summaryrefslogtreecommitdiffstats
path: root/contrib/tcpdump
Commit message (Collapse)AuthorAgeFilesLines
* Merge remote-tracking branch 'origin/stable/11' into devel-11Luiz Souza2018-01-10107-1684/+3522
|\
| * MFC r326613: Update tcpdump to 4.9.2emaste2017-12-27107-1683/+3521
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It contains many fixes, including bounds checking, buffer overflows (in SLIP and bittok2str_internal), buffer over-reads, and infinite loops. One other notable change: Do not use getprotobynumber() for protocol name resolution. Do not do any protocol name resolution if -n is specified. Relnotes: Yes Security: CVE-2017-11108, CVE-2017-11541, CVE-2017-11542 Security: CVE-2017-11543, CVE-2017-12893, CVE-2017-12894 Security: CVE-2017-12895, CVE-2017-12896, CVE-2017-12897 Security: CVE-2017-12898, CVE-2017-12899, CVE-2017-12900 Security: CVE-2017-12901, CVE-2017-12902, CVE-2017-12985 Security: CVE-2017-12986, CVE-2017-12987, CVE-2017-12988 Security: CVE-2017-12989, CVE-2017-12990, CVE-2017-12991 Security: CVE-2017-12992, CVE-2017-12993, CVE-2017-12994 Security: CVE-2017-12995, CVE-2017-12996, CVE-2017-12997 Security: CVE-2017-12998, CVE-2017-12999, CVE-2017-13000 Security: CVE-2017-13001, CVE-2017-13002, CVE-2017-13003 Security: CVE-2017-13004, CVE-2017-13005, CVE-2017-13006 Security: CVE-2017-13007, CVE-2017-13008, CVE-2017-13009 Security: CVE-2017-13010, CVE-2017-13011, CVE-2017-13012 Security: CVE-2017-13013, CVE-2017-13014, CVE-2017-13015 Security: CVE-2017-13016, CVE-2017-13017, CVE-2017-13018 Security: CVE-2017-13019, CVE-2017-13020, CVE-2017-13021 Security: CVE-2017-13022, CVE-2017-13023, CVE-2017-13024 Security: CVE-2017-13025, CVE-2017-13026, CVE-2017-13027 Security: CVE-2017-13028, CVE-2017-13029, CVE-2017-13030 Security: CVE-2017-13031, CVE-2017-13032, CVE-2017-13033 Security: CVE-2017-13034, CVE-2017-13035, CVE-2017-13036 Security: CVE-2017-13037, CVE-2017-13038, CVE-2017-13039 Security: CVE-2017-13040, CVE-2017-13041, CVE-2017-13042 Security: CVE-2017-13043, CVE-2017-13044, CVE-2017-13045 Security: CVE-2017-13046, CVE-2017-13047, CVE-2017-13048 Security: CVE-2017-13049, CVE-2017-13050, CVE-2017-13051 Security: CVE-2017-13052, CVE-2017-13053, CVE-2017-13054 Security: CVE-2017-13055, CVE-2017-13687, CVE-2017-13688 Security: CVE-2017-13689, CVE-2017-13690, CVE-2017-13725
| * MFC r317409 by glebius:emaste2017-12-271-1/+1
| | | | | | | | | | Cherry-pick 5d3c5151c2b885aab36627bafb8539238da27b2d, it fixes use after free if tcpdump(1) is run on non-existent interface.
* | Fix a few bugs in the commit 01a697b38d55406857d04f6b92d9aaf15e492384Luiz Souza2017-07-123-5/+4
| | | | | | | | Importing pfSense patch tcpdump.pfsync.diff
* | Importing pfSense patch tcpdump.pfsync.diffRenato Botelho2017-02-233-6/+9
|/
* Merge r309649, r313048, r313083, r313104:glebius2017-02-10233-9161/+14536
| | | | tcpdump 4.9.0
* MFC r311570:dim2017-01-111-2/+2
| | | | | | | | | In tcpdump's print-tcp.c, avoid increasing alignment when taking the addresses of members of struct ip, which is packed. Since the pointers are only used for memcmp'ing, they can be pointing to void instead. Note that upstream has removed the src and dst variables, in the mean time.
