]> The Tcpdump Group git mirrors - tcpdump/blob - print-mobility.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
More bounds checking when fetching addresses and converting to strings.
[tcpdump] / print-mobility.c
1 /*
2 * Copyright (C) 2002 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 */
29
30 /* \summary: IPv6 mobility printer */
31 /* RFC 3775 */
32
33 #ifdef HAVE_CONFIG_H
34 #include <config.h>
35 #endif
36
37 #include "netdissect-stdinc.h"
38
39 #include "netdissect.h"
40 #include "addrtoname.h"
41 #include "extract.h"
42
43 #include "ip6.h"
44
45
46 /* Mobility header */
47 struct ip6_mobility {
48 nd_uint8_t ip6m_pproto; /* following payload protocol (for PG) */
49 nd_uint8_t ip6m_len; /* length in units of 8 octets */
50 nd_uint8_t ip6m_type; /* message type */
51 nd_uint8_t reserved; /* reserved */
52 nd_uint16_t ip6m_cksum; /* sum of IPv6 pseudo-header and MH */
53 union {
54 nd_uint16_t ip6m_un_data16[1]; /* type-specific field */
55 nd_uint8_t ip6m_un_data8[2]; /* type-specific field */
56 } ip6m_dataun;
57 };
58
59 #define ip6m_data16 ip6m_dataun.ip6m_un_data16
60 #define ip6m_data8 ip6m_dataun.ip6m_un_data8
61
62 #define IP6M_MINLEN 8
63
64 /* https://www.iana.org/assignments/mobility-parameters/mobility-parameters.xhtml */
65
66 /* message type */
67 #define IP6M_BINDING_REQUEST 0 /* Binding Refresh Request */
68 #define IP6M_HOME_TEST_INIT 1 /* Home Test Init */
69 #define IP6M_CAREOF_TEST_INIT 2 /* Care-of Test Init */
70 #define IP6M_HOME_TEST 3 /* Home Test */
71 #define IP6M_CAREOF_TEST 4 /* Care-of Test */
72 #define IP6M_BINDING_UPDATE 5 /* Binding Update */
73 #define IP6M_BINDING_ACK 6 /* Binding Acknowledgement */
74 #define IP6M_BINDING_ERROR 7 /* Binding Error */
75 #define IP6M_MAX 7
76
77 static const struct tok ip6m_str[] = {
78 { IP6M_BINDING_REQUEST, "BRR" },
79 { IP6M_HOME_TEST_INIT, "HoTI" },
80 { IP6M_CAREOF_TEST_INIT, "CoTI" },
81 { IP6M_HOME_TEST, "HoT" },
82 { IP6M_CAREOF_TEST, "CoT" },
83 { IP6M_BINDING_UPDATE, "BU" },
84 { IP6M_BINDING_ACK, "BA" },
85 { IP6M_BINDING_ERROR, "BE" },
86 { 0, NULL }
87 };
88
89 static const unsigned ip6m_hdrlen[IP6M_MAX + 1] = {
90 IP6M_MINLEN, /* IP6M_BINDING_REQUEST */
91 IP6M_MINLEN + 8, /* IP6M_HOME_TEST_INIT */
92 IP6M_MINLEN + 8, /* IP6M_CAREOF_TEST_INIT */
93 IP6M_MINLEN + 16, /* IP6M_HOME_TEST */
94 IP6M_MINLEN + 16, /* IP6M_CAREOF_TEST */
95 IP6M_MINLEN + 4, /* IP6M_BINDING_UPDATE */
96 IP6M_MINLEN + 4, /* IP6M_BINDING_ACK */
97 IP6M_MINLEN + 16, /* IP6M_BINDING_ERROR */
98 };
99
100 /* Mobility Header Options */
101 #define IP6MOPT_MINLEN 2
102 #define IP6MOPT_PAD1 0x0 /* Pad1 */
103 #define IP6MOPT_PADN 0x1 /* PadN */
104 #define IP6MOPT_REFRESH 0x2 /* Binding Refresh Advice */
105 #define IP6MOPT_REFRESH_MINLEN 4
106 #define IP6MOPT_ALTCOA 0x3 /* Alternate Care-of Address */
107 #define IP6MOPT_ALTCOA_MINLEN 18
108 #define IP6MOPT_NONCEID 0x4 /* Nonce Indices */
