mirror of
https://github.com/the-tcpdump-group/tcpdump.git
synced 2024-11-24 10:33:28 +08:00
83c64fce3a
The decoder didn't properly check that the PDU length stored in the PDU header is correct. The only check in place was in rpki_rtr_print() and it tested whether the length is zero but that is not sufficient. Make all necessary length and bounds checks, both generic and type-specific, in rpki_rtr_pdu_print() and reduce rpki_rtr_print() to a simple loop. This also fixes a minor bug and PDU type 0 (Serial Notify from RFC 6810 Section 5.2) is valid again. In rpki_rtr_pdu_print() any protocol version was considered version 0, fix it to skip the rest of input if the PDU protocol version is unknown. Ibid, the PDU type 10 (Error Report from RFC 6810 Section 5.10) case block didn't consider the "Length of Error Text" data element mandatory, put it right. Ibid, when printing an encapsulated PDU, give itself (via recursion) respective buffer length to make it possible to tell whether the encapsulated PDU fits. Do not recurse deeper than 2nd level. Update prior RPKI-Router test cases that now stop to decode earlier because of the stricter checks. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
120 B
120 B