]> The Tcpdump Group git mirrors - tcpdump/blob - print-ip6.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
IPv6: Report some invalid packets as invalid, not truncated
[tcpdump] / print-ip6.c
1 /*
2 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 */
21
22 /* \summary: IPv6 printer */
23
24 #ifdef HAVE_CONFIG_H
25 #include <config.h>
26 #endif
27
28 #include "netdissect-stdinc.h"
29
30 #include <string.h>
31
32 #include "netdissect.h"
33 #include "addrtoname.h"
34 #include "extract.h"
35
36 #include "ip6.h"
37 #include "ipproto.h"
38
39 /*
40 * If routing headers are presend and valid, set dst to the final destination.
41 * Otherwise, set it to the IPv6 destination.
42 *
43 * This is used for UDP and TCP pseudo-header in the checksum
44 * calculation.
45 */
46 static void
47 ip6_finddst(netdissect_options *ndo, nd_ipv6 *dst,
48 const struct ip6_hdr *ip6)
49 {
50 const u_char *cp;
51 u_int advance;
52 u_int nh;
53 const void *dst_addr;
54 const struct ip6_rthdr *dp;
55 const struct ip6_rthdr0 *dp0;
56 const struct ip6_srh *srh;
57 const u_char *p;
58 int i, len;
59
60 cp = (const u_char *)ip6;
61 advance = sizeof(struct ip6_hdr);
62 nh = GET_U_1(ip6->ip6_nxt);
63 dst_addr = (const void *)ip6->ip6_dst;
64
65 while (cp < ndo->ndo_snapend) {
66 cp += advance;
67
68 switch (nh) {
69
70 case IPPROTO_HOPOPTS:
71 case IPPROTO_DSTOPTS:
72 case IPPROTO_MOBILITY_OLD:
73 case IPPROTO_MOBILITY:
74 /*
75 * These have a header length byte, following
76 * the next header byte, giving the length of
77 * the header, in units of 8 octets, excluding
78 * the first 8 octets.
79 */
80 advance = (GET_U_1(cp + 1) + 1) << 3;
81 nh = GET_U_1(cp);
82 break;
83
84 case IPPROTO_FRAGMENT:
85 /*
86 * The byte following the next header byte is
87 * marked as reserved, and the header is always
88 * the same size.
89 */
90 advance = sizeof(struct ip6_frag);
91 nh = GET_U_1(cp);
92 break;
93
94 case IPPROTO_ROUTING:
95 /*
96 * OK, we found it.
97 */
98 dp = (const struct ip6_rthdr *)cp;
99 ND_TCHECK_SIZE(dp);
100 len = GET_U_1(dp->ip6r_len);
101 switch (GET_U_1(dp->ip6r_type)) {
102
103 case IPV6_RTHDR_TYPE_0:
104 case IPV6_RTHDR_TYPE_2: /* Mobile IPv6 ID-20 */
105 dp0 = (const struct ip6_rthdr0 *)dp;
106 if (len % 2 == 1)
107 goto trunc;
108 len >>= 1;
109 p = (const u_char *) dp0->ip6r0_addr;
110 for (i = 0; i < len; i++) {
111 ND_TCHECK_16(p);
112 dst_addr = (const void *)p;
113 p += 16;
114 }
115 break;
116 case IPV6_RTHDR_TYPE_4:
117 /* IPv6 Segment Routing Header (SRH) */
118 srh = (const struct ip6_srh *)dp;
119 if (len % 2 == 1)
120 goto trunc;
121 p = (const u_char *) srh->srh_segments;
122 /*
123 * The list of segments are encoded in the reverse order.
124 * Accordingly, the final DA is encoded in srh_segments[0]
125 */
126 ND_TCHECK_16(p);
127 dst_addr = (const void *)p;
128 break;
129
130 default:
131 break;
132 }
133
134 /*
135 * Only one routing header to a customer.