109 #define IP6MOPT_NONCEID_MINLEN 6
110 #define IP6MOPT_AUTH 0x5 /* Binding Authorization Data */
111 #define IP6MOPT_AUTH_MINLEN 12
112
113 static int
114 mobility_opt_print(netdissect_options *ndo,
115 const u_char *bp, const unsigned len)
116 {
117 unsigned i, optlen;
118
119 for (i = 0; i < len; i += optlen) {
120 ND_TCHECK_1(bp + i);
121 if (GET_U_1(bp + i) == IP6MOPT_PAD1)
122 optlen = 1;
123 else {
124 if (i + 1 < len) {
125 ND_TCHECK_1(bp + i + 1);
126 optlen = GET_U_1(bp + i + 1) + 2;
127 }
128 else
129 goto trunc;
130 }
131 if (i + optlen > len)
132 goto trunc;
133 ND_TCHECK_1(bp + i + optlen);
134
135 switch (GET_U_1(bp + i)) {
136 case IP6MOPT_PAD1:
137 ND_PRINT("(pad1)");
138 break;
139 case IP6MOPT_PADN:
140 if (len - i < IP6MOPT_MINLEN) {
141 ND_PRINT("(padn: trunc)");
142 goto trunc;
143 }
144 ND_PRINT("(padn)");
145 break;
146 case IP6MOPT_REFRESH:
147 if (len - i < IP6MOPT_REFRESH_MINLEN) {
148 ND_PRINT("(refresh: trunc)");
149 goto trunc;
150 }
151 /* units of 4 secs */
152 ND_TCHECK_2(bp + i + 2);
153 ND_PRINT("(refresh: %u)",
154 GET_BE_U_2(bp + i + 2) << 2);
155 break;
156 case IP6MOPT_ALTCOA:
157 if (len - i < IP6MOPT_ALTCOA_MINLEN) {
158 ND_PRINT("(altcoa: trunc)");
159 goto trunc;
160 }
161 ND_TCHECK_16(bp + i + 2);
162 ND_PRINT("(alt-CoA: %s)", GET_IP6ADDR_STRING(bp + i + 2));
163 break;
164 case IP6MOPT_NONCEID:
165 if (len - i < IP6MOPT_NONCEID_MINLEN) {
166 ND_PRINT("(ni: trunc)");
167 goto trunc;
168 }
169 ND_TCHECK_2(bp + i + 2);
170 ND_TCHECK_2(bp + i + 4);
171 ND_PRINT("(ni: ho=0x%04x co=0x%04x)",
172 GET_BE_U_2(bp + i + 2),
173 GET_BE_U_2(bp + i + 4));
174 break;
175 case IP6MOPT_AUTH:
176 if (len - i < IP6MOPT_AUTH_MINLEN) {
177 ND_PRINT("(auth: trunc)");
178 goto trunc;
179 }
180 ND_PRINT("(auth)");
181 break;
182 default:
183 if (len - i < IP6MOPT_MINLEN) {
184 ND_PRINT("(sopt_type %u: trunc)",
185 GET_U_1(bp + i));
186 goto trunc;
187 }
188 ND_PRINT("(type-0x%02x: len=%u)", GET_U_1(bp + i),
189 GET_U_1(bp + i + 1));
190 break;
191 }
192 }
193 return 0;
194
195 trunc:
196 return 1;
197 }
198
199 /*
200 * Mobility Header
201 */
202 int
203 mobility_print(netdissect_options *ndo,
204 const u_char *bp, const u_char *bp2 _U_)
205 {
206 const struct ip6_mobility *mh;
207 const u_char *ep;
208 unsigned mhlen, hlen;
209 uint8_t type;
210
211 ndo->ndo_protocol = "mobility";
212 mh = (const struct ip6_mobility *)bp;
213
214 /* 'ep' points to the end of available data. */
215 ep = ndo->ndo_snapend;
216
217 if (!ND_TTEST_1(mh->ip6m_len)) {
218 /*
219 * There's not enough captured data to include the
220 * mobility header length.
221 *
222 * Our caller expects us to return the length, however,
223 * so return a value that will run to the end of the
224 * captured data.
225 *
226 * XXX - "ip6_print()" doesn't do anything with the
227 * returned length, however, as it breaks out of the
228 * header-processing loop.
