CVE-2017-13009/IPv6 mobility: Add a bounds check.
index ca5541330ca981834352ab6b50cba95ad3d0f5a3..d3ca0cabd7e771ff9679b0fd989c7af74c6a26a6 100644 (file)
@@ -28,6 +28,7 @@
  */
 
 /* \summary: IPv6 mobility printer */
+/* RFC 3775 */
 
 #ifdef HAVE_CONFIG_H
 #include "config.h"
@@ -241,7 +242,7 @@ mobility_print(netdissect_options *ndo,
        case IP6M_CAREOF_TEST_INIT:
                hlen = IP6M_MINLEN;
                if (ndo->ndo_vflag) {
-                       ND_TCHECK2(*mh, hlen + 8);
+                       ND_TCHECK_32BITS(&bp[hlen + 4]);
                        ND_PRINT((ndo, " %s Init Cookie=%08x:%08x",
                               type == IP6M_HOME_TEST_INIT ? "Home" : "Care-of",
                               EXTRACT_32BITS(&bp[hlen]),
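Review bot: The new `ND_TCHECK_32BITS(&bp[hlen + 4])` explicitly guards only bytes hlen+4..hlen+7, while the `EXTRACT_32BITS(&bp[hlen])` on the last line of this hunk reads hlen..hlen+3; that first read is safe only because the captured data is a contiguous prefix of the packet, so a check on the later word implies the earlier one. Replacing an explicit 8-byte range check with a check on the second word alone hides that reliance, and a reader may take the first word for an unchecked read; a one-line comment would close the gap: `/* checking the second cookie word also covers the first: captured data is a contiguous prefix */`. The same pattern appears in the next two hunks (the Home/Care-of Test cookie and the Keygen Token checks), so the comment applies there too. It is presumed here that bp aliases mh, as the old `ND_TCHECK2(*mh, hlen + 8)` suggests; mobility_print starts before this hunk and continues past it.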
@@ -255,7 +256,7 @@ mobility_print(netdissect_options *ndo,
                ND_PRINT((ndo, " nonce id=0x%x", EXTRACT_16BITS(&mh->ip6m_data16[0])));
                hlen = IP6M_MINLEN;
                if (ndo->ndo_vflag) {
-                       ND_TCHECK2(*mh, hlen + 8);
+                       ND_TCHECK_32BITS(&bp[hlen + 4]);
                        ND_PRINT((ndo, " %s Init Cookie=%08x:%08x",
                               type == IP6M_HOME_TEST ? "Home" : "Care-of",
                               EXTRACT_32BITS(&bp[hlen]),
@@ -263,7 +264,7 @@ mobility_print(netdissect_options *ndo,
                }
                hlen += 8;
                if (ndo->ndo_vflag) {
-                       ND_TCHECK2(*mh, hlen + 8);
+                       ND_TCHECK_32BITS(&bp[hlen + 4]);
                        ND_PRINT((ndo, " %s Keygen Token=%08x:%08x",
                               type == IP6M_HOME_TEST ? "Home" : "Care-of",
                               EXTRACT_32BITS(&bp[hlen]),
@@ -275,22 +276,23 @@ mobility_print(netdissect_options *ndo,
                ND_TCHECK(mh->ip6m_data16[0]);
                ND_PRINT((ndo, " seq#=%u", EXTRACT_16BITS(&mh->ip6m_data16[0])));
                hlen = IP6M_MINLEN;
-               ND_TCHECK2(*mh, hlen + 1);
-               if (bp[hlen] & 0xf0)
+               ND_TCHECK_16BITS(&bp[hlen]);
+               if (bp[hlen] & 0xf0) {
                        ND_PRINT((ndo, " "));
-               if (bp[hlen] & 0x80)
-                       ND_PRINT((ndo, "A"));
-               if (bp[hlen] & 0x40)
-                       ND_PRINT((ndo, "H"));
-               if (bp[hlen] & 0x20)
-                       ND_PRINT((ndo, "L"));
-               if (bp[hlen] & 0x10)
-                       ND_PRINT((ndo, "K"));
+                       if (bp[hlen] & 0x80)
+                               ND_PRINT((ndo, "A"));
+                       if (bp[hlen] & 0x40)
+                               ND_PRINT((ndo, "H"));
+                       if (bp[hlen] & 0x20)
+                               ND_PRINT((ndo, "L"));
+                       if (bp[hlen] & 0x10)
+                               ND_PRINT((ndo, "K"));
+               }
                /* Reserved (4bits) */
                hlen += 1;
                /* Reserved (8bits) */
                hlen += 1;
-               ND_TCHECK2(*mh, hlen + 2);
+               ND_TCHECK_16BITS(&bp[hlen]);
                /* units of 4 secs */
                ND_PRINT((ndo, " lifetime=%u", EXTRACT_16BITS(&bp[hlen]) << 2));
                hlen += 2;
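Review bot: The Binding Update flag letters printed in the new nested block (`A`, `H`, `L`, `K`) are not explained anywhere in the hunk, and the restructuring makes the block a natural place for it. Per RFC 3775 section 6.1.7 these are Acknowledge, Home Registration, Link-Local Address Compatibility and Key Management Mobility Capability, so a comment such as `/* BU flags (RFC 3775 6.1.7): A=Acknowledge H=Home Registration L=Link-Local Addr Compat K=Key Mgmt Mobility Cap */` above `if (bp[hlen] & 0xf0)` would do. Note also that `ND_TCHECK_16BITS(&bp[hlen])` replacing the old 1-byte check now covers the following reserved byte, which is skipped but never read; for a packet cut exactly after the flags byte, the flags are no longer printed before the truncation path is taken, whereas the old order printed them first. If that output change is intended a short remark would help. mobility_print starts before this hunk and continues past it.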
@@ -298,14 +300,15 @@ mobility_print(netdissect_options *ndo,
        case IP6M_BINDING_ACK:
                ND_TCHECK(mh->ip6m_data8[0]);
                ND_PRINT((ndo, " status=%u", mh->ip6m_data8[0]));
+               ND_TCHECK(mh->ip6m_data8[1]);
                if (mh->ip6m_data8[1] & 0x80)
                        ND_PRINT((ndo, " K"));
                /* Reserved (7bits) */
                hlen = IP6M_MINLEN;
-               ND_TCHECK2(*mh, hlen + 2);
+               ND_TCHECK_16BITS(&bp[hlen]);
                ND_PRINT((ndo, " seq#=%u", EXTRACT_16BITS(&bp[hlen])));
                hlen += 2;
-               ND_TCHECK2(*mh, hlen + 2);
+               ND_TCHECK_16BITS(&bp[hlen]);
                /* units of 4 secs */
                ND_PRINT((ndo, " lifetime=%u", EXTRACT_16BITS(&bp[hlen]) << 2));
                hlen += 2;
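Review bot: The added `ND_TCHECK(mh->ip6m_data8[1])` is kept separate from the `ND_TCHECK(mh->ip6m_data8[0])` two lines above, with the status print between them, so a packet truncated right after the status byte still has its status printed before the truncation path is taken; collapsing the two into a single 16-bit check would drop that print. That ordering is reasonable but easy to "simplify" away later, so suggest `/* checked separately from data8[0] so a truncated packet still prints status */` above the new line. The meaning of the `K` bit is also undocumented here; per RFC 3775 section 6.1.8 it is the Binding Acknowledgement's Key Management Mobility Capability flag, so `/* K: Key Management Mobility Capability (RFC 3775 6.1.8) */` on the `if` would help. mobility_print starts before this hunk and continues past it.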
@@ -315,7 +318,7 @@ mobility_print(netdissect_options *ndo,
                ND_PRINT((ndo, " status=%u", mh->ip6m_data8[0]));
                /* Reserved */
                hlen = IP6M_MINLEN;
-               ND_TCHECK2(*mh, hlen + 16);
+               ND_TCHECK2(bp[hlen], 16);
                ND_PRINT((ndo, " homeaddr %s", ip6addr_string(ndo, &bp[hlen])));
                hlen += 16;
                break;
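Review bot: The `/* Reserved */` comment above `hlen = IP6M_MINLEN` describes a field the code neither reads nor explicitly skips, which leaves a reader checking whether a read was dropped; presumably it refers to the byte after the status byte in the fixed header (ip6m_data8[1]), which the Binding Error case simply does not print. Making that explicit, `/* Reserved (8bits): ip6m_data8[1], not printed */`, would match the `/* Reserved (7bits) */` style used in the Binding Acknowledgement case. The new `ND_TCHECK2(bp[hlen], 16)` directly precedes the 16-byte read by ip6addr_string, which is the right placement. mobility_print starts before this hunk and continues past it.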