authorpfg <pfg@FreeBSD.org>2015-01-31 16:34:39 +0000
committerpfg <pfg@FreeBSD.org>2015-01-31 16:34:39 +0000
commit78884a33497c94ab855e6e2496fc113612b3aea6 (patch)
treef46d7ea2dedfde6a94703a6c5f21238decc4168f /contrib/tcpdump
parentb40768965e0f397f6ddf43347826c0ef370974eb (diff)
MFV r277981:
Upstream fixes for issues found with afl (Issue #417). - Fix length checking. Check both the captured length and the on-the-wire length (the latter *should* be greater than or equal to the former, but that's not guaranteed). Add some additional length checks, so neither caplen nor length underflow. If we stop dissecting because the packet is too short, return 1, not 0, as we've "dissected" what we can; 0 means "this is LLC+SNAP with an OUI of 0 and an unknown Ethertype". commit: 743bcecdc92f88b118ec7aac4f68b606601205cc - Clean up length checks. Check only the amount of length that matters at any given point; yes, this means we do multiple checks, but so it goes. We don't need to check for LLC+SNAP - llc_print() does that for us. We do, however, need to check to make sure we can safely skip the Fore header. commit: 5c65e7532fa16308e01299988852b0dc5b027559
Diffstat (limited to 'contrib/tcpdump')
-rw-r--r--contrib/tcpdump/print-atm.c15
-rw-r--r--contrib/tcpdump/print-llc.c15
2 files changed, 25 insertions, 5 deletions
diff --git a/contrib/tcpdump/print-atm.c b/contrib/tcpdump/print-atm.c
index b352579..1676a86 100644
--- a/contrib/tcpdump/print-atm.c
+++ b/contrib/tcpdump/print-atm.c
@@ -167,7 +167,7 @@ atm_if_print(netdissect_options *ndo,
uint32_t llchdr;
u_int hdrlen = 0;
- if (caplen < 8) {
+ if (caplen < 1 || length < 1) {
ND_PRINT((ndo, "%s", tstr));
return (caplen);
}
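Review bot: The minimum at `if (caplen < 1 || length < 1)` drops from 8 bytes to 1 with no comment saying why a single byte now suffices, so the relaxation reads like a typo rather than a design choice. It is only safe because the 3-byte and 20-byte checks added further down in this commit cover the later accesses, and presumably only the first byte is inspected between this check and the next one. I would add `/* Only the first byte is inspected before the next length check; the 3- and 20-byte minimums are enforced below. */` above the condition. atm_if_print continues outside the hunk.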
@@ -181,6 +181,15 @@ atm_if_print(netdissect_options *ndo,
}
/*
+ * Must have at least a DSAP, an SSAP, and the first byte of the
+ * control field.
+ */
+ if (caplen < 3 || length < 3) {
+ ND_PRINT((ndo, "%s", tstr));
+ return (caplen);
+ }
+
+ /*
* Extract the presumed LLC header into a variable, for quick
* testing.
* Then check for a header that's neither a header for a SNAP
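Review bot: The truncation exit `ND_PRINT((ndo, "%s", tstr)); return (caplen);` is now spelled out three times in atm_if_print (this hunk and the ones at -167 and -207), whereas snap_print in print-llc.c uses a single `goto trunc` for the same situation. A shared label would keep the three checks to one line each, e.g. `if (caplen < 3 || length < 3) goto trunc;` with `trunc: ND_PRINT((ndo, "%s", tstr)); return (caplen);` at the end of the function. The end of atm_if_print where that label would go is outside the hunk.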
@@ -207,6 +216,10 @@ atm_if_print(netdissect_options *ndo,
* packets? If so, could it be changed to use a
* new DLT_IEEE802_6 value if we added it?
*/
+ if (caplen < 20 || length < 20) {
+ ND_PRINT((ndo, "%s", tstr));
+ return (caplen);
+ }
if (ndo->ndo_eflag)
ND_PRINT((ndo, "%08x%08x %08x%08x ",
EXTRACT_32BITS(p),
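Review bot: The literal 20 at `if (caplen < 20 || length < 20)` is not tied to anything visible: the format string in the ND_PRINT below takes four 32-bit values, i.e. 16 bytes, and whatever consumes the remaining 4 bytes is outside the hunk. A comment such as `/* Need the full 20-byte header: the 16 bytes printed below plus the rest skipped afterwards -- confirm against the advance further down */` would tie the number to the layout, and a named constant would be better still. The check is correctly placed before the `ndo_eflag` test rather than inside it, assuming the skip that follows happens regardless of the flag.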
diff --git a/contrib/tcpdump/print-llc.c b/contrib/tcpdump/print-llc.c
index 82da55b..78b8631 100644
--- a/contrib/tcpdump/print-llc.c
+++ b/contrib/tcpdump/print-llc.c
@@ -153,10 +153,10 @@ llc_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen,
*extracted_ethertype = 0;
- if (caplen < 3) {
+ if (caplen < 3 || length < 3) {
ND_PRINT((ndo, "[|llc]"));
ND_DEFAULTPRINT((u_char *)p, caplen);
- return(0);
+ return (1);
}
dsap_field = *p;
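Review bot: The truncated-packet path now ends in `return (1);` but nothing in the code says why 1 rather than 0, and the same change is made at the -179 and +242 hunks; the meaning (0 is reserved for "LLC+SNAP with an OUI of 0 and an unknown Ethertype") currently lives only in the commit log. I would add one comment at this first site, `/* Truncated: we have dissected what we can, so report it as handled (1); 0 means "unknown Ethertype". */`, and make sure llc_print's header comment describing its return value, which is outside this hunk, is updated to match.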
@@ -179,10 +179,10 @@ llc_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen,
* The control field in I and S frames is
* 2 bytes...
*/
- if (caplen < 4) {
+ if (caplen < 4 || length < 4) {
ND_PRINT((ndo, "[|llc]"));
ND_DEFAULTPRINT((u_char *)p, caplen);
- return(0);
+ return (1);
}
/*
@@ -242,6 +242,11 @@ llc_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen,
if (ssap == LLCSAP_IP && dsap == LLCSAP_IP &&
control == LLC_UI) {
+ if (caplen < 4 || length < 4) {
+ ND_PRINT((ndo, "[|llc]"));
+ ND_DEFAULTPRINT((u_char *)p, caplen);
+ return (1);
+ }
ip_print(ndo, p+4, length-4);
return (1);
}
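Review bot: The new `if (caplen < 4 || length < 4)` check is needed because the check at -153 only guaranteed 3 bytes and this path hands `p+4` and `length-4` to ip_print(), but that reasoning is not written down; `/* Only 3 bytes were guaranteed above; need 4 so length-4 cannot underflow. */` would make it explicit. This block is also the third copy of the same three-line truncation sequence in llc_print, so a shared `trunc:` exit would cut the duplication. The `(u_char *)p` cast in the new ND_DEFAULTPRINT line drops the const from the `const u_char *p` parameter shown in the hunk header, mirroring the existing sites rather than fixing them.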
@@ -370,6 +375,8 @@ snap_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen,
register int ret;
ND_TCHECK2(*p, 5);
+ if (caplen < 5 || length < 5)
+ goto trunc;
orgcode = EXTRACT_24BITS(p);
et = EXTRACT_16BITS(p + 3);
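Review bot: `ND_TCHECK2(*p, 5)` on the line before the added check already guards the 5 bytes against the captured data, so the `caplen < 5` half of `if (caplen < 5 || length < 5)` is presumably redundant and only `length < 5` adds protection, against `length-5` underflowing later in snap_print. That is harmless, but a comment would keep the next reader from wondering which of the two is the real guard: `/* ND_TCHECK2 covers caplen; also require the on-the-wire length to hold the SNAP header so length-5 cannot underflow. */`. The `trunc` label this jumps to is outside the hunk.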