136 */
137 goto done;
138
139 case IPPROTO_AH:
140 case IPPROTO_ESP:
141 case IPPROTO_IPCOMP:
142 default:
143 /*
144 * AH and ESP are, in the RFCs that describe them,
145 * described as being "viewed as an end-to-end
146 * payload" "in the IPv6 context, so that they
147 * "should appear after hop-by-hop, routing, and
148 * fragmentation extension headers". We assume
149 * that's the case, and stop as soon as we see
150 * one. (We can't handle an ESP header in
151 * the general case anyway, as its length depends
152 * on the encryption algorithm.)
153 *
154 * IPComp is also "viewed as an end-to-end
155 * payload" "in the IPv6 context".
156 *
157 * All other protocols are assumed to be the final
158 * protocol.
159 */
160 goto done;
161 }
162 }
163
164 done:
165 trunc:
166 GET_CPY_BYTES(dst, dst_addr, sizeof(nd_ipv6));
167 }
168
169 /*
170 * Compute a V6-style checksum by building a pseudoheader.
171 */
172 uint16_t
173 nextproto6_cksum(netdissect_options *ndo,
174 const struct ip6_hdr *ip6, const uint8_t *data,
175 u_int len, u_int covlen, uint8_t next_proto)
176 {
177 struct {
178 nd_ipv6 ph_src;
179 nd_ipv6 ph_dst;
180 uint32_t ph_len;
181 uint8_t ph_zero[3];
182 uint8_t ph_nxt;
183 } ph;
184 struct cksum_vec vec[2];
185 u_int nh;
186
187 /* pseudo-header */
188 memset(&ph, 0, sizeof(ph));
189 GET_CPY_BYTES(&ph.ph_src, ip6->ip6_src, sizeof(nd_ipv6));
190 nh = GET_U_1(ip6->ip6_nxt);
191 switch (nh) {
192
193 case IPPROTO_HOPOPTS:
194 case IPPROTO_DSTOPTS:
195 case IPPROTO_MOBILITY_OLD:
196 case IPPROTO_MOBILITY:
197 case IPPROTO_FRAGMENT:
198 case IPPROTO_ROUTING:
199 /*
200 * The next header is either a routing header or a header
201 * after which there might be a routing header, so scan
202 * for a routing header.
203 */
204 ip6_finddst(ndo, &ph.ph_dst, ip6);
205 break;
206
207 default:
208 GET_CPY_BYTES(&ph.ph_dst, ip6->ip6_dst, sizeof(nd_ipv6));
209 break;
210 }
211 ph.ph_len = htonl(len);
212 ph.ph_nxt = next_proto;
213
214 vec[0].ptr = (const uint8_t *)(void *)&ph;
215 vec[0].len = sizeof(ph);
216 vec[1].ptr = data;
217 vec[1].len = covlen;
218
219 return in_cksum(vec, 2);
220 }
221
222 /*
223 * print an IP6 datagram.
224 */
225 void
226 ip6_print(netdissect_options *ndo, const u_char *bp, u_int length)
227 {
228 const struct ip6_hdr *ip6;
229 int advance;
230 u_int len;
231 u_int total_advance;
232 const u_char *cp;
233 uint32_t payload_len;
234 uint8_t ph, nh;
235 int fragmented = 0;
236 u_int flow;
237 int found_extension_header;
238 int found_jumbo;
239 int found_hbh;
240
241 ndo->ndo_protocol = "ip6";
242 ip6 = (const struct ip6_hdr *)bp;
243
244 if (!ndo->ndo_eflag) {
245 nd_print_protocol_caps(ndo);
246 ND_PRINT(" ");
247 }
248
249 ND_ICHECK_ZU(length, <, sizeof (struct ip6_hdr));
250 if (IP6_VERSION(ip6) != 6) {
251 ND_PRINT("version error: %u != 6", IP6_VERSION(ip6));
252 return;
253 }
254
255 ND_TCHECK_SIZE(ip6);
256 payload_len = GET_BE_U_2(ip6->ip6_plen);
257 /*
258 * RFC 1883 says:
259 *
260 * The Payload Length field in the IPv6 header must be set to zero
261 * in every packet that carries the Jumbo Payload option. If a
262 * packet is received with a valid Jumbo Payload option present and
263 * a non-zero IPv6 Payload Length field, an ICMP Parameter Problem
264 * message, Code 0, should be sent to the packet's source, pointing
265 * to the Option Type field of the Jumbo Payload option.
