-Data TLV value, which could cause an out-of-bounds read when
decoding an invalid packet. Add missing checks to dhcpv6_print().
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s).
Do the length checking inline; that means we print stuff up to the point
at which we run out of option data.
First check to make sure we have at least 4 bytes of option, so we have
flags to check.
This fixes a buffer over-read discovered by Kim Gwan Yeong.
Add a test using the capture file supplied by the reporter(s).
Have ikev1_attrmap_print() and ikev1_attr_print() do full bounds
checking, and return null on a bounds overflow. Have their callers
check for a null return.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
Some of them are variable-length, with a field giving the total length,
and therefore they can be shorter than 6 octets. If one is, don't run
past the end.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
Move a return to make the code a bit cleaner (i.e., make it more obvious
that if we don't have enough of the PGM header, we just print the source
and destination IP addresses, mark it as incomplete PGM, and don't try
to look at the PGM header).
This fixes a buffer over-read discovered by Bhargava Shastry.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
Update another VTP test's .out file for this change.
Don't treate a TLV type or length of 0 as invalid; a type of 0 should
just be reported as illegal if that type isn't used, and the length is
the length of the *value*, not the length of the entire TLV, so if it's
zero there won't be an infinite loop. (It's still not *legal*, as the
values of all the TLVs we handle are 1 16-bit word long; we added a
check for that.)
Update some comments while we're at it, to give a new URL for one Cisco
page and a non-Cisco URL for another former Cisco page (Cisco's UniverCD
pages don't seem to be available any more, and Cisco's robots.txt file
didn't allow the Wayback Machine to archive it).
Reverse the test in a for loop to test the length before testing whether
we have a null byte.
This fixes a buffer over-read discovered by Bhargava Shastry.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
Clean up other length tests while we're at it.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
Clean up some whitespace in tests/TESTLIST while we're at it.
Use ND_TCHECK macros to do bounds checking, and add length checks before
the bounds checks.
Add a bounds check that the review process found was missing.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
Update one test output file to reflect the changes.
For configuration protocol options, use ND_TCHECK() and
ND_TCHECK_nBITS() macros, passing them the appropriate pointer argument.
This fixes one case where the ND_TCHECK2() call they replace was not
checking enough bytes.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't cause 'tcpdump: pcap_loop: truncated dump file'
The total length of the OID is the OID length plus the length of the OID
length itself.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
Add bounds checks, do a common check to make sure we captured the entire
subTLV, add checks to make sure the subTLV fits within the TLV.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add tests using the capture files supplied by the reporter(s), modified
so the capture files won't be rejected as an invalid capture.
Update existing tests for changes to IS-IS dissector.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't cause 'tcpdump: pcap_loop: truncated dump file'
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't cause 'tcpdump: pcap_loop: truncated dump file'
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't cause 'tcpdump: pcap_loop: truncated dump file'
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
Add #defines for option lengths or the lengths of the fixed-length part
of the option. Sometimes those #defines differ from what was there
before; what was there before was wrong, probably because the option
lengths given in RFC 3208 were sometimes wrong - some lengths included
the length of the option header, some lengths didn't.
Don't use "sizeof(uintXX_t)" for sizes in the packet, just use the
number of bytes directly.
For the options that include an IPv4 or IPv6 address, check the option
length against the length of what precedes the address before fetching
any of that data.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
Always print the SNPA, and flag it as such; only print it as a MAC
address if it's 6 bytes long.
Identify the NET as such.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add tests using the capture files supplied by the reporter(s), modified
so the capture files won't be rejected as an invalid capture.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
This fixes a buffer over-read discovered by Yannick Formaggio.
Add a test using the capture file supplied by the reporter(s).
While we're at it, print a truncation error if the packets are
truncated, rather than just, in effect, ignoring the result of the
routines that print particular packet types.
If the protocol type isn't ETHERTYPE_IP or ETHERTYPE_TRAIL, or if the
protocol address length isn't 4, don't print the address as an IPv4 address.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
Update another test file's tcpdump output to reflect this change.
Check before fetching the length from the included packet's IPv4 header.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
Also, make the buffer bigger.
This fixes a buffer overflow discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter.
Add a test using the capture file supplied by the reporter(s).
While we're at it:
Add a comment giving the RFC for IPv6 mobility headers.
Clean up some bounds checks to make it clearer what they're checking, by
matching the subsequent EXTRACT_ calls or memcpy.
For the binding update, if none of the flag bits are set, don't check
the individual flag bits.
offset has already been advanced to point to the bitmap; we shouldn't
add the amount to advance again.
This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter.
Add a test using the capture file supplied by the reporter(s).