* The code responsible for opening and rotating pcap files is independentoshogbo2016-06-081-16/+16
| | | | | | | | of Capser and should use openat(2) unconditionally on FreeBSD. openat(2) is mandatory when sandboxed with Capsicum, but still works in the absence of Capsicum. Reviewed by: AllanJude
* Fix spelling of the casper introduced in the r296047.oshogbo2016-06-084-33/+33
| | | | | PR: 210031 Reported by: AllanJude, jmallett
* Convert casperd(8) daemon to the libcasper.oshogbo2016-02-255-43/+40
| | | | | | | | | | | | | | | | | | | | After calling the cap_init(3) function Casper will fork from it's original process, using pdfork(2). Forking from a process has a lot of advantages: 1. We have the same cwd as the original process. 2. The same uid, gid and groups. 3. The same MAC labels. 4. The same descriptor table. 5. The same routing table. 6. The same umask. 7. The same cpuset(1). From now services are also in form of libraries. We also removed libcapsicum at all and converts existing program using Casper to new architecture. Discussed with: pjd, jonathan, ed, drysdale@google.com, emaste Partially reviewed by: drysdale@google.com, bdrewery Approved by: pjd (mentor) Differential Revision: https://reviews.freebsd.org/D4277
* MFV r285292:pkelsey2015-07-081-1/+4
| | | | | | | | | | | | | | | | | | Merge upstream fix to eliminate build-breaking gcc warnings of no importance. commit: cab33b7a0acba7d2268a23c4383be6167106e549 Update ND_TTEST2 to fix issue 443 Add IS_NOT_NEGATIVE macro. Avoid these warnings: - comparison of unsigned expression >= 0 is always true [-Wtype-limits], - comparison is always true due to limited range of data type [-Wtype-limits]. Reviewed by: adrian Approved by: jmallett (mentor) MFC after: 1 month
* MFV r285191: tcpdump 4.7.4.pkelsey2015-07-0895-2063/+4416
|\ | | | | | | | | | | | | | | | | | | | | Also, the changes made in r272451 and r272653 that were lost in the merge of 4.6.2 (r276788) have been restored. PR: 199568 Differential Revision: https://reviews.freebsd.org/D3007 Reviewed by: brooks, hiren Approved by: jmallett (mentor) MFC after: 1 month
* | Let the nv.h and dnv.h includes be only in sys directory.oshogbo2015-07-021-1/+1
| | | | | | | | | | | | | | Change consumers to include those files from sys. Add duplicated files to ObsoleteFiles. Approved by: pjd (mentor)
* | Remove "capability mode sandbox enabled" messages.brooks2015-05-041-2/+0
| | | | | | | | | | | | | | | | | | | | | | These messages serve little purpose and break some consumers. PR: 199855 Differential Revision: https://reviews.freebsd.org/D2440 Reviewed by: rwatson Approved by: pjd MFC after: 1 week Sponsored by: DARPA, AFRL
* | Merge from CheriBSD: 1065cf515a7c2062598009c1318055aacbb39e80brooks2015-04-244-105/+111
| | | | | | | | | | | | | | | | Convert the pfsync dissector to use the netdissect framework. Differential Revision: https://reviews.freebsd.org/D2359 Reviewed by: glebius Sponsored by: DARPA, AFRL
* | MFV r277981:pfg2015-01-312-5/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Upstream fixes for issues found with afl (Issue #417). - Fix length checking. Check both the captured length and the on-the-wire length (the latter *should* be greater than or equal to the former, but that's not guaranteed). Add some additional length checks, so neither caplen nor length underflow. If we stop dissecting because the packet is too short, return 1, not 0, as we've "dissected" what we can; 0 means "this is LLC+SNAP with an OUI of 0 and an unknown Ethertype". commit: 743bcecdc92f88b118ec7aac4f68b606601205cc - Clean up length checks. Check only the amount of length that matters at any given point; yes, this means we do multiple checks, but so it goes. We don't need to check for LLC+SNAP - llc_print() does that for us. We do, however, need to check to make sure we can safely skip the Fore header. commit: 5c65e7532fa16308e01299988852b0dc5b027559
* | MFV r277782:pfg2015-01-272-5/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Merge some cherry-picked fixes originating in OpenBSD Check whether the version field is available before looking at it. While we're at it, use ND_TCHECK(), rather than a hand-rolled check, to check whether we have the full fixed-length portion of the IPv4 header. commit c67afe913011138a2504ec4d3d423b48e73b12f3 Do more length checking. From OpenBSD. commit d7516761f9c4877bcb05bb6543be3543e165249
* | Don't include libcapsicum headers when requested.delphij2015-01-241-3/+3
| | | | | | | | | | | | Reported by: luigi MFC after: 14 days X-MFC-with: r276788
* | MFV r276761: tcpdump 4.6.2.delphij2015-01-07273-25301/+30584
|\ \ | |/ | | | | MFC after: 1 month
* | Fix comment and sort rights by nameluigi2014-10-061-4/+4
| | | | | | | | MFC after: 3 days
* | add CAP_EVENT for the libpcap device so we will be able to useluigi2014-10-021-1/+6
| | | | | | | | | | | | pcap--netmap which does poll() on the file descriptor MFC after: 2 weeks
