diff options
| author | Gleb Smirnoff <glebius@FreeBSD.org> | 2017-02-01 20:26:42 +0000 |
|---|---|---|
| committer | Gleb Smirnoff <glebius@FreeBSD.org> | 2017-02-01 20:26:42 +0000 |
| commit | 3340d77368116708ab5b5b95acf6c9c710528300 (patch) | |
| tree | 811e83fd724dc565485db80039bf234ece065b10 /contrib/tcpdump/print-babel.c | |
| parent | 151139ad9e119116ae3692d0b8dd13baf691d55e (diff) | |
| parent | d79b843cb78484ea27f877f1541055e1a6a5a4d3 (diff) | |
| download | src-3340d77368116708ab5b5b95acf6c9c710528300.tar.gz src-3340d77368116708ab5b5b95acf6c9c710528300.zip | |
Update tcpdump to 4.9.0.
It fixes many buffer overflow in different protocol parsers, but none of
them are critical, even in absense of Capsicum.
Security: CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925
Security: CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929
Security: CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933
Security: CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937
Security: CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973
Security: CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984
Security: CVE-2016-7985, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993
Security: CVE-2016-8574, CVE-2016-8575, CVE-2017-5202, CVE-2017-5203
Security: CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342
Security: CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485
Security: CVE-2017-5486
Notes
Notes:
svn path=/head/; revision=313048
Diffstat (limited to 'contrib/tcpdump/print-babel.c')
| -rw-r--r-- | contrib/tcpdump/print-babel.c | 187 |
1 files changed, 149 insertions, 38 deletions
diff --git a/contrib/tcpdump/print-babel.c b/contrib/tcpdump/print-babel.c index 75cb32cf19e9..f8741d7bfd19 100644 --- a/contrib/tcpdump/print-babel.c +++ b/contrib/tcpdump/print-babel.c @@ -26,17 +26,18 @@ * SUCH DAMAGE. */ -#define NETDISSECT_REWORKED +/* \summary: Babel Routing Protocol printer */ + #ifdef HAVE_CONFIG_H #include "config.h" #endif -#include <tcpdump-stdinc.h> +#include <netdissect-stdinc.h> #include <stdio.h> #include <string.h> -#include "interface.h" +#include "netdissect.h" #include "addrtoname.h" #include "extract.h" @@ -53,7 +54,7 @@ babel_print(netdissect_options *ndo, ND_TCHECK2(*cp, 4); if(cp[0] != 42) { - ND_PRINT((ndo, " malformed header")); + ND_PRINT((ndo, " invalid header")); return; } else { ND_PRINT((ndo, " %d", cp[1])); @@ -89,6 +90,9 @@ babel_print(netdissect_options *ndo, #define MESSAGE_MH_REQUEST 10 #define MESSAGE_TSPC 11 #define MESSAGE_HMAC 12 +#define MESSAGE_UPDATE_SRC_SPECIFIC 13 +#define MESSAGE_REQUEST_SRC_SPECIFIC 14 +#define MESSAGE_MH_REQUEST_SRC_SPECIFIC 15 /* sub-TLVs */ #define MESSAGE_SUB_PAD1 0 @@ -123,11 +127,7 @@ format_prefix(netdissect_options *ndo, const u_char *prefix, unsigned char plen) if(plen >= 96 && memcmp(prefix, v4prefix, 12) == 0) snprintf(buf, 50, "%s/%u", ipaddr_string(ndo, prefix + 12), plen - 96); else -#ifdef INET6 snprintf(buf, 50, "%s/%u", ip6addr_string(ndo, prefix), plen); -#else - snprintf(buf, 50, "IPv6 addresses not supported"); -#endif