While we're at it, remove some redundant tests - we've already checked,
before the case statement, whether we have captured the entire
information element and whether the entire information element is
present in the on-the-wire packet; in the cases for particular IEs, we
only need to make sure we don't go past the end of the IE.
The sub-dissector expects that the length and captured length will
reflect the actual remaining data in the packet, not the raw amount
including the PKTAP header; pass an updated header, just as we do for
PPI.
This fixes a buffer over-read discovered by Yannick Formaggio.
Add a test using the capture file supplied by the reporter(s).
It's not good enough to check whether all the data specified by the AVP
length was captured - you also have to check whether that length is
large enough for all the required data in the AVP.
This fixes a buffer over-read discovered by Yannick Formaggio.
Add a test using the capture file supplied by the reporter(s).
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add tests using the capture files supplied by the reporter(s).
Do a lot more bounds and length checks.
Add a EXTRACT_8BITS() macro, for completeness, and so as not to confuse
people into thinking that, to fetch a 1-byte value from a packet, they
need to use EXTRACT_16BITS() to fetch a 2-byte value and then use
shifting and masking to extract the desired byte. Use that rather than
using EXTRACT_16BITS() to fetch a 2-byte value and then shifting and
masking to extract the desired byte.
Don't treat IPv4 addresses and unnumbered interface IDs the same; the
first should be printed as an IPv4 address but the latter should just be
printed as numbers. Handle IPv6 addresses in more object types while
we're at it.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
In aodv_extension() do a bounds check on the extension header before we
look at it.
This fixes a buffer over-read discovered by Kamil Frankowicz.
Add a test using the capture file supplied by the reporter(s).
While we're at it, add the RFC number, and check the validity of the
length for the Hello extension.
Also, put the buffer on the stack; no reason to make it static. (65
bytes isn't a lot.)
This fixes a buffer over-read discovered by Kamil Frankowicz.
Add a test using the capture file supplied by the reporter(s).
We've already advanced the pointer past the PAN ID, if present; it now
points to the address, so don't add 2 to it.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
We've already advanced the pointer past the PAN ID, if present; it now
points to the address, so don't add 2 to it.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
While we're at it, add a bunch of macros for the frame control field's
subfields, have the reserved frame types show the frame type value, use
the same code path for processing source and destination addresses
regardless of whether -v was specified (just leave out the addresses in
non-verbose mode), and return the header length in all cases.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add tests using the capture files supplied by the reporter(s).
We do bounds checks based on the TLV length, so if the TLV's length is
too short, and we don't check for that, we could end up fetching data
past the end of the TLV - including past the length of the captured data
in the packet.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add tests using the capture files supplied by the reporter(s).
If you have a
for (i = 0; i < N; i++)
loop, you'd better make sure that i is big enough to hold N - not N-1,
N.
The TLV length here is 9 bits long, not 8 bits long, so an 8-bit loop
counter will overflow and you can loop infinitely.
This fixes an infinite loop discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add tests using the capture files supplied by the reporter(s).
Clean up the output a bit while we're at it.
Probably a copy-and-pasteo.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add tests using the capture files supplied by the reporter(s).
1) Take the length of the NSAP into account. Otherwise, if, in our
search of the hash table, we come across a byte string that's shorter
than the string we're looking for, we'll search past the end of the
string in the hash table.
2) The first byte of the byte string in the table is the length of the
NSAP, with the byte *after* that being the first byte of the NSAP, but
the first byte of the byte string passed into lookup_nsap() is the first
byte of the NSAP, with the length passed in as a separate argument. Do
the comparison correctly.
This fixes a vulnerability discovered by Kamil Frankowicz.
Add a test using the capture file supplied by the reporter(s).
While we're at it, clean up the fix to lookup_bytestring():
1) Get rid of an unused structure member and an unused #define.
2) Get rid of an incorrect "+ 1" when calculating the size of the byte
array to allocate - that was left over from the NSAP table, where the
length was guaranteed to fit in 1 byte and we used the first byte of the
array to hold the length of the rest of the array.
This is what BIND 9.11.0-P2 does; it not only detects pointers that
loop, as "point backwards" means "point before anything we've processed
so far, including what we're processing right now", so the pointer can't
point to itself (as that's what we're processing right now).
This fixes an infinite loop discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
Also, add some infinite-pointer-loop captures.
More checks should be done. We might, for example, want to make sure
the upper 2 bits of the label length/pointer byte are 00 or 11, and that
if we encounter a pointer and jump backwards to what we think is a label
the label ends before the beginning of the last label we processed, to
make sure the pointer doesn't point backwards into the *middle* of a
label, and also make sure the entire name is <= 255 bytes long.