229 */
230 mhlen = (unsigned)(ep - bp);
231 goto trunc;
232 }
233 mhlen = (GET_U_1(mh->ip6m_len) + 1) << 3;
234
235 /* XXX ip6m_cksum */
236
237 ND_TCHECK_1(mh->ip6m_type);
238 type = GET_U_1(mh->ip6m_type);
239 if (type <= IP6M_MAX && mhlen < ip6m_hdrlen[type]) {
240 ND_PRINT("(header length %u is too small for type %u)", mhlen, type);
241 goto trunc;
242 }
243 ND_PRINT("mobility: %s", tok2str(ip6m_str, "type-#%u", type));
244 switch (type) {
245 case IP6M_BINDING_REQUEST:
246 hlen = IP6M_MINLEN;
247 break;
248 case IP6M_HOME_TEST_INIT:
249 case IP6M_CAREOF_TEST_INIT:
250 hlen = IP6M_MINLEN;
251 if (ndo->ndo_vflag) {
252 ND_TCHECK_4(bp + hlen + 4);
253 ND_PRINT(" %s Init Cookie=%08x:%08x",
254 type == IP6M_HOME_TEST_INIT ? "Home" : "Care-of",
255 GET_BE_U_4(bp + hlen),
256 GET_BE_U_4(bp + hlen + 4));
257 }
258 hlen += 8;
259 break;
260 case IP6M_HOME_TEST:
261 case IP6M_CAREOF_TEST:
262 ND_TCHECK_2(mh->ip6m_data16[0]);
263 ND_PRINT(" nonce id=0x%x", GET_BE_U_2(mh->ip6m_data16[0]));
264 hlen = IP6M_MINLEN;
265 if (ndo->ndo_vflag) {
266 ND_TCHECK_4(bp + hlen + 4);
267 ND_PRINT(" %s Init Cookie=%08x:%08x",
268 type == IP6M_HOME_TEST ? "Home" : "Care-of",
269 GET_BE_U_4(bp + hlen),
270 GET_BE_U_4(bp + hlen + 4));
271 }
272 hlen += 8;
273 if (ndo->ndo_vflag) {
274 ND_TCHECK_4(bp + hlen + 4);
275 ND_PRINT(" %s Keygen Token=%08x:%08x",
276 type == IP6M_HOME_TEST ? "Home" : "Care-of",
277 GET_BE_U_4(bp + hlen),
278 GET_BE_U_4(bp + hlen + 4));
279 }
280 hlen += 8;
281 break;
282 case IP6M_BINDING_UPDATE:
283 ND_TCHECK_2(mh->ip6m_data16[0]);
284 ND_PRINT(" seq#=%u", GET_BE_U_2(mh->ip6m_data16[0]));
285 hlen = IP6M_MINLEN;
286 ND_TCHECK_2(bp + hlen);
287 if (GET_U_1(bp + hlen) & 0xf0) {
288 ND_PRINT(" ");
289 if (GET_U_1(bp + hlen) & 0x80)
290 ND_PRINT("A");
291 if (GET_U_1(bp + hlen) & 0x40)
292 ND_PRINT("H");
293 if (GET_U_1(bp + hlen) & 0x20)
294 ND_PRINT("L");
295 if (GET_U_1(bp + hlen) & 0x10)
296 ND_PRINT("K");
297 }
298 /* Reserved (4bits) */
299 hlen += 1;
300 /* Reserved (8bits) */
301 hlen += 1;
302 ND_TCHECK_2(bp + hlen);
303 /* units of 4 secs */
304 ND_PRINT(" lifetime=%u", GET_BE_U_2(bp + hlen) << 2);
305 hlen += 2;
306 break;
307 case IP6M_BINDING_ACK:
308 ND_TCHECK_1(mh->ip6m_data8[0]);
309 ND_PRINT(" status=%u", GET_U_1(mh->ip6m_data8[0]));
310 ND_TCHECK_1(mh->ip6m_data8[1]);
311 if (GET_U_1(mh->ip6m_data8[1]) & 0x80)
312 ND_PRINT(" K");
313 /* Reserved (7bits) */
314 hlen = IP6M_MINLEN;
315 ND_TCHECK_2(bp + hlen);
316 ND_PRINT(" seq#=%u", GET_BE_U_2(bp + hlen));
317 hlen += 2;
318 ND_TCHECK_2(bp + hlen);
319 /* units of 4 secs */
320 ND_PRINT(" lifetime=%u", GET_BE_U_2(bp + hlen) << 2);
321 hlen += 2;
322 break;
323 case IP6M_BINDING_ERROR:
324 ND_TCHECK_1(mh->ip6m_data8[0]);
325 ND_PRINT(" status=%u", GET_U_1(mh->ip6m_data8[0]));
326 /* Reserved */
327 hlen = IP6M_MINLEN;
328 ND_TCHECK_16(bp + hlen);
329 ND_PRINT(" homeaddr %s", GET_IP6ADDR_STRING(bp + hlen));
330 hlen += 16;
331 break;
332 default:
333 ND_PRINT(" len=%u", GET_U_1(mh->ip6m_len));
334 return(mhlen);
335 break;
336 }
337 if (ndo->ndo_vflag)
338 if (mobility_opt_print(ndo, bp + hlen, mhlen - hlen))
339 goto trunc;
340
341 return(mhlen);
342
343 trunc:
344 nd_print_trunc(ndo);
345 return(-1);
346 }
[mirror] the TCPdump network dissector