buf[49] = '\0'; return buf; } @@ -138,11 +138,7 @@ format_address(netdissect_options *ndo, const u_char *prefix) if(memcmp(prefix, v4prefix, 12) == 0) return ipaddr_string(ndo, prefix + 12); else -#ifdef INET6 return ip6addr_string(ndo, prefix); -#else - return "IPv6 addresses not supported"; -#endif } static const char * @@ -284,10 +280,10 @@ subtlvs_print(netdissect_options *ndo, continue; } if(cp == ep) - goto corrupt; + goto invalid; sublen = *cp++; if(cp + sublen > ep) - goto corrupt; + goto invalid; switch(subtype) { case MESSAGE_SUB_PADN: @@ -305,19 +301,20 @@ subtlvs_print(netdissect_options *ndo, ND_PRINT((ndo, "%s%s", sep, tok2str(diversity_str, "%u", *cp++))); sep = "-"; } - if(tlv_type != MESSAGE_UPDATE) + if(tlv_type != MESSAGE_UPDATE && + tlv_type != MESSAGE_UPDATE_SRC_SPECIFIC) ND_PRINT((ndo, " (bogus)")); break; case MESSAGE_SUB_TIMESTAMP: ND_PRINT((ndo, " sub-timestamp")); if(tlv_type == MESSAGE_HELLO) { if(sublen < 4) - goto corrupt; + goto invalid; t1 = EXTRACT_32BITS(cp); ND_PRINT((ndo, " %s", format_timestamp(t1))); } else if(tlv_type == MESSAGE_IHU) { if(sublen < 8) - goto corrupt; + goto invalid; t1 = EXTRACT_32BITS(cp); ND_PRINT((ndo, " %s", format_timestamp(t1))); t2 = EXTRACT_32BITS(cp + 4); @@ -333,12 +330,12 @@ subtlvs_print(netdissect_options *ndo, } /* while */ return; - corrupt: - ND_PRINT((ndo, " (corrupt)")); + invalid: + ND_PRINT((ndo, "%s", istr)); } #define ICHECK(i, l) \ - if ((i) + (l) > bodylen || (i) + (l) > length) goto corrupt; + if ((i) + (l) > bodylen || (i) + (l) > length) goto invalid; static void babel_print_v2(netdissect_options *ndo, @@ -352,7 +349,7 @@ babel_print_v2(netdissect_options *ndo, ND_TCHECK2(*cp, 4); if (length < 4) - goto corrupt; + goto invalid; bodylen = EXTRACT_16BITS(cp + 2); ND_PRINT((ndo, " (%u)", bodylen)); @@ -393,7 +390,7 @@ babel_print_v2(netdissect_options *ndo, ND_PRINT((ndo, " ack-req")); else { ND_PRINT((ndo, "\n\tAcknowledgment Request ")); - if(len < 6) goto corrupt; + if(len < 6) goto invalid; nonce = EXTRACT_16BITS(message + 4); interval = EXTRACT_16BITS(message + 6); ND_PRINT((ndo, "%04x %s", nonce, format_interval(interval))); @@ -407,7 +404,7 @@ babel_print_v2(netdissect_options *ndo, ND_PRINT((ndo, " ack")); else { ND_PRINT((ndo, "\n\tAcknowledgment ")); - if(len < 2) goto corrupt; + if(len < 2) goto invalid; nonce = EXTRACT_16BITS(message + 2); ND_PRINT((ndo, "%04x", nonce)); } @@ -420,7 +417,7 @@ babel_print_v2(netdissect_options *ndo, ND_PRINT((ndo, " hello")); else { ND_PRINT((ndo, "\n\tHello ")); - if(len < 6) goto corrupt; + if(len < 6) goto invalid; seqno = EXTRACT_16BITS(message + 4); interval = EXTRACT_16BITS(message + 6); ND_PRINT((ndo, "seqno %u interval %s", seqno, format_interval(interval))); @@ -439,7 +436,7 @@ babel_print_v2(netdissect_options *ndo, u_char address[16]; int rc; ND_PRINT((ndo, "\n\tIHU ")); - if(len < 6) goto corrupt; + if(len < 6) goto invalid; txcost = EXTRACT_16BITS(message + 4); interval = EXTRACT_16BITS(message + 6); rc = network_address(message[2], message + 8, len - 6, address); @@ -459,7 +456,7 @@ babel_print_v2(netdissect_options *ndo, ND_PRINT((ndo, " router-id")); else { ND_PRINT((ndo, "\n\tRouter Id")); - if(len < 10) goto corrupt; + if(len < 10) goto invalid; ND_PRINT((ndo, " %s", format_id(message + 4))); } } @@ -472,9 +469,9 @@ babel_print_v2(netdissect_options *ndo, int rc; u_char nh[16]; ND_PRINT((ndo, "\n\tNext Hop")); - if(len < 2) goto corrupt; + if(len < 2) goto invalid; rc = network_address(message[2], message + 4, len - 2, nh); - if(rc < 0) goto corrupt; + if(rc < 0) goto invalid; ND_PRINT((ndo, " %s", format_address(ndo, nh))); } } @@ -496,13 +493,13 @@ babel_print_v2(netdissect_options *ndo, int rc; u_char prefix[16]; ND_PRINT((ndo, "\n\tUpdate")); - if(len < 10) goto corrupt; + if(len < 10) goto invalid; plen = message[4] + (message[2] == 1 ? 96 : 0); rc = network_prefix(message[2], message[4], message[5], message + 12, message[2] == 1 ? v4_prefix : v6_prefix, len - 10, prefix); - if(rc < 0) goto corrupt; + if(rc < 0) goto invalid; interval = EXTRACT_16BITS(message + 6); seqno = EXTRACT_16BITS(message + 8); metric = EXTRACT_16BITS(message + 10); @@ -532,11 +529,11 @@ babel_print_v2(netdissect_options *ndo, int rc; u_char prefix[16], plen; ND_PRINT((ndo, "\n\tRequest ")); - if(len < 2) goto corrupt; + if(len < 2) goto invalid; plen = message[3] + (message[2] == 1 ? 96 : 0); rc = network_prefix(message[2], message[3], 0, message + 4, NULL, len - 2, prefix); - if(rc < 0) goto corrupt; + if(rc < 0) goto invalid; ND_PRINT((ndo, "for %s", message[2] == 0 ? "any" : format_prefix(ndo, prefix, plen))); } @@ -551,11 +548,11 @@ babel_print_v2(netdissect_options *ndo, u_short seqno; u_char prefix[16], plen; ND_PRINT((ndo, "\n\tMH-Request ")); - if(len < 14) goto corrupt; + if(len < 14) goto invalid; seqno = EXTRACT_16BITS(message + 4); rc = network_prefix(message[2], message[3], 0, message + 16, NULL, len - 14, prefix); - if(rc < 0) goto corrupt; + if(rc < 0) goto invalid; plen = message[3] + (message[2] == 1 ? 96 : 0); ND_PRINT((ndo, "(%u hops) for %s seqno %u id %s", message[6], format_prefix(ndo, prefix, plen), @@ -568,7 +565,7 @@ babel_print_v2(netdissect_options *ndo, ND_PRINT((ndo, " tspc")); else { ND_PRINT((ndo, "\n\tTS/PC ")); - if(len < 6) goto corrupt; + if(len < 6) goto invalid; ND_PRINT((ndo, "timestamp %u packetcounter %u", EXTRACT_32BITS (message + 4), EXTRACT_16BITS(message + 2))); } @@ -579,13 +576,127 @@ babel_print_v2(netdissect_options *ndo, else { unsigned j; ND_PRINT((ndo, "\n\tHMAC ")); - if(len < 18) goto corrupt; + if(len < 18) goto invalid; ND_PRINT((ndo, "key-id %u digest-%u ", EXTRACT_16BITS(message + 2), len - 2)); for (j = 0; j < len - 2; j++) ND_PRINT((ndo, "%02X", message[4 + j])); } } break; + + case MESSAGE_UPDATE_SRC_SPECIFIC : { + if(!ndo->ndo_vflag) { + ND_PRINT((ndo, " ss-update")); + } else { + u_char prefix[16], src_prefix[16]; + u_short interval, seqno, metric; + u_char ae, plen, src_plen, omitted; + int rc; + int parsed_len = 10; + ND_PRINT((ndo, "\n\tSS-Update")); + if(len < 10) goto invalid; + ae = message[2]; + src_plen = message[3]; + plen = message[4]; + omitted = message[5]; + interval = EXTRACT_16BITS(message + 6); + seqno = EXTRACT_16BITS(message + 8); + metric = EXTRACT_16BITS(message + 10); + rc = network_prefix(ae, plen, omitted, message + 2 + parsed_len, + ae == 1 ? v4_prefix : v6_prefix, + len - parsed_len, prefix); + if(rc < 0) goto invalid; + if(ae == 1) + plen += 96; + parsed_len += rc; + rc = network_prefix(ae, src_plen, 0, message + 2 + parsed_len, + NULL, len - parsed_len, src_prefix); + if(rc < 0) goto invalid; + if(ae == 1) + src_plen += 96; + parsed_len += rc; + + ND_PRINT((ndo, " %s from", format_prefix(ndo, prefix, plen))); + ND_PRINT((ndo, " %s metric %u seqno %u interval %s", + format_prefix(ndo, src_prefix, src_plen), + metric, seqno, format_interval_update(interval))); + /* extra data? */ + if((u_int)parsed_len < len) + subtlvs_print(ndo, message + 2 + parsed_len, + message + 2 + len, type); + } + } + break; + + case MESSAGE_REQUEST_SRC_SPECIFIC : { + if(!ndo->ndo_vflag) + ND_PRINT((ndo, " ss-request")); + else { + int rc, parsed_len = 3; + u_char ae, plen, src_plen, prefix[16], src_prefix[16]; + ND_PRINT((ndo, "\n\tSS-Request ")); + if(len < 3) goto invalid; + ae = message[2]; + plen = message[3]; + src_plen = message[4]; + rc = network_prefix(ae, plen, 0, message + 2 + parsed_len, + NULL, len - parsed_len, prefix); + if(rc < 0) goto invalid; + if(ae == 1) + plen += 96; + parsed_len += rc; + rc = network_prefix(ae, src_plen, 0, message + 2 + parsed_len, + NULL, len - parsed_len, src_prefix); + if(rc < 0) goto invalid; + if(ae == 1) + src_plen += 96; + parsed_len += rc; + if(ae == 0) { + ND_PRINT((ndo, "for any")); + } else { + ND_PRINT((ndo, "for (%s, ", format_prefix(ndo, prefix, plen))); + ND_PRINT((ndo, "%s)", format_prefix(ndo, src_prefix, src_plen))); + } + } + } + break; + + case MESSAGE_MH_REQUEST_SRC_SPECIFIC : { + if(!ndo->ndo_vflag) + ND_PRINT((ndo, " ss-mh-request")); + else { + int rc, parsed_len = 14; + u_short seqno; + u_char ae, plen, src_plen, prefix[16], src_prefix[16], hopc; + const u_char *router_id = NULL; + ND_PRINT((ndo, "\n\tSS-MH-Request ")); + if(len < 14) goto invalid; + ae = message[2]; + plen = message[3]; + seqno = EXTRACT_16BITS(message + 4); + hopc = message[6]; + src_plen = message[7]; + router_id = message + 8; + rc = network_prefix(ae, plen, 0, message + 2 + parsed_len, + NULL, len - parsed_len, prefix); + if(rc < 0) goto invalid; + if(ae == 1) + plen += 96; + parsed_len += rc; + rc = network_prefix(ae, src_plen, 0, message + 2 + parsed_len, + NULL, len - parsed_len, src_prefix); + if(rc < 0) goto invalid; + if(ae == 1) + src_plen += 96; + ND_PRINT((ndo, "(%u hops) for (%s, ", + hopc, format_prefix(ndo, prefix, plen))); + ND_PRINT((ndo, "%s) seqno %u id %s", + format_prefix(ndo, src_prefix, src_plen), + seqno, format_id(router_id))); + } + } + break; + default: if (!ndo->ndo_vflag) ND_PRINT((ndo, " unknown")); @@ -600,7 +711,7 @@ babel_print_v2(netdissect_options *ndo, ND_PRINT((ndo, " %s", tstr)); return; - corrupt: - ND_PRINT((ndo, " (corrupt)")); + invalid: + ND_PRINT((ndo, "%s", istr)); return; } |