CVE-2017-13023/IPv6 mobility: Add a bounds check before fetching data
1 /*
2 * Copyright (C) 2002 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 */
29
30 /* \summary: IPv6 mobility printer */
31 /* RFC 3775 */
32
33 #ifdef HAVE_CONFIG_H
34 #include "config.h"
35 #endif
36
37 #include <netdissect-stdinc.h>
38
39 #include "netdissect.h"
40 #include "addrtoname.h"
41 #include "extract.h"
42
43 #include "ip6.h"
44
/* Marker printed on the truncation path, i.e. when a read would run past the captured data. */
static const char tstr[] = "[|MOBILITY]";
46
47 /* Mobility header */
/*
 * Mobility header: the fixed part shared by every message type.
 *
 * A pointer of this type is laid directly over the packet bytes, so every
 * field is bounds-checked against the captured data before it is read, and
 * the 16-bit fields are fetched with EXTRACT_16BITS rather than dereferenced
 * (the overlay need not be aligned).  ip6m_pproto and ip6m_cksum are not
 * used by this dissector; the checksum is neither verified nor printed.
 */
struct ip6_mobility {
	uint8_t ip6m_pproto;	/* following payload protocol (for PG) */
	uint8_t ip6m_len;	/* length in units of 8 octets, not counting the first 8 */
	uint8_t ip6m_type;	/* message type (IP6M_*) */
	uint8_t reserved;	/* reserved */
	uint16_t ip6m_cksum;	/* sum of IPv6 pseudo-header and MH */
	union {
		uint16_t ip6m_un_data16[1];	/* type-specific field */
		uint8_t ip6m_un_data8[2];	/* type-specific field */
	} ip6m_dataun;
};
59
#define ip6m_data16 ip6m_dataun.ip6m_un_data16
#define ip6m_data8 ip6m_dataun.ip6m_un_data8

/* Size in bytes of struct ip6_mobility, the part common to all message types. */
#define IP6M_MINLEN 8

/* http://www.iana.org/assignments/mobility-parameters/mobility-parameters.xhtml */

/* message type (ip6m_type); names as in RFC 3775 */
#define IP6M_BINDING_REQUEST 0 /* Binding Refresh Request */
#define IP6M_HOME_TEST_INIT 1 /* Home Test Init */
#define IP6M_CAREOF_TEST_INIT 2 /* Care-of Test Init */
#define IP6M_HOME_TEST 3 /* Home Test */
#define IP6M_CAREOF_TEST 4 /* Care-of Test */
#define IP6M_BINDING_UPDATE 5 /* Binding Update */
#define IP6M_BINDING_ACK 6 /* Binding Acknowledgement */
#define IP6M_BINDING_ERROR 7 /* Binding Error */
#define IP6M_MAX 7 /* highest type known here; bounds ip6m_hdrlen[] */
77
/* Short names for the message types, for tok2str(); unknown types print as "type-#N". */
static const struct tok ip6m_str[] = {
	{ IP6M_BINDING_REQUEST, "BRR" },
	{ IP6M_HOME_TEST_INIT, "HoTI" },
	{ IP6M_CAREOF_TEST_INIT, "CoTI" },
	{ IP6M_HOME_TEST, "HoT" },
	{ IP6M_CAREOF_TEST, "CoT" },
	{ IP6M_BINDING_UPDATE, "BU" },
	{ IP6M_BINDING_ACK, "BA" },
	{ IP6M_BINDING_ERROR, "BE" },
	{ 0, NULL }
};
89
/*
 * Smallest header length, in bytes, that each known message type can have:
 * the common 8-byte part plus the type-specific fixed fields that
 * mobility_print() consumes before it looks for options.  Indexed by
 * message type; a header whose length field claims less than this for a
 * known type is rejected before any type-specific field is read.
 */
static const unsigned ip6m_hdrlen[IP6M_MAX + 1] = {
	IP6M_MINLEN,		/* IP6M_BINDING_REQUEST */
	IP6M_MINLEN + 8,	/* IP6M_HOME_TEST_INIT: 8-byte init cookie */
	IP6M_MINLEN + 8,	/* IP6M_CAREOF_TEST_INIT: 8-byte init cookie */
	IP6M_MINLEN + 16,	/* IP6M_HOME_TEST: init cookie + keygen token */
	IP6M_MINLEN + 16,	/* IP6M_CAREOF_TEST: init cookie + keygen token */
	IP6M_MINLEN + 4,	/* IP6M_BINDING_UPDATE: flags, reserved, lifetime */
	IP6M_MINLEN + 4,	/* IP6M_BINDING_ACK: sequence #, lifetime */
	IP6M_MINLEN + 16,	/* IP6M_BINDING_ERROR: home address */
};
100
/*
 * Mobility Header Options.  Apart from Pad1 (a single byte) every option
 * starts with a type byte and a length byte that counts the data after
 * them.  The *_MINLEN values are the smallest whole option, header bytes
 * included, that carries the fields this dissector prints.
 */
#define IP6MOPT_MINLEN 2 /* type + length bytes */
#define IP6MOPT_PAD1 0x0 /* Pad1: one byte, no length field */
#define IP6MOPT_PADN 0x1 /* PadN */
#define IP6MOPT_REFRESH 0x2 /* Binding Refresh Advice */
#define IP6MOPT_REFRESH_MINLEN 4 /* header + 16-bit refresh interval */
#define IP6MOPT_ALTCOA 0x3 /* Alternate Care-of Address */
#define IP6MOPT_ALTCOA_MINLEN 18 /* header + 16-byte IPv6 address */
#define IP6MOPT_NONCEID 0x4 /* Nonce Indices */
#define IP6MOPT_NONCEID_MINLEN 6 /* header + two 16-bit nonce indices */
#define IP6MOPT_AUTH 0x5 /* Binding Authorization Data */
#define IP6MOPT_AUTH_MINLEN 12 /* shortest option accepted; the authenticator itself is not printed */
113
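/*
 * Print the options that follow the fixed part of a Mobility Header.
 *
 * bp points at the first option and len is the number of option bytes the
 * header claims (its length field minus the type-specific fixed part).
 * len comes from the packet, not from the capture, and so does each
 * option's own length byte; neither can be trusted to cover the fields a
 * given option type carries.  Every read below is therefore also checked
 * against the captured data (ndo_snapend): the loop-level check only
 * covers the bytes an option declares for itself, and an option that
 * declares fewer bytes than its type needs would otherwise let the
 * type-specific read run past the capture.
 *
 * Returns 0 when all options were printed and 1 when they were cut short,
 * either by the declared length or by the end of the captured data; the
 * caller prints the truncation marker.
 */
static int
mobility_opt_print(netdissect_options *ndo,
		   const u_char *bp, const unsigned len)
{
	unsigned i, optlen;

	for (i = 0; i < len; i += optlen) {
		ND_TCHECK(bp[i]);
		if (bp[i] == IP6MOPT_PAD1)
			optlen = 1;
		else {
			/* every other option has a length byte for the data after it */
			if (i + 1 < len) {
				ND_TCHECK(bp[i + 1]);
				optlen = bp[i + 1] + 2;
			}
			else
				goto trunc;
		}
		if (i + optlen > len)
			goto trunc;
		/*
		 * The option as declared must be fully captured.  Checking
		 * exactly optlen bytes from bp[i], rather than the byte
		 * after the option, means an option ending right at the
		 * end of the captured data is not reported as truncated.
		 */
		ND_TCHECK2(bp[i], optlen);

		switch (bp[i]) {
		case IP6MOPT_PAD1:
			ND_PRINT((ndo, "(pad1)"));
			break;
		case IP6MOPT_PADN:
			if (len - i < IP6MOPT_MINLEN) {
				ND_PRINT((ndo, "(padn: trunc)"));
				goto trunc;
			}
			ND_PRINT((ndo, "(padn)"));
			break;
		case IP6MOPT_REFRESH:
			if (len - i < IP6MOPT_REFRESH_MINLEN) {
				ND_PRINT((ndo, "(refresh: trunc)"));
				goto trunc;
			}
			/*
			 * The MINLEN test above is against the remaining
			 * declared option space, not this option's own
			 * length byte, so the interval may lie beyond the
			 * bytes checked at the top of the loop; check it
			 * against the capture before fetching it (the
			 * over-read class behind CVE-2017-13023).
			 */
			ND_TCHECK_16BITS(&bp[i+2]);
			/* units of 4 secs */
			ND_PRINT((ndo, "(refresh: %u)",
				EXTRACT_16BITS(&bp[i+2]) << 2));
			break;
		case IP6MOPT_ALTCOA:
			if (len - i < IP6MOPT_ALTCOA_MINLEN) {
				ND_PRINT((ndo, "(altcoa: trunc)"));
				goto trunc;
			}
			/* same reasoning as for REFRESH: the 16-byte address is not covered by the loop-level check */
			ND_TCHECK2(bp[i+2], 16);
			ND_PRINT((ndo, "(alt-CoA: %s)", ip6addr_string(ndo, &bp[i+2])));
			break;
		case IP6MOPT_NONCEID:
			if (len - i < IP6MOPT_NONCEID_MINLEN) {
				ND_PRINT((ndo, "(ni: trunc)"));
				goto trunc;
			}
			/* two 16-bit indices, likewise not covered by the loop-level check */
			ND_TCHECK2(bp[i+2], 4);
			ND_PRINT((ndo, "(ni: ho=0x%04x co=0x%04x)",
				EXTRACT_16BITS(&bp[i+2]),
				EXTRACT_16BITS(&bp[i+4])));
			break;
		case IP6MOPT_AUTH:
			if (len - i < IP6MOPT_AUTH_MINLEN) {
				ND_PRINT((ndo, "(auth: trunc)"));
				goto trunc;
			}
			/* the authenticator is not decoded */
			ND_PRINT((ndo, "(auth)"));
			break;
		default:
			if (len - i < IP6MOPT_MINLEN) {
				ND_PRINT((ndo, "(sopt_type %u: trunc)", bp[i]));
				goto trunc;
			}
			/* both bytes are within the optlen bytes checked above */
			ND_PRINT((ndo, "(type-0x%02x: len=%u)", bp[i], bp[i + 1]));
			break;
		}
	}
	return 0;

trunc:
	return 1;
}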
194
/*
 * Mobility Header
 *
 * Dissect the Mobility Header that bp points at.  bp2 (the enclosing IPv6
 * header) is accepted for interface compatibility only and is not read;
 * the header checksum is neither verified nor printed.
 *
 * Returns the header length in bytes as given by the header's own length
 * field, (ip6m_len + 1) * 8, or -1 after printing the truncation marker
 * when the captured data runs out or when, for a known message type, the
 * length field claims less than the type's fixed part.  Options are only
 * dissected with -v.
 */
int
mobility_print(netdissect_options *ndo,
	       const u_char *bp, const u_char *bp2 _U_)
{
	const struct ip6_mobility *hdr = (const struct ip6_mobility *)bp;
	unsigned hdr_len;	/* whole header, from the length field */
	unsigned fixed_len;	/* fixed part consumed for this message type */
	uint8_t type;

	/*
	 * Without the length byte there is nothing to size the header by;
	 * report truncation and let the caller stop.
	 */
	if (!ND_TTEST(hdr->ip6m_len))
		goto trunc;
	hdr_len = (hdr->ip6m_len + 1) << 3;

	/* XXX ip6m_cksum is not checked */

	ND_TCHECK(hdr->ip6m_type);
	type = hdr->ip6m_type;
	if (type <= IP6M_MAX && hdr_len < ip6m_hdrlen[type]) {
		ND_PRINT((ndo, "(header length %u is too small for type %u)", hdr_len, type));
		goto trunc;
	}
	ND_PRINT((ndo, "mobility: %s", tok2str(ip6m_str, "type-#%u", type)));

	fixed_len = IP6M_MINLEN;
	switch (type) {
	case IP6M_BINDING_REQUEST:
		/* nothing beyond the common part */
		break;
	case IP6M_HOME_TEST_INIT:
	case IP6M_CAREOF_TEST_INIT:
		/* 8-byte init cookie right after the common part */
		if (ndo->ndo_vflag) {
			ND_TCHECK_32BITS(bp + IP6M_MINLEN + 4);
			ND_PRINT((ndo, " %s Init Cookie=%08x:%08x",
				type == IP6M_HOME_TEST_INIT ? "Home" : "Care-of",
				EXTRACT_32BITS(bp + IP6M_MINLEN),
				EXTRACT_32BITS(bp + IP6M_MINLEN + 4)));
		}
		fixed_len += 8;
		break;
	case IP6M_HOME_TEST:
	case IP6M_CAREOF_TEST:
		/* nonce index in the type-specific field, then cookie and token */
		ND_TCHECK(hdr->ip6m_data16[0]);
		ND_PRINT((ndo, " nonce id=0x%x", EXTRACT_16BITS(&hdr->ip6m_data16[0])));
		if (ndo->ndo_vflag) {
			const char *side = type == IP6M_HOME_TEST ? "Home" : "Care-of";

			ND_TCHECK_32BITS(bp + IP6M_MINLEN + 4);
			ND_PRINT((ndo, " %s Init Cookie=%08x:%08x", side,
				EXTRACT_32BITS(bp + IP6M_MINLEN),
				EXTRACT_32BITS(bp + IP6M_MINLEN + 4)));
			ND_TCHECK_32BITS(bp + IP6M_MINLEN + 12);
			ND_PRINT((ndo, " %s Keygen Token=%08x:%08x", side,
				EXTRACT_32BITS(bp + IP6M_MINLEN + 8),
				EXTRACT_32BITS(bp + IP6M_MINLEN + 12)));
		}
		fixed_len += 16;
		break;
	case IP6M_BINDING_UPDATE: {
		const u_char *p = bp + IP6M_MINLEN;

		ND_TCHECK(hdr->ip6m_data16[0]);
		ND_PRINT((ndo, " seq#=%u", EXTRACT_16BITS(&hdr->ip6m_data16[0])));
		/* flags byte: A, H, L, K in the high nibble; low nibble reserved */
		ND_TCHECK_16BITS(p);
		if (p[0] & 0xf0) {
			static const struct {
				uint8_t mask;
				const char *name;
			} bu_flags[] = {
				{ 0x80, "A" }, { 0x40, "H" }, { 0x20, "L" }, { 0x10, "K" }
			};
			unsigned n;

			ND_PRINT((ndo, " "));
			for (n = 0; n < sizeof bu_flags / sizeof bu_flags[0]; n++)
				if (p[0] & bu_flags[n].mask)
					ND_PRINT((ndo, "%s", bu_flags[n].name));
		}
		/* one reserved byte after the flags, then the lifetime */
		ND_TCHECK_16BITS(p + 2);
		/* units of 4 secs */
		ND_PRINT((ndo, " lifetime=%u", EXTRACT_16BITS(p + 2) << 2));
		fixed_len += 4;
		break;
	}
	case IP6M_BINDING_ACK: {
		const u_char *p = bp + IP6M_MINLEN;

		ND_TCHECK(hdr->ip6m_data8[0]);
		ND_PRINT((ndo, " status=%u", hdr->ip6m_data8[0]));
		ND_TCHECK(hdr->ip6m_data8[1]);
		if (hdr->ip6m_data8[1] & 0x80)
			ND_PRINT((ndo, " K"));
		/* remaining 7 bits reserved */
		ND_TCHECK_16BITS(p);
		ND_PRINT((ndo, " seq#=%u", EXTRACT_16BITS(p)));
		ND_TCHECK_16BITS(p + 2);
		/* units of 4 secs */
		ND_PRINT((ndo, " lifetime=%u", EXTRACT_16BITS(p + 2) << 2));
		fixed_len += 4;
		break;
	}
	case IP6M_BINDING_ERROR:
		ND_TCHECK(hdr->ip6m_data8[0]);
		ND_PRINT((ndo, " status=%u", hdr->ip6m_data8[0]));
		/* one reserved byte, then the 16-byte home address */
		ND_TCHECK2(bp[IP6M_MINLEN], 16);
		ND_PRINT((ndo, " homeaddr %s", ip6addr_string(ndo, bp + IP6M_MINLEN)));
		fixed_len += 16;
		break;
	default:
		/* unknown type: nothing is known about its layout, so no options either */
		ND_PRINT((ndo, " len=%u", hdr->ip6m_len));
		return hdr_len;
	}

	/* hdr_len >= ip6m_hdrlen[type] == fixed_len here, so this cannot underflow */
	if (ndo->ndo_vflag &&
	    mobility_opt_print(ndo, bp + fixed_len, hdr_len - fixed_len))
		goto trunc;

	return hdr_len;

trunc:
	ND_PRINT((ndo, "%s", tstr));
	return -1;
}