* | Update most userspace consumers of capability.h to use capsicum.h instead.rwatson2014-03-161-1/+1
| | | | | | | | | | | | | | auditdistd is not updated as I will make the change upstream and then do a vendor import sometime in the next week or two. MFC after: 3 weeks
* | Fix build with WITHOUT_CAPSICUM.gjb2013-12-211-0/+2
| | | | | | | | | | Submitted by: dt71 gmx com Sponsored by: The FreeBSD Foundation
* | If we cannot connect to casperd we don't enter sandbox, but if we can connectpjd2013-12-191-14/+6
| | | | | | | | | | | | | | | | to casperd, but we cannot access the service we need we exit with an error. This should not happen and just indicates some configuration error which should be fixed, so we force the user to do it by failing. Discussed with: emaste
* | Make use of casperd's system.dns service when running without the -n option.pjd2013-12-152-3/+82
| | | | | | | | | | | | Now tcpdump(8) is sandboxed even if DNS resolution is required. Sponsored by: The FreeBSD Foundation
* | MFV: removes strict-aliasing warnings from GCC in tcpdump.pfg2013-11-251-14/+39
| | | | | | | | | | | | Reported by: tinderbox (gjb) Submitted by: glebius MFC after: 2 weeks
* | Make userland tools honor WITHOUT_PF build option.glebius2013-10-291-0/+2
| | | | | | | | Tested by: dt71@gmx.com
* | Change the cap_rights_t type from uint64_t to a structure that we can extendpjd2013-09-051-13/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | in the future in a backward compatible (API and ABI) way. The cap_rights_t represents capability rights. We used to use one bit to represent one right, but we are running out of spare bits. Currently the new structure provides place for 114 rights (so 50 more than the previous cap_rights_t), but it is possible to grow the structure to hold at least 285 rights, although we can make it even larger if 285 rights won't be enough. The structure definition looks like this: struct cap_rights { uint64_t cr_rights[CAP_RIGHTS_VERSION + 2]; }; The initial CAP_RIGHTS_VERSION is 0. The top two bits in the first element of the cr_rights[] array contain total number of elements in the array - 2. This means if those two bits are equal to 0, we have 2 array elements. The top two bits in all remaining array elements should be 0. The next five bits in all array elements contain array index. Only one bit is used and bit position in this five-bits range defines array index. This means there can be at most five array elements in the future. To define new right the CAPRIGHT() macro must be used. The macro takes two arguments - an array index and a bit to set, eg. #define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL) We still support aliases that combine few rights, but the rights have to belong to the same array element, eg: #define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL) #define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL) #define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP) There is new API to manage the new cap_rights_t structure: cap_rights_t *cap_rights_init(cap_rights_t *rights, ...); void cap_rights_set(cap_rights_t *rights, ...); void cap_rights_clear(cap_rights_t *rights, ...); bool cap_rights_is_set(const cap_rights_t *rights, ...); bool cap_rights_is_valid(const cap_rights_t *rights); void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src); void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src); bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little); Capability rights to the cap_rights_init(), cap_rights_set(), cap_rights_clear() and cap_rights_is_set() functions are provided by separating them with commas, eg: cap_rights_t rights; cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT); There is no need to terminate the list of rights, as those functions are actually macros that take care of the termination, eg: #define cap_rights_set(rights, ...) \ __cap_rights_set((rights), __VA_ARGS__, 0ULL) void __cap_rights_set(cap_rights_t *rights, ...); Thanks to using one bit as an array index we can assert in those functions that there are no two rights belonging to different array elements provided together. For example this is illegal and will be detected, because CAP_LOOKUP belongs to element 0 and CAP_PDKILL to element 1: cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL); Providing several rights that belongs to the same array's element this way is correct, but is not advised. It should only be used for aliases definition. This commit also breaks compatibility with some existing Capsicum system calls, but I see no other way to do that. This should be fine as Capsicum is still experimental and this change is not going to 9.x. Sponsored by: The FreeBSD Foundation
* | When using tcpdump -I -i wlanN and wlanN is not a monitor mode VAP,rpaulo2013-07-311-0/+23
| | | | | | | | | | | | tcpdump will print an error message saying rfmon is not supported. Give a concise explanation as to how one might solve this problem by creating a monitor mode VAP.