The loop can be executed more than once (that's kinda the whole point of
a loop), so the check has to be made each time through the loop, not
just once before the loop is executed.
Do some additional length checks while we're at it.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
tcpdump printout for TCP-MD5 is different depending on whether it was
compiled with or without the crypto support. This means a standard test
with TCP-MD5 will always fail at least one of the cases (with and
without). Replace the standard test with two custom tests and run that
test that should pass but skip the other.
Do bounds checking as we access items.
Scan the list of netinfo6 entries based on the supplied packet length,
without taking the captured length into account; let the aforementioned
bounds checking handle that.
This fixes a buffer over-read discovered by Kamil Frankowicz.
Add a test using the capture file supplied by the reporter(s).
Make sure that it always sends *endp before returning and that, for
invalid lengths where we don't like a character in the length string,
what it sets *endp to is past the character in question, so we don't
run the risk of infinitely looping (or doing something else random) if a
character in the length is invalid.
This fixes an infinite loop discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
The closest thing to a specification for the contents of the payload
data is draft-ietf-ipsec-notifymsg-04, and nothing in there says that it
is ever a complete ISAKMP message, so don't dissect types we don't have
specific code for as a complete ISAKMP message.
While we're at it, fix a comment, and clean up printing of V1 Nonce,
V2 Authentication payloads, and v2 Notice payloads.
This fixes an infinite loop discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
The arguments to memcpy() were completely wrong.
This fixes a buffer over-read discovered by Kamil Frankowicz.
Add a test using the capture file supplied by Brian 'geeknik' Carpenter.
Use ND_TTEST() rather than comparing against ndo->ndo_snapend ourselves;
it's easy to get the tests wrong.
Check for running out of packet data before checking for running out of
captured data, and distinguish between running out of packet data (which
might just mean "no more strings") and running out of captured data
(which means "truncated").
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
In RFC 1883, the Type 0 routing header had a 1-byte reserved field and a
3-byte strict/loose bit map; in RFC 2460, that changed to a 4-byte
reserved field.
This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter (by
making an ND_TCHECK() call check for the presence in the captured data
of all 4 bytes of the reserved field; we were printing it as a 4-byte
field, so we needed to check for them).
Add a test using the capture file supplied by the reporter(s).
rt6_print(), ah_print(), and esp_print() return -1 if they run up
against the end of the packet while dissecting; if that happens, stop
dissecting, don't try to fetch the next header value, because 1) *it*
might be past the end of the packet and 2) we won't be using it in any
case, as we'll be exiting the loop.
Also, change mobility_print() to return -1 if it runs up against the
end of the packet, and stop dissecting if it does so.
This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter.
Add tests using the capture files supplied by the reporter(s).
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add tests using the capture files supplied by the reporter(s).
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add tests using the capture files supplied by the reporter(s).
Otherwise, if, in our search of the hash table, we come across a byte
string that's shorter than the string we're looking for, we'll search
past the end of the string in the hash table.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
After we advance the pointer by the length value in the buffer, make
sure it points to something in the captured data.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.
Add a test using the capture file supplied by the reporter(s).
If we're skipping over padding before the *real* flags, check whether
the real flags are in the captured data before fetching it. This fixes
a buffer over-read discovered by Kamil Frankowicz.
Note one place where we don't need to do bounds checking as it's already
been done.
Add a test using the capture file supplied by the reporter(s).
Fix the bounds checking for the NFSv3 WRITE procedure to check whether the
length of the opaque data being written is present in the captured data,
not just whether the byte count is present in the captured data.
furthest forward in the packet, not the item before it. (This also lets
us eliminate the check for the "stable" argument being present in the
captured data; rewrite the code to print that to make it a bit clearer.)
Check that the entire ar_stat field is present in the capture.
Note that parse_wcc_attr() is called after we've already checked whether
the wcc_data is present.
Check before fetching the "access" part of the NFSv3 ACCESS results.
This fixes a buffer over-read discovered by Kamil Frankowicz.
Include a test for the "check before fetching the "access" part..." fix,
using the capture supplied by the reporter(s).
This fixes a buffer over-read discovered by Kamil Frankowicz.
Don't pass the remaining caplen - that's too hard to get right, and we
were getting it wrong in at least one case; just use ND_TTEST().
Add a test using the capture file supplied by the reporter(s).
Report if it's not, and don't use it as an out-of-bounds index into an
array.
This fixes a buffer overflow discovered by Wilfried Kirsch.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
safeputs() doesn't do packet bounds checking of its own; it assumes that
the caller has checked the availability in the packet data of all maxlen
bytes of data. This means we should check that we're within the
specified limit before looking at the byte.
This fixes a buffer over-read discovered by Kamil Frankowicz.
