Replace more calls to ipaddr_string()/ip6addr_string() with calls to
GET_IPADDR_STRING()/GET_IP6ADDR_STRING() macros performing bounds
checking.
Add similar bounds-checking inline functions and macros to wrap
linkaddr_string(), etheraddr_string(), and isonsap_string() and convert
calls to them to use the macros as well.
Shuffle the inline functions in addrtoname.h around a bit, so that the
inline functions, external declarations, and macros are all in the same
order.
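Added example, not tcpdump's own code: a minimal model of the bounds-checked wrapper pattern the GET_*ADDR_STRING() macros implement. Every address-to-string helper is reached only through a function that first confirms the whole field lies inside the captured data. The struct, the function names (pkt_view, addr_string_checked, fmt_ether, fmt_ipv4), the sample frame and the bool return convention are all constructed for this illustration; tcpdump's real macros instead jump to the truncation handler.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example code, not from tcpdump. Names below are invented. */
struct pkt_view {
    const uint8_t *start;   /* first captured byte */
    const uint8_t *end;     /* one past the last captured byte */
};

enum addr_kind { ADDR_ETHER = 6, ADDR_IPV4 = 4 };   /* value = field length */

/* Raw formatters: they trust the caller for bounds, like the unchecked
 * etheraddr_string()/ipaddr_string() the commit message is replacing. */
static void fmt_ether(const uint8_t *p, char *out, size_t outlen)
{
    snprintf(out, outlen, "%02x:%02x:%02x:%02x:%02x:%02x",
             p[0], p[1], p[2], p[3], p[4], p[5]);
}

static void fmt_ipv4(const uint8_t *p, char *out, size_t outlen)
{
    snprintf(out, outlen, "%u.%u.%u.%u", p[0], p[1], p[2], p[3]);
}

/* Checked entry point: formats only when the len-byte field at p is
 * entirely inside the captured data. The check uses the remaining
 * length (end - p) rather than p + len, so a large len cannot wrap. */
static bool addr_string_checked(const struct pkt_view *pv, const uint8_t *p,
                                enum addr_kind kind, char *out, size_t outlen)
{
    size_t len = (size_t)kind;

    if (p < pv->start || p > pv->end)
        return false;
    if ((size_t)(pv->end - p) < len)
        return false;           /* field runs off the captured data */

    switch (kind) {
    case ADDR_ETHER: fmt_ether(p, out, outlen); break;
    case ADDR_IPV4:  fmt_ipv4(p, out, outlen);  break;
    default:         return false;
    }
    return true;
}

static char g_dst_mac[32];
static char g_src_ip[16];
static char g_dst_ip[16];

/* Demo on a constructed, deliberately truncated frame: a 14-byte Ethernet
 * header followed by only the first 16 bytes of an IPv4 header, so the
 * capture ends right after the source address. Returns how many of the
 * three addresses could be printed safely. */
static int demo_print_addrs(void)
{
    static const uint8_t frame[] = {
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
        0x45,0x00,0x00,0x3c, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
        0x0a,0x00,0x00,0x01,
    };
    struct pkt_view pv = { frame, frame + sizeof frame };
    int printed = 0;

    if (addr_string_checked(&pv, frame, ADDR_ETHER, g_dst_mac, sizeof g_dst_mac))
        printed++;
    if (addr_string_checked(&pv, frame + 14 + 12, ADDR_IPV4, g_src_ip, sizeof g_src_ip))
        printed++;
    /* Destination IP would be frame[30..33]; only 30 bytes were captured,
     * so this one is refused instead of read past the end. */
    if (addr_string_checked(&pv, frame + 14 + 16, ADDR_IPV4, g_dst_ip, sizeof g_dst_ip))
        printed++;
    return printed;
}
```

The point of routing every call through one checked function is that the check cannot be forgotten at an individual call site, which is the class of bug the unchecked helpers made easy.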
That means that we do some buffering of packets. It also means we don't
depend on the immediate-mode APIs being available.
While we're at it, use the short timeout if we're doing text output in
"line-buffered mode" as well as if we're doing it to a terminal.
Replace calls to ipaddr_string()/ip6addr_string() with calls to
GET_IPADDR_STRING()/GET_IP6ADDR_STRING() macros performing bounds
checking.
Fix a regression in 78a4ee8222.
This fixes a buffer over-read in ldp_tlv_print() discovered by
Jason Xiaole.
Add a test using the capture file supplied by the reporter updated
to keep only the packet showing the buffer over-read.
At least as I read RFC 5996 section 3.14 and RFC 4303 section 2.4, if
the cipher has a block size of which the ciphertext's size must be a
multiple, the payload must be padded to make that happen, so the
ciphertext length must be a multiple of the block size. Instead of
allocating a buffer, copying the ciphertext to it, and padding it to the
block size, fail if its size isn't a multiple of the block size.
(Note also that the old padding code added a block's worth of padding to
the end of a ciphertext block that *was* a multiple of the cipher block
size; this might have caused problems.)
Don't use the undocumented EVP_Cipher(); the lack of documentation means
a lack of information about whatever requirements it might impose. Use
EVP_DecryptUpdate() instead.
Before calling it, use EVP_CIPHER_CTX_set_padding() to say "don't do
your own padding, this block is a multiple of the cipher block size".
Instead of using EVP_CipherInit() or EVP_CipherInit_ex(), use
EVP_DecryptInit() or EVP_DecryptInit_ex(), as we're always doing
decryption and never doing encryption - the extra parameter to
EVP_CipherInit() and EVP_CipherInit_ex() is always 0.
This may address GitHub issue #814.
It may also make it a bit easier to have the code use Common Crypto on
macOS (rather than requiring that OpenSSL be installed - macOS ships
with an OpenSSL shared library for binary compatibility with older
releases, but doesn't ship with the headers, because Apple wants you
using their crypto code) and use Cryptography API: Next Generation on
Windows (Vista/Server 2008 and later) (rather than requiring a Windows
build of OpenSSL).
(Hopefully this will all work with LibreSSL.)
If you split a string by overwriting the separator character with a NUL,
and you want to compare the first part with various values, use a
pointer to the beginning of the string, not to the NUL you just dropped
in.
This is a bug found while testing some cleanups for GitHub issue #814;
it's necessary for the cleanups to work.
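Added example, not tcpdump's own code: the pitfall described above in isolation. A "key=value" line is split in place by writing a NUL over the separator; the buggy parser then compares the key starting at the pointer that now addresses the NUL (an empty string), the fixed one compares from the start of the buffer. The key names, enum and function names are made up for this example.

```c
#include <string.h>

/* Example code, not from tcpdump. Names below are invented. */
enum key_id { KEY_UNKNOWN = 0, KEY_USER = 1, KEY_PASS = 2 };

static enum key_id key_from_name(const char *name)
{
    if (strcmp(name, "user") == 0) return KEY_USER;
    if (strcmp(name, "pass") == 0) return KEY_PASS;
    return KEY_UNKNOWN;
}

/* Buggy: after *sep = '\0', sep points at "" so every key looks unknown.
 * Kept only to show the failure mode. */
static enum key_id parse_kv_buggy(char *line, const char **value)
{
    char *sep = strchr(line, '=');
    if (sep == NULL) return KEY_UNKNOWN;
    *sep = '\0';
    *value = sep + 1;
    return key_from_name(sep);      /* wrong: compares the empty string */
}

/* Fixed: the key is the text from the start of the buffer up to the NUL. */
static enum key_id parse_kv(char *line, const char **value)
{
    char *sep = strchr(line, '=');
    if (sep == NULL) return KEY_UNKNOWN;
    *sep = '\0';
    *value = sep + 1;
    return key_from_name(line);     /* key begins at line, not at sep */
}

static const char *g_value;

/* Runs one parser over a constructed line. A fresh copy is made each time
 * because both parsers modify their input. Returns the key id seen. */
static enum key_id demo_parse(int use_fixed)
{
    static char buf[32];
    strcpy(buf, "user=alice");      /* constructed input */
    return use_fixed ? parse_kv(buf, &g_value) : parse_kv_buggy(buf, &g_value);
}
```

The value pointer is correct in both versions, which is why this kind of bug survives casual testing: only the key comparison silently fails.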
It's *not* just a number like 0. That *happens* to work, because, even
though LINKADDR_ETHER is currently 0, linkaddr_string() handles link
addresses of type LINKADDR_ETHER with a length other than 6 octets as
just a collection of octets, but we shouldn't *rely* on that.
nd_ipv4 was created for an unaligned field access inside of packet data,
so it should not be used for the rx_cache_entry. Use uint32_t, and use
GET_IPV4_TO_NETWORK_ORDER instead of UNALIGNED_MEMCPY() to get the data
into them.
If you call pcap_activate() and it fails, you still have a pcap_t from
pcap_create(), and should close it.
Moving the code after the error() calls doesn't make a difference, as
error() exits, but it may make it clearer to those reading tcpdump.c for
help in figuring out how to use libpcap that you should close the pcap_t
if pcap_activate() fails.
(In the future, there may also be the option of changing some options
and trying again, e.g. changing the user name or password for a remote
capture.)
- the print routines for the different ptp messages
- test completed for sync message, announce message, delay request message,
delay response message and follow up message.
- integration of the ptp v2 code with the tcpdump code.
Signed-off-by: Partha S. Ghosh <psglinux@gmail.com>
Have roundup2() cast the power-of-2 argument to u_int; that way, you
don't have to explicitly define it as an unsigned value in order to
avoid compiler or UBSan complaints about signed integers.
Use it instead of rolling our own rounding-to-a-power-of-2.
The errors were like:
print-isoclns.c:2583:20: runtime error: unsigned integer overflow:
20 - 27 cannot be represented in type 'unsigned int'
print-isoclns.c:2525:20: runtime error: unsigned integer overflow:
0 - 20 cannot be represented in type 'unsigned int'
Update the output of two tests accordingly.
These capture files triggered a buffer over-read fixed by
6f2cd8cee6.
Two pcap files were updated to pass the sanity checks.
Update the outputs of the tests accordingly.
These capture files triggered a buffer over-read or a segmentation fault
with the 4.9.2 release fixed in the 4.9.3 release.
These errors were fixed in master branch by commit
daa343d8e2.
Update the outputs of the tests accordingly.
Partial update from b8f025d17f
in 4.9 branch.
The only function tcpdump used in libdnet was dnet_htoa(), which tries
to translate a binary DECnet address to a nodename through a lookup in
/etc/decnet.conf. The translation is slow and has a bug, so stop using
the function and remove the dependency on libdnet.
This makes tcpdump always print DECnet addresses in numeric format, if
anybody needs the translation back they are welcome to fix libdnet or
(more realistically) add an implementation of dnet_htoa() to the tcpdump
source code and use it.
(This is a forward-port of commit 9a6eb27 from tcpdump-4.9 to master.
Sadly, together with libdnet this change removes the fine work that Guy
had done in the master branch in commits ebf3f19 and 4ef8d63 to put
libdnet usage right whilst my original "do not use libdnet" commit was
aging in the pipeline.)
These changes avoid some pcap_loop() error messages like:
"tcpdump: pcap_loop: invalid packet capture length X, bigger than
snaplen of Y"
or
"tcpdump: pcap_loop: truncated dump file; tried to read X header
bytes, only got Y"
Update the output of the tests accordingly (no more "EXIT CODE" line).
Remove the no longer useful .out.stderr files.
These changes avoid some pcap_loop() error messages like:
"tcpdump: pcap_loop: invalid packet capture length X, bigger than
snaplen of Y"
or
"tcpdump: pcap_loop: truncated dump file; tried to read X captured
bytes, only got Y"
The outputs of the tests are unchanged.
Remove the no longer useful -c options in the test configurations.
This capture file triggered a buffer over-read with the 4.9.2 release
fixed in the 4.9.3 release.
The problem was fixed in master branch by commit
09822d484b.
Update the output of the test accordingly.
Update from b35eb4c163
in 4.9 branch.
These are tests for print-smb.c:print_trans().
These capture files triggered a buffer over-read fixed by
50f375f9f1.
The pcap files were updated to avoid pcap_loop() error messages.
Update the output of the tests accordingly.
Update from 4bfd71eee4
in 4.9 branch.
We need to ensure that buf2 is set even if we have too many nested "*"s
in an SMB format string.
Add comments to further explain that code.
Cherry picked from 9e49bfe4b9
in 4.9 branch.
Enforce a limit on how many times smb_fdata() can recurse.
This change fixes CVE-2018-16452.
This fixes a stack exhaustion discovered by Include Security working
under the Mozilla SOS program in 2018 by means of code audit.
Cherry picked from 24182d959f
in 4.9 branch.
Enforce a limit on how many times bgp_attr_print() can recurse.
This change fixes CVE-2018-16300.
This fixes a stack exhaustion discovered by Include Security working
under the Mozilla SOS program in 2018 by means of code audit.
Cherry picked from af2cf04a93
in 4.9 branch.
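Added example, not tcpdump's own code, covering the recursion guards described for both smb_fdata() (CVE-2018-16452) and bgp_attr_print() (CVE-2018-16300) above: a parser that recurses on nested input carries a depth counter and refuses input nested deeper than a fixed limit, so attacker-controlled nesting cannot exhaust the stack. The TLV encoding, MAX_NEST value and all function names are constructed for this example and do not match the SMB or BGP formats.

```c
#include <stddef.h>
#include <stdint.h>

/* Example code, not from tcpdump. Format and names are invented. */
#define MAX_NEST 16

/* Constructed TLV encoding: 1-byte type, 1-byte length, value bytes.
 * A container's value is itself a sequence of TLVs; a leaf's is opaque. */
enum { TLV_CONTAINER = 1, TLV_LEAF = 2 };

/* Walks the TLVs in [p, p+len). Returns the number of TLVs visited,
 * -1 if a length runs past the buffer, -2 if nesting exceeds MAX_NEST. */
static int walk_tlvs(const uint8_t *p, size_t len, int depth)
{
    int count = 0;

    if (depth > MAX_NEST)
        return -2;               /* recursion guard: bounded stack use */

    while (len >= 2) {
        uint8_t type = p[0], vlen = p[1];
        if (vlen > len - 2)
            return -1;           /* value would run past the buffer */
        count++;
        if (type == TLV_CONTAINER) {
            int inner = walk_tlvs(p + 2, vlen, depth + 1);
            if (inner < 0)
                return inner;    /* propagate the error, stop recursing */
            count += inner;
        }
        p += 2 + vlen;
        len -= 2 + vlen;
    }
    return len == 0 ? count : -1;
}

/* Builds `levels` containers nested around a single leaf. Returns the
 * encoded size, or 0 if it does not fit (levels > 127 overflows vlen). */
static size_t build_nested(uint8_t *buf, size_t cap, unsigned levels)
{
    size_t total = 3 + 2u * levels;
    if (total > cap || levels > 127)
        return 0;
    for (unsigned i = 0; i < levels; i++) {
        buf[2 * i]     = TLV_CONTAINER;
        buf[2 * i + 1] = (uint8_t)(total - 2u * (i + 1)); /* bytes nested inside */
    }
    buf[2 * levels]     = TLV_LEAF;
    buf[2 * levels + 1] = 1;
    buf[2 * levels + 2] = 0x42;
    return total;
}

/* Constructed inputs: 4 levels is well within the limit, 40 levels is
 * what a hostile packet would send, and the last one lies about a length. */
static int demo_shallow(void)
{
    uint8_t buf[64];
    size_t n = build_nested(buf, sizeof buf, 4);
    return n ? walk_tlvs(buf, n, 0) : -3;
}

static int demo_deep(void)
{
    uint8_t buf[256];
    size_t n = build_nested(buf, sizeof buf, 40);
    return n ? walk_tlvs(buf, n, 0) : -3;
}

static int demo_malformed(void)
{
    static const uint8_t bad[] = { TLV_LEAF, 5, 0x01 };
    return walk_tlvs(bad, sizeof bad, 0);
}
```

The limit is checked on entry, before any work, and every error from a nested call is returned immediately so that the caller never keeps iterating over data it has already found to be bad.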
In babel_print_v2() check that the Babel packet body length does not
exceed the outer UDP packet payload. This helps to detect some invalid
packets earlier but does not fix a known vulnerability.
Update the output of a test accordingly.
Cherry picked from 651020754a
in 4.9 branch.
This capture file triggered a buffer over-read with the 4.9.2 release
fixed in the 4.9.3 release.
With the new GET_ macros, the problem no longer exists.
Thus no fix needed.
The pcap file was updated to pass the sanity checks and to avoid
pcap_loop() error messages.
Moreover:
Fix an existing length check.
Update the output of the test accordingly.
Partial update from 12f66f69f7
in 4.9 branch.
This change fixes CVE-2018-14879.
get_next_file() did not check the return value of strlen() and
underflowed an array index if the line read by fgets() from the file
started with \0. This caused an out-of-bounds read and could cause a
write. Add the missing check.
This vulnerability was discovered by Brian Carpenter & Geeknik Labs.
Cherry picked from 9ba9138195
in 4.9 branch.
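Added example, not tcpdump's own code: the defect class described above in a self-contained form. Stripping a trailing newline with line[strlen(line) - 1] reads line[-1] when strlen() returns 0, which happens when the line read by fgets() starts with a NUL byte. The fixed chomp() checks the length first. mem_gets() is a small fgets() stand-in over an in-memory buffer so the example runs without a file; all names and the sample input are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Example code, not from tcpdump. Names below are invented. */

/* Fixed form: the n == 0 check is the one the commit message adds.
 * Returns 1 if a newline was removed, 0 otherwise. The buggy form was
 * effectively: if (line[strlen(line) - 1] == '\n') ..., which for an
 * empty string indexes line[(size_t)-1]. */
static int chomp(char *line)
{
    size_t n = strlen(line);
    if (n == 0)
        return 0;
    if (line[n - 1] == '\n') {
        line[n - 1] = '\0';
        return 1;
    }
    return 0;
}

/* In-memory stand-in for a FILE so fgets()-like reads can be demonstrated
 * on data that contains embedded NUL bytes. */
struct memfile {
    const char *data;
    size_t len, pos;
};

/* Behaves like fgets(): reads up to buflen-1 bytes or through '\n'. */
static char *mem_gets(char *buf, size_t buflen, struct memfile *mf)
{
    size_t i = 0;
    if (buflen == 0 || mf->pos >= mf->len)
        return NULL;
    while (i + 1 < buflen && mf->pos < mf->len) {
        char c = mf->data[mf->pos++];
        buf[i++] = c;
        if (c == '\n')
            break;
    }
    buf[i] = '\0';
    return buf;
}

/* Returns the next non-empty line (newline stripped); 0 at end of input. */
static int get_next_name(struct memfile *mf, char *buf, size_t buflen)
{
    while (mem_gets(buf, buflen, mf) != NULL) {
        chomp(buf);
        if (buf[0] != '\0')
            return 1;
    }
    return 0;
}

/* Constructed file list: the second line begins with a NUL byte, the case
 * that drove the buggy code off the start of the buffer. Returns the
 * number of usable names found. */
static int demo_count_names(void)
{
    static const char data[] = "first.pcap\n\0junk\nsecond.pcap\n";
    struct memfile mf = { data, sizeof data - 1, 0 };
    char name[64];
    int n = 0;

    while (get_next_name(&mf, name, sizeof name))
        n++;
    return n;
}

/* Helper so chomp() can be exercised on string literals. */
static int chomp_copy(const char *s)
{
    char buf[64];
    strncpy(buf, s, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return chomp(buf);
}
```

An empty line is a legitimate result of fgets() whenever the input contains a NUL, so any code that computes strlen(line) - 1 needs the zero check, not just code that expects binary input.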
This capture file triggered a buffer over-read with the 4.9.2 release
and was fixed in the 4.9.3 release.
The problem was fixed in master branch by commit
ad69daa2e4.
Update the output of the test accordingly.
Partial update from 1ccaff3764
in 4.9 branch.
This capture file triggered a buffer over-read with the 4.9.2 release
and was fixed in the 4.9.3 release.
The problem was fixed in master branch by commit
6df4852ec3.
The pcap file was updated to avoid pcap_loop() error messages.
Update the output of the test accordingly.
Partial update from 211124b972
in 4.9 branch.
This capture file triggered a buffer over-read with the 4.9.2 release
fixed in the 4.9.3 release.
With a previous fix (3f1c4af001),
the problem no longer exists.
The pcap file was updated to pass the sanity checks and to avoid
pcap_loop() error messages.
Update the output of the test accordingly.
Partial update from 4846b3c5d0
in 4.9 branch.
This capture file triggered a buffer over-read with the 4.9.2 release
fixed in the 4.9.3 release.
With a previous update (511915bef7),
the problem no longer exists.
Thus no fix needed.
The pcap file was renamed from pcapng to pcap because it is.
Update the output of the test accordingly.
Partial update from 83a412a527
in 4.9 branch.