266 *
267 * Later versions of the IPv6 spec don't discuss the Jumbo Payload
268 * option.
269 *
270 * If the payload length is 0, we temporarily just set the total
271 * length to the remaining data in the packet (which, for Ethernet,
272 * could include frame padding, but if it's a Jumbo Payload frame,
273 * it shouldn't even be sendable over Ethernet, so we don't worry
274 * about that), so we can process the extension headers in order
275 * to *find* a Jumbo Payload hop-by-hop option and, when we've
276 * processed all the extension headers, check whether we found
277 * a Jumbo Payload option, and fail if we haven't.
278 */
279 if (payload_len != 0) {
280 len = payload_len + sizeof(struct ip6_hdr);
281 if (length < len)
282 ND_PRINT("truncated-ip6 - %u bytes missing!",
283 len - length);
284 } else
285 len = length + sizeof(struct ip6_hdr);
286
287 ph = 255;
288 nh = GET_U_1(ip6->ip6_nxt);
289 if (ndo->ndo_vflag) {
290 flow = GET_BE_U_4(ip6->ip6_flow);
291 ND_PRINT("(");
292 /* RFC 2460 */
293 if (flow & 0x0ff00000)
294 ND_PRINT("class 0x%02x, ", (flow & 0x0ff00000) >> 20);
295 if (flow & 0x000fffff)
296 ND_PRINT("flowlabel 0x%05x, ", flow & 0x000fffff);
297
298 ND_PRINT("hlim %u, next-header %s (%u) payload length: %u) ",
299 GET_U_1(ip6->ip6_hlim),
300 tok2str(ipproto_values,"unknown",nh),
301 nh,
302 payload_len);
303 }
304
305 /*
306 * Cut off the snapshot length to the end of the IP payload.
307 */
308 if (!nd_push_snaplen(ndo, bp, len)) {
309 (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
310 "%s: can't push snaplen on buffer stack", __func__);
311 }
312
313 cp = (const u_char *)ip6;
314 advance = sizeof(struct ip6_hdr);
315 total_advance = 0;
316 /* Process extension headers */
317 found_extension_header = 0;
318 found_jumbo = 0;
319 found_hbh = 0;
320 while (cp < ndo->ndo_snapend && advance > 0) {
321 if (len < (u_int)advance)
322 goto trunc;
323 cp += advance;
324 len -= advance;
325 total_advance += advance;
326
327 if (cp == (const u_char *)(ip6 + 1) &&
328 nh != IPPROTO_TCP && nh != IPPROTO_UDP &&
329 nh != IPPROTO_DCCP && nh != IPPROTO_SCTP) {
330 ND_PRINT("%s > %s: ", GET_IP6ADDR_STRING(ip6->ip6_src),
331 GET_IP6ADDR_STRING(ip6->ip6_dst));
332 }
333
334 switch (nh) {
335
336 case IPPROTO_HOPOPTS:
337 /*
338 * The Hop-by-Hop Options header, when present,
339 * must immediately follow the IPv6 header (RFC 8200)
340 */
341 if (found_hbh == 1) {
342 ND_PRINT("[The Hop-by-Hop Options header was already found]");
343 nd_print_invalid(ndo);
344 return;
345 }
346 if (ph != 255) {
347 ND_PRINT("[The Hop-by-Hop Options header don't follow the IPv6 header]");
348 nd_print_invalid(ndo);
349 return;
350 }
351 advance = hbhopt_process(ndo, cp, &found_jumbo, &payload_len);
352 if (payload_len == 0 && found_jumbo == 0) {
353 ND_PRINT("[No valid Jumbo Payload Hop-by-Hop option found]");
354 nd_print_invalid(ndo);
355 return;
356 }
357 if (advance < 0) {
358 nd_pop_packet_info(ndo);
359 return;
360 }
361 found_extension_header = 1;
362 found_hbh = 1;
363 nh = GET_U_1(cp);
364 break;
365
366 case IPPROTO_DSTOPTS:
367 advance = dstopt_process(ndo, cp);
368 if (advance < 0) {
369 nd_pop_packet_info(ndo);
370 return;
371 }
372 found_extension_header = 1;
373 nh = GET_U_1(cp);
374 break;
375
376 case IPPROTO_FRAGMENT:
377 advance = frag6_print(ndo, cp, (const u_char *)ip6);
378 if (advance < 0 || ndo->ndo_snapend <= cp + advance) {
379 nd_pop_packet_info(ndo);
380 return;
381 }
382 found_extension_header = 1;
383 nh = GET_U_1(cp);
384 fragmented = 1;
385 break;
386
387 case IPPROTO_MOBILITY_OLD:
388 case IPPROTO_MOBILITY:
389 /*
390 * XXX - we don't use "advance"; RFC 3775 says that
391 * the next header field in a mobility header
392 * should be IPPROTO_NONE, but speaks of
393 * the possibility of a future extension in
394 * which payload can be piggybacked atop a
395 * mobility header.