Add a test using the capture file supplied by the reporter(s).
Check whether the flags are in the captured data before printing them in
an MSTP BPDU.
Check whether V4 length is in the captured data before fetching it.
This fixes a vulnerability discovered by Kamil Frankowicz.
Include a test for the "check whether the V4 length is..." fix, using
the capture supplied by Kamil Frankowicz.
These tests may be performed in an arbitrary time zone, so they *must*
run tcpdump with an option to print the time in a time-zone-independent
fashion. Force -t on in TESTonce, just as we do for -n, and remove it
from TESTLIST and the conditional test scripts.
The draft-ietf-idr-shutdown-07 document specifies a mechanism to
transmit a short free form UTF-8 [RFC3629] message as part of a Cease
NOTIFICATION message [RFC4486] to inform the peer why the BGP session is
being shutdown or reset.
Hat tip to Peter van Dijk <peter.van.dijk@powerdns.com>
The function sig_print() did receive a correct caplen parameter value
but didn't use it correctly and could overread by one byte as Brian
Carpenter has demonstrated. Fix it by switching to the standard macros.
Kamil Frankowicz had found that truncated BE_STR and BE_SEQ ASN.1
elements could lead to an overread, from the source code it looked like
other ids could have this problem too. Move the checks introduced in
commit 72e501f out of the switch blocks to cover all ids by default.
This fixes GH#559 and GH#566.
Brian Carpenter had found that regardless of CVE-2016-8575 q933_print()
still could overread the buffer trying to parse a short packet. This
change fixes the problem.
In that function the "length" parameter means off-the-wire length, that
is, the length declared inside the outer header. The "caplen" parameter
means the amount of bytes actually available in the captured packet.
gre_print_0() and the functions modelled after it passed the value of
"length" instead of the value of "caplen", this could make ether_print()
access beyond the memory allocated for the captured packet. Brian
Carpenter had demonstrated this for the OTV case.
Fix the involved functions that call ether_print() to pass the correct
value and leave a comment to dismiss "caplen" later as its value can be
reliably derived from the other ether_print() parameters.
Interleave the bounds checking with printing to make it visible which
last protocol field was OK. This fixes a vulnerability discovered by
Brian Carpenter.
Add a few checks to ip6_print() to make it stop decoding the IPv6
headers immediately when the header-specific functions signal an error
condition. Without this it tried to fetch the next header selector for
the next round regardless and could run outside of the allocated packet
space on a specially crafted IPv6 packet.
Brian Carpenter has demonstrated this for the Hop-by-Hop Options header.
Fix that specific case and also the Destination Options and Fragment
header processing as those use the same logic.
Add two test files for these fixes.
Add more bounds checks in VAT, RTP and RTCP printers.
Moreover:
Add and use *_tstr[] strings.
Update the output of a test accordingly.
Remove spaces before tabs.
Use fn_printzp().
Moreover:
Add a missing comma in output.
Use ND_TCHECK_32BITS instead of ND_TTEST_32BITS.
Add a test for spb_bpduv4.pcap with verbose output.
It can't be told to stop at the end of the packet data. Add a
fn_printztn() that prints null-terminated strings, with a length check,
and which returns the number of bytes processed, or 0 if we ran out of
data. That means it does the scanning we need, but safely.
Use it in the TFTP and BOOTP printers.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
It might not be, either because an unusual hardware type is using ARP or
because a maliciously-constructed packet was sent. Instead of comparing
against a 6-octet string of zeros with memcmp(), check each octet of the
address against 0.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
The bounds checks fix some heap overflows found with American Fuzzy Lop
by Hanno Böck.
Add some ND_TTEST_/ND_TCHECK_ macros to extract.h to simplify writing
bounds checks for code that uses the other macros in that file.
Fix the printing of the SPB BPDU agreement digest - I don't think the
intent was to print the value of the first 4 bytes, that value + 4, that
value + 8, etc., I suspect it was to print the first 4 bytes, the next 4
bytes, etc..
Bad Things could happen, e.g. the dissector we call thinking it's been
handed an IPv6 header when we haven't handed it anything that large.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
Update some .out files to correspond to that change.
If a protocol that runs under a link-layer protocol would print the
link-layer addresses for the packet as source and destination addresses
for the packet, don't have it blithely assume those link-layer addresses
are present or are at a particular offset from the beginning of that
protocol's data; Ethertypes, for example, are used by a number of
protocols, not all of which have Ethernet headers and not all of which
have any MAC headers.
Instead, pass the printers for those protocols structures with a pointer
to the address data and a pointer to a routine that prints the address.
Fixes some heap overflows found with American Fuzzy Lop by Hanno Böck.
