CVE-2017-13009/IPv6 mobility: Add a bounds check.
1 /*
2 * Copyright (C) 2002 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 */
29
30 /* \summary: IPv6 mobility printer */
31 /* RFC 3775 */
32
33 #ifdef HAVE_CONFIG_H
34 #include "config.h"
35 #endif
36
37 #include <netdissect-stdinc.h>
38
39 #include "ip6.h"
40 #include "netdissect.h"
41 #include "addrtoname.h"
42 #include "extract.h"
43
/* Emitted on the trunc path when the capture ends inside the mobility header. */
static const char tstr[] = "[|MOBILITY]";
45
/*
 * Mobility header, laid out as on the wire.  Only the first two octets of
 * the type-specific data are modelled (the union); anything beyond that is
 * reached by byte offset from the header start in mobility_print().
 */
struct ip6_mobility {
	uint8_t ip6m_pproto;	/* following payload protocol (for PG) */
	uint8_t ip6m_len;	/* length in units of 8 octets */
	uint8_t ip6m_type;	/* message type */
	uint8_t reserved;	/* reserved */
	uint16_t ip6m_cksum;	/* sum of IPv6 pseudo-header and MH */
	union {
		uint16_t ip6m_un_data16[1];	/* type-specific field */
		uint8_t ip6m_un_data8[2];	/* type-specific field */
	} ip6m_dataun;
};
58
59 #define ip6m_data16 ip6m_dataun.ip6m_un_data16
60 #define ip6m_data8 ip6m_dataun.ip6m_un_data8
61
62 #define IP6M_MINLEN 8
63
64 /* http://www.iana.org/assignments/mobility-parameters/mobility-parameters.xhtml */
65
66 /* message type */
67 #define IP6M_BINDING_REQUEST 0 /* Binding Refresh Request */
68 #define IP6M_HOME_TEST_INIT 1 /* Home Test Init */
69 #define IP6M_CAREOF_TEST_INIT 2 /* Care-of Test Init */
70 #define IP6M_HOME_TEST 3 /* Home Test */
71 #define IP6M_CAREOF_TEST 4 /* Care-of Test */
72 #define IP6M_BINDING_UPDATE 5 /* Binding Update */
73 #define IP6M_BINDING_ACK 6 /* Binding Acknowledgement */
74 #define IP6M_BINDING_ERROR 7 /* Binding Error */
75 #define IP6M_MAX 7
76
/* Message type -> short name, consumed by tok2str() in mobility_print(). */
static const struct tok ip6m_str[] = {
	{ IP6M_BINDING_REQUEST,  "BRR"  },
	{ IP6M_HOME_TEST_INIT,   "HoTI" },
	{ IP6M_CAREOF_TEST_INIT, "CoTI" },
	{ IP6M_HOME_TEST,        "HoT"  },
	{ IP6M_CAREOF_TEST,      "CoT"  },
	{ IP6M_BINDING_UPDATE,   "BU"   },
	{ IP6M_BINDING_ACK,      "BA"   },
	{ IP6M_BINDING_ERROR,    "BE"   },
	{ 0, NULL }
};
88
/*
 * Minimum header length, in bytes, for each known message type: the
 * 8-byte fixed part plus the type-specific fields mobility_print() reads.
 * mobility_print() rejects a header whose ip6m_len-derived length is
 * smaller than this, which keeps the option length it later passes to
 * mobility_opt_print() (mhlen - hlen) from wrapping below zero.
 */
static const unsigned ip6m_hdrlen[IP6M_MAX + 1] = {
	IP6M_MINLEN,      /* IP6M_BINDING_REQUEST */
	IP6M_MINLEN + 8,  /* IP6M_HOME_TEST_INIT */
	IP6M_MINLEN + 8,  /* IP6M_CAREOF_TEST_INIT */
	IP6M_MINLEN + 16, /* IP6M_HOME_TEST */
	IP6M_MINLEN + 16, /* IP6M_CAREOF_TEST */
	IP6M_MINLEN + 4,  /* IP6M_BINDING_UPDATE */
	IP6M_MINLEN + 4,  /* IP6M_BINDING_ACK */
	IP6M_MINLEN + 16, /* IP6M_BINDING_ERROR */
};
99
100 /* Mobility Header Options */
101 #define IP6MOPT_MINLEN 2
102 #define IP6MOPT_PAD1 0x0 /* Pad1 */
103 #define IP6MOPT_PADN 0x1 /* PadN */
104 #define IP6MOPT_REFRESH 0x2 /* Binding Refresh Advice */
105 #define IP6MOPT_REFRESH_MINLEN 4
106 #define IP6MOPT_ALTCOA 0x3 /* Alternate Care-of Address */
107 #define IP6MOPT_ALTCOA_MINLEN 18
108 #define IP6MOPT_NONCEID 0x4 /* Nonce Indices */
109 #define IP6MOPT_NONCEID_MINLEN 6
110 #define IP6MOPT_AUTH 0x5 /* Binding Authorization Data */
111 #define IP6MOPT_AUTH_MINLEN 12
112
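/*
 * Print the mobility options that follow the fixed part of a mobility
 * header.
 *
 * bp  - first option byte (already inside the packet buffer).
 * len - number of option bytes claimed by the header (mhlen - hlen in
 *       mobility_print()); this is what the packet says, not what was
 *       captured, so every read is additionally checked against the
 *       capture end via the ND_TCHECK* macros, which jump to 'trunc'.
 *
 * Returns 0 when all options were printed and 1 when the options were
 * truncated (either by the claimed length or by the capture).
 */
static int
mobility_opt_print(netdissect_options *ndo,
                   const u_char *bp, const unsigned len)
{
	unsigned i, optlen;

	for (i = 0; i < len; i += optlen) {
		ND_TCHECK(bp[i]);
		if (bp[i] == IP6MOPT_PAD1)
			optlen = 1;
		else {
			if (i + 1 < len) {
				ND_TCHECK(bp[i + 1]);
				optlen = bp[i + 1] + 2;
			}
			else
				goto trunc;
		}
		/* The option must fit in the length the header claims... */
		if (i + optlen > len)
			goto trunc;
		/*
		 * ...and the whole option must have been captured.  This checks
		 * exactly optlen bytes from bp[i]; checking bp[i + optlen]
		 * instead would demand one byte beyond the last option and
		 * report a truncation for a capture that ends exactly at it.
		 */
		ND_TCHECK2(bp[i], optlen);

		/*
		 * The per-type minimum-length checks below compare against the
		 * bytes remaining in the claimed length, not against optlen, so
		 * an option whose own length field is shorter than its type's
		 * minimum still reaches the field reads.  The ND_TCHECK* before
		 * each read is what keeps those reads inside the capture.
		 */
		switch (bp[i]) {
		case IP6MOPT_PAD1:
			ND_PRINT((ndo, "(pad1)"));
			break;
		case IP6MOPT_PADN:
			if (len - i < IP6MOPT_MINLEN) {
				ND_PRINT((ndo, "(padn: trunc)"));
				goto trunc;
			}
			ND_PRINT((ndo, "(padn)"));
			break;
		case IP6MOPT_REFRESH:
			if (len - i < IP6MOPT_REFRESH_MINLEN) {
				ND_PRINT((ndo, "(refresh: trunc)"));
				goto trunc;
			}
			ND_TCHECK_16BITS(&bp[i + 2]);
			/* units of 4 secs */
			ND_PRINT((ndo, "(refresh: %u)",
				EXTRACT_16BITS(&bp[i+2]) << 2));
			break;
		case IP6MOPT_ALTCOA:
			if (len - i < IP6MOPT_ALTCOA_MINLEN) {
				ND_PRINT((ndo, "(altcoa: trunc)"));
				goto trunc;
			}
			/* ip6addr_string() reads a full 16-byte address. */
			ND_TCHECK2(bp[i + 2], 16);
			ND_PRINT((ndo, "(alt-CoA: %s)", ip6addr_string(ndo, &bp[i+2])));
			break;
		case IP6MOPT_NONCEID:
			if (len - i < IP6MOPT_NONCEID_MINLEN) {
				ND_PRINT((ndo, "(ni: trunc)"));
				goto trunc;
			}
			/* Checking the second index also covers the first. */
			ND_TCHECK_16BITS(&bp[i + 4]);
			ND_PRINT((ndo, "(ni: ho=0x%04x co=0x%04x)",
				EXTRACT_16BITS(&bp[i+2]),
				EXTRACT_16BITS(&bp[i+4])));
			break;
		case IP6MOPT_AUTH:
			if (len - i < IP6MOPT_AUTH_MINLEN) {
				ND_PRINT((ndo, "(auth: trunc)"));
				goto trunc;
			}
			ND_PRINT((ndo, "(auth)"));
			break;
		default:
			if (len - i < IP6MOPT_MINLEN) {
				ND_PRINT((ndo, "(sopt_type %u: trunc)", bp[i]));
				goto trunc;
			}
			/* bp[i + 1] was checked above when optlen was derived. */
			ND_PRINT((ndo, "(type-0x%02x: len=%u)", bp[i], bp[i + 1]));
			break;
		}
	}
	return 0;

trunc:
	return 1;
}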
192
/*
 * Mobility Header
 *
 * Print the IPv6 mobility header at 'bp' and, with -v, its options.
 *
 * bp  - start of the mobility header.
 * bp2 - unused.
 *
 * Returns the header length in bytes, as derived from ip6m_len, on
 * success, and -1 (after printing tstr) when the captured data ends
 * inside the header or the header is inconsistent.  Every read past the
 * first two octets is preceded by an ND_TTEST/ND_TCHECK* check against
 * ndo->ndo_snapend; the ND_TCHECK* macros jump to 'trunc' on failure.
 */
int
mobility_print(netdissect_options *ndo,
               const u_char *bp, const u_char *bp2 _U_)
{
	const struct ip6_mobility *mh;
	const u_char *ep;
	unsigned mhlen, hlen;
	uint8_t type;

	mh = (const struct ip6_mobility *)bp;

	/* 'ep' points to the end of available data. */
	ep = ndo->ndo_snapend;

	if (!ND_TTEST(mh->ip6m_len)) {
		/*
		 * There's not enough captured data to include the
		 * mobility header length.
		 *
		 * Our caller expects us to return the length, however,
		 * so return a value that will run to the end of the
		 * captured data.
		 *
		 * XXX - "ip6_print()" doesn't do anything with the
		 * returned length, however, as it breaks out of the
		 * header-processing loop.
		 *
		 * NOTE: this assignment is dead as written - the trunc
		 * label below returns -1, not mhlen.
		 */
		mhlen = ep - bp;
		goto trunc;
	}
	/* ip6m_len counts 8-octet units and excludes the first 8 octets. */
	mhlen = (mh->ip6m_len + 1) << 3;

	/* XXX ip6m_cksum */

	ND_TCHECK(mh->ip6m_type);
	type = mh->ip6m_type;
	/*
	 * A header shorter than its type's fixed fields is malformed.
	 * Rejecting it here also keeps 'mhlen - hlen' (the option length
	 * handed to mobility_opt_print() below) from wrapping, since every
	 * 'hlen' computed in the switch equals the table entry for its type.
	 */
	if (type <= IP6M_MAX && mhlen < ip6m_hdrlen[type]) {
		ND_PRINT((ndo, "(header length %u is too small for type %u)", mhlen, type));
		goto trunc;
	}
	ND_PRINT((ndo, "mobility: %s", tok2str(ip6m_str, "type-#%u", type)));
	/*
	 * Each case prints the type-specific fields and leaves 'hlen' at
	 * the offset where the options begin.
	 */
	switch (type) {
	case IP6M_BINDING_REQUEST:
		hlen = IP6M_MINLEN;
		break;
	case IP6M_HOME_TEST_INIT:
	case IP6M_CAREOF_TEST_INIT:
		hlen = IP6M_MINLEN;
		if (ndo->ndo_vflag) {
			/* Checking the second word also covers the first. */
			ND_TCHECK_32BITS(&bp[hlen + 4]);
			ND_PRINT((ndo, " %s Init Cookie=%08x:%08x",
			       type == IP6M_HOME_TEST_INIT ? "Home" : "Care-of",
			       EXTRACT_32BITS(&bp[hlen]),
			       EXTRACT_32BITS(&bp[hlen + 4])));
		}
		hlen += 8;
		break;
	case IP6M_HOME_TEST:
	case IP6M_CAREOF_TEST:
		ND_TCHECK(mh->ip6m_data16[0]);
		ND_PRINT((ndo, " nonce id=0x%x", EXTRACT_16BITS(&mh->ip6m_data16[0])));
		hlen = IP6M_MINLEN;
		if (ndo->ndo_vflag) {
			ND_TCHECK_32BITS(&bp[hlen + 4]);
			ND_PRINT((ndo, " %s Init Cookie=%08x:%08x",
			       type == IP6M_HOME_TEST ? "Home" : "Care-of",
			       EXTRACT_32BITS(&bp[hlen]),
			       EXTRACT_32BITS(&bp[hlen + 4])));
		}
		hlen += 8;
		if (ndo->ndo_vflag) {
			ND_TCHECK_32BITS(&bp[hlen + 4]);
			ND_PRINT((ndo, " %s Keygen Token=%08x:%08x",
			       type == IP6M_HOME_TEST ? "Home" : "Care-of",
			       EXTRACT_32BITS(&bp[hlen]),
			       EXTRACT_32BITS(&bp[hlen + 4])));
		}
		hlen += 8;
		break;
	case IP6M_BINDING_UPDATE:
		ND_TCHECK(mh->ip6m_data16[0]);
		ND_PRINT((ndo, " seq#=%u", EXTRACT_16BITS(&mh->ip6m_data16[0])));
		hlen = IP6M_MINLEN;
		ND_TCHECK_16BITS(&bp[hlen]);
		/* Flag bits live in the high nibble of the first byte. */
		if (bp[hlen] & 0xf0) {
			ND_PRINT((ndo, " "));
			if (bp[hlen] & 0x80)
				ND_PRINT((ndo, "A"));
			if (bp[hlen] & 0x40)
				ND_PRINT((ndo, "H"));
			if (bp[hlen] & 0x20)
				ND_PRINT((ndo, "L"));
			if (bp[hlen] & 0x10)
				ND_PRINT((ndo, "K"));
		}
		/* Reserved (4bits) */
		hlen += 1;
		/* Reserved (8bits) */
		hlen += 1;
		ND_TCHECK_16BITS(&bp[hlen]);
		/* units of 4 secs */
		ND_PRINT((ndo, " lifetime=%u", EXTRACT_16BITS(&bp[hlen]) << 2));
		hlen += 2;
		break;
	case IP6M_BINDING_ACK:
		ND_TCHECK(mh->ip6m_data8[0]);
		ND_PRINT((ndo, " status=%u", mh->ip6m_data8[0]));
		ND_TCHECK(mh->ip6m_data8[1]);
		if (mh->ip6m_data8[1] & 0x80)
			ND_PRINT((ndo, " K"));
		/* Reserved (7bits) */
		hlen = IP6M_MINLEN;
		ND_TCHECK_16BITS(&bp[hlen]);
		ND_PRINT((ndo, " seq#=%u", EXTRACT_16BITS(&bp[hlen])));
		hlen += 2;
		ND_TCHECK_16BITS(&bp[hlen]);
		/* units of 4 secs */
		ND_PRINT((ndo, " lifetime=%u", EXTRACT_16BITS(&bp[hlen]) << 2));
		hlen += 2;
		break;
	case IP6M_BINDING_ERROR:
		ND_TCHECK(mh->ip6m_data8[0]);
		ND_PRINT((ndo, " status=%u", mh->ip6m_data8[0]));
		/* Reserved */
		hlen = IP6M_MINLEN;
		/* ip6addr_string() reads 16 bytes; check them all first. */
		ND_TCHECK2(bp[hlen], 16);
		ND_PRINT((ndo, " homeaddr %s", ip6addr_string(ndo, &bp[hlen])));
		hlen += 16;
		break;
	default:
		/*
		 * Unknown type: nothing is known about its layout, so the
		 * options are not walked; 'hlen' is never set on this path.
		 */
		ND_PRINT((ndo, " len=%u", mh->ip6m_len));
		return(mhlen);
		break;
	}
	/* Options are only decoded in verbose mode. */
	if (ndo->ndo_vflag)
		if (mobility_opt_print(ndo, &bp[hlen], mhlen - hlen))
			goto trunc;

	return(mhlen);

trunc:
	ND_PRINT((ndo, "%s", tstr));
	return(-1);
}