* | Sandbox tcpdump(8) using Capsicum's capability mode and capabilities.pjd2013-07-071-1/+124
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For now, sandboxing is done only if -n option was specified and neither -z nor -V options were given. Because it is very common to run tcpdump(8) with the -n option for speed, I decided to commit sandboxing now. To also support sandboxing when -n option wasn't specified, we need Casper daemon and its services that are not available in FreeBSD yet. - Limit file descriptors of a file specified by -r option or files specified via -V option to CAP_READ only. - If neither -r nor -V options were specified, we operate on /dev/bpf. Limit its descriptor to CAP_READ and CAP_IOCTL plus limit allowed ioctls to BIOCGSTATS only. - Limit file descriptor of a file specified by -w option to CAP_SEEK and CAP_WRITE. - If either -C or -G options were specified, we open directory containing destination file and we limit directory descriptor to CAP_CREATE, CAP_FCNTL, CAP_FTRUNCATE, CAP_LOOKUP, CAP_SEEK and CAP_WRITE. Newly opened/created files are limited to CAP_SEEK and CAP_WRITE only. - Enter capability mode if -n option was specified and neither -z nor -V options were specified. Approved by: delphij, wxs Sponsored by: The FreeBSD Foundation
* | MFV: Redo the fixup using the submitted version accepted by upstream.delphij2013-05-311-3/+1
| |
* | Diff reduction against tcpdump revision ↵delphij2013-05-301-2/+1
| | | | | | | | 949a22064d3534eddeb8aa2b9c36a50e45fe16fa.
* | MFV: tcpdump 4.4.0.delphij2013-05-3039-7877/+4631
|\ \ | |/ | | | | MFC after: 4 weeks
* | Clean some 'svn:executable' properties in the tree.pfg2013-01-267-0/+0
| | | | | | | | | | Submitted by: Christoph Mallon MFC after: 3 days
* | Clean up hardcoded ar(1) flags in the tree to use the global ARFLAGS ineadler2012-12-061-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | share/mk/sys.mk instead. This is part of a medium term project to permit deterministic builds of FreeBSD. Submitted by: Erik Cederstrand <erik@cederstrand.dk> Reviewed by: imp, toolchain@ Approved by: cperciva MFC after: 2 weeks
* | MFV: tcpdump 4.3.0.delphij2012-10-0528-355/+1079
|\ \ | |/ | | | | MFC after: 4 weeks
* | Provide ability for printing and decoding pfsync(4) traffic. Thisglebius2012-10-054-0/+457
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | doesn't mean supporting IFT_PFSYNC (which I hope will eventually die). This means decoding packets with IP protocol of 240 caught on any normal interface like Ethernet. The code is based on couple of files from OpenBSD, significantly modified by myself. Parser differentiates for four levels of verbosity: no -v, -v, -vv and -vvv. We don't yet forward this code upstream, because currently it strongly relies on if_pfsync.h and even on pfvar.h. I hope that this can be fixed in future. Reviewed by: gnn, delphij
* | Merge tcpdump 4.2.1.delphij2012-05-17164-34297/+5055
|\ \ | |/ | | | | MFC after: 2 weeks
* | Fix incorrect uses of sizeof().kevlo2011-12-286-8/+8
| | | | | | | | | | The details of the fix can be found in the tcpdump git repository: commit 684955d58611ee94eccdc34e82b32e676337188c
* | In contrib/tcpdump/print-icmp6.c, fix a problem where the comparisondim2011-12-191-8/+7
| | | | | | | | | | | | | | | | against icmp6_hdr::icmp6_type is done incorrectly. (This fix has already been applied upstream, but we do not have the latest version of tcpdump.) MFC after: 1 week
* | Remove useless stuff.rpaulo2010-10-2815-2008/+0
| |
* | Merge tcpdump-4.1.1.rpaulo2010-10-28201-3086/+38522
|\ \ | |/
* | Add parsing code for TCP UTO (User Timeout Option).rpaulo2009-10-072-0/+14
| | | | | | | | | | Submitted by: fangwang@ Obtained from: //depot/projects/soc2009/tcputo/
* | correct IEEE80211_RADIOTAP_XCHANNEL to match systemsam2009-07-151-1/+1
| | | | | | | | | | Submitted by: Guy Harris Approved by: re (kib)
* | Updates, mostly to add 802.11s support:sam2009-07-142-38/+273
| | | | | | | | | | | | | | | | | | | | o add missing Status and Reason codes o parse/display Action frames o parse/display Mesh data frames o parse/display BA frames Reviewed by: rpaulo Approved by: re (kib)
* | Fix WITHOUT_IPV6=yes build.rpaulo2009-03-211-0/+2
| | | | | | | | Reported by: Andrzej Tobola ato at iem.pw.edu.pl
* | Merge tcpdump 4.0.0 from the vendor branch.rpaulo2009-03-21293-8578/+11822
|\ \ | |/
| * Flatten vendor/tcpdump and remove keyword expansion.rpaulo2009-03-20316-106740/+0
| |
* | Fix a path.rpaulo2009-03-211-1/+1
| |
* | Exclude list for tcpdump imports.rpaulo2009-03-211-0/+3
| |
OpenPOWER on IntegriCloud