Catch INTEGER values with a length of 0, so we don't fetch a byte that
doesn't belong to the value.
Fix what appears to be a long-standing bug in the OID prefix matching
code, wherein the length of the *first* prefix in the table is used as
the length of *all* prefixes, and add some packet-length checking to
that list.
Report packets with an invalid SNMP version number as being SNMP, so
we at least indicate *that*.
At the beginning, make sure the on-the-wire length is >= the size of the
EGP header, and make sure the captured data is >= the size of the EGP
header, rather than making sure we have all the captured data, as we're
only looking at the header there.
Do on-the-wire length checking in egpnrprint().
If the L of the V of the TLV isn't large enough for everything it's
supposed to contain, just quit processing the TLV, print its contents in
hex, and process the next TLV.
Add multiple bounds and length checks to make sure we don't run past the
end of the packet.
Don't check the length of "end of TLV" indicators; 802.3 says it should
be ignored.
The Event Notification OAMPDU has a sequence number; report it.
print-lspping.c was written to one of the draft-ietf-mpls-lsp-ping-13
drafts; incorporate subsequent changes that are in RFC 4379. Not all
TLV and subTLV types from that RFC are currently dissected.
Apparently, the IANA has two separate but similar registries, the BGP
Layer 2 Encapsulation Types registry and the MPLS Pseudowire Types
registry. Have two separate tables for them, and use the tables as
appropriate. Update them to match the current state of the registries.
11 is not the subTLV code for "BGP labeled IPv4 prefix" (and never was,
from what I can tell from looking at the I-Ds), 12 is.
Do more bounds checking.
Pull the code in asn1_print() to print octet sequences and (presumed)
printable strings into routines of their own, and use them when we're
printing them outside asn1_print().
That fixes some cases where we can run past the end of the packet
buffer.
NFSv2 file handles are always 32 bytes long, possibly with zero padding
at the end.
NFSv3 file handles are variable-length, however, so we cannot assume
that they have any minimum number of bytes of data; check that bytes
are present before looking at them.
Add two test files for these fixes.
Add more bounds checks in VAT, RTP and RTCP printers.
Moreover:
Add and use *_tstr[] strings.
Update the output of a test accordingly.
Remove spaces before tabs.
Use fn_printzp().
Moreover:
Add a missing comma in output.
Use ND_TCHECK_32BITS instead of ND_TTEST_32BITS.
Add a test for spb_bpduv4.pcap with verbose output.
They will always be usable with the upcoming libpcap versions' sanity checks.
pcap: old version: 12336.12336, new version: 2.4
pcap-ng: old version: 1.12336, new version: 1.0
If it's not < 0, it's not -2147483648; check for negative values first.
Don't calculate the value for -2147483648 by hand, print a - and then
have unsigned_relts_print() calculate the value for 2147483648.
Have signed_relts_print() just call unsigned_relts_print() to do the
formatting, once it's ensured that the value is positive and printed a
leading minus sign if necessary.
Have separate routines for signed and unsigned relative time stamps.
Have the routine for signed time stamps handle the case of -2^31, where
you can't negate it and have the result fit in a 32-bit signed integer.
There are currently no users of the signed relative time stamp routine,
but it's there in case anybody needs it (and is passing 32-bit
quantities, so that there's a risk that a packet might contain -2^31 as
the time stamp).
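Added here as an illustration of the approach the two messages above describe, not code from the tcpdump commits themselves: a hypothetical pair of formatting routines where the signed one prints the sign, then hands the magnitude to the unsigned one, passing 2147483648 directly for -2^31 instead of negating it. The function names, the unit table, and the buffer-based interface are assumptions.

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

/* Render seconds as e.g. "1d2h3m4s", omitting zero-count units; returns buf. */
static char *
unsigned_relts_format(char *buf, size_t buflen, uint32_t secs)
{
    static const char *units[] = { "y", "w", "d", "h", "m", "s" };
    static const uint32_t unit_secs[] = { 31536000U, 604800U, 86400U, 3600U, 60U, 1U };
    size_t used = 0;
    if (buflen == 0)
        return buf;
    buf[0] = '\0';
    if (secs == 0)
        snprintf(buf, buflen, "0s");
    for (size_t i = 0; i < 6 && secs > 0; i++) {
        if (secs < unit_secs[i])
            continue;
        int n = snprintf(buf + used, buflen - used, "%" PRIu32 "%s",
                         secs / unit_secs[i], units[i]);
        if (n < 0 || (size_t)n >= buflen - used)
            break;                      /* truncated: stop rather than overrun */
        used += (size_t)n;
        secs %= unit_secs[i];
    }
    return buf;
}

/* Signed variant: emit the sign, then hand the magnitude to the unsigned routine.
 * -secs overflows for INT32_MIN, so that magnitude is passed as a literal instead. */
static char *
signed_relts_format(char *buf, size_t buflen, int32_t secs)
{
    if (secs >= 0)
        return unsigned_relts_format(buf, buflen, (uint32_t)secs);
    if (buflen < 2) {                   /* no room for "-" plus a NUL */
        if (buflen > 0) buf[0] = '\0';
        return buf;
    }
    buf[0] = '-';
    unsigned_relts_format(buf + 1, buflen - 1,
                          secs == INT32_MIN ? 2147483648U : (uint32_t)(-secs));
    return buf;
}
/* Static-buffer wrapper, so results can be compared as strings. */
const char *signed_relts_str(int32_t secs)
{
    static char buf[64];
    return signed_relts_format(buf, sizeof buf, secs);
}
```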
Fixes an array overflow found with American Fuzzy Lop by Hanno Böck.
It can't be told to stop at the end of the packet data. Add a
fn_printztn() that prints null-terminated strings, with a length check,
and which returns the number of bytes processed, or 0 if we ran out of
data. That means it does the scanning we need, but safely.
Use it in the TFTP and BOOTP printers.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
It might not be, either because an unusual hardware type is using ARP or
because a maliciously-constructed packet was sent. Instead of comparing
against a 6-octet string of zeros with memcmp(), check each octet of the
address against 0.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
The bounds checks fix some heap overflows found with American Fuzzy Lop
by Hanno Böck.
Add some ND_TTEST_/ND_TCHECK_ macros to extract.h to simplify writing
bounds checks for code that uses the other macros in that file.
Fix the printing of the SPB BPDU agreement digest - I don't think the
intent was to print the value of the first 4 bytes, that value + 4, that
value + 8, etc., I suspect it was to print the first 4 bytes, the next 4
bytes, etc.