396 */
397 advance = mobility_print(ndo, cp, (const u_char *)ip6);
398 if (advance < 0) {
399 nd_pop_packet_info(ndo);
400 return;
401 }
402 found_extension_header = 1;
403 nh = GET_U_1(cp);
404 nd_pop_packet_info(ndo);
405 return;
406
407 case IPPROTO_ROUTING:
408 ND_TCHECK_1(cp);
409 advance = rt6_print(ndo, cp, (const u_char *)ip6);
410 if (advance < 0) {
411 nd_pop_packet_info(ndo);
412 return;
413 }
414 found_extension_header = 1;
415 nh = GET_U_1(cp);
416 break;
417
418 default:
419 /*
420 * Not an extension header; hand off to the
421 * IP protocol demuxer.
422 */
423 if (found_jumbo) {
424 /*
425 * We saw a Jumbo Payload option.
426 * Set the length to the payload length
427 * plus the IPv6 header length, and
428 * change the snapshot length accordingly.
429 *
430 * But make sure it's not shorter than
431 * the total number of bytes we've
432 * processed so far.
433 */
434 len = payload_len + sizeof(struct ip6_hdr);
435 if (len < total_advance)
436 goto trunc;
437 if (length < len)
438 ND_PRINT("truncated-ip6 - %u bytes missing!",
439 len - length);
440 nd_change_snaplen(ndo, bp, len);
441
442 /*
443 * Now subtract the length of the IPv6
444 * header plus extension headers to get
445 * the payload length.
446 */
447 len -= total_advance;
448 } else {
449 /*
450 * We didn't see a Jumbo Payload option;
451 * was the payload length zero?
452 */
453 if (payload_len == 0) {
454 /*
455 * Yes. If we found an extension
456 * header, treat that as a truncated
457 * packet header, as there was
458 * no payload to contain an
459 * extension header.
460 */
461 if (found_extension_header)
462 goto trunc;
463
464 /*
465 * OK, we didn't see any extension
466 * header, but that means we have
467 * no payload, so set the length
468 * to the IPv6 header length,
469 * and change the snapshot length
470 * accordingly.
471 */
472 len = sizeof(struct ip6_hdr);
473 nd_change_snaplen(ndo, bp, len);
474
475 /*
476 * Now subtract the length of
477 * the IPv6 header plus extension
478 * headers (there weren't any, so
479 * that's just the IPv6 header
480 * length) to get the payload length.
481 */
482 len -= total_advance;
483 }
484 }
485 ip_demux_print(ndo, cp, len, 6, fragmented,
486 GET_U_1(ip6->ip6_hlim), nh, bp);
487 nd_pop_packet_info(ndo);
488 return;
489 }
490 ph = nh;
491
492 /* ndo_protocol reassignment after xxx_print() calls */
493 ndo->ndo_protocol = "ip6";
494 }
495
496 nd_pop_packet_info(ndo);
497 return;
498 trunc:
499 nd_print_trunc(ndo);
500 return;
501
502 invalid:
503 nd_print_invalid(ndo);
504 }
[mirror] the TCPdump network dissector