X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/2389eb02e5dc0925a0404aea7fd02f286f26e93f..d0aad4b7edc05d9ecf6b9c6615a47fd5c58d732c:/print-tcp.c diff --git a/print-tcp.c b/print-tcp.c index ff5279c3..59f30558 100644 --- a/print-tcp.c +++ b/print-tcp.c @@ -43,6 +43,8 @@ __RCSID("$NetBSD: print-tcp.c,v 1.8 2007/07/24 11:53:48 drochner Exp $"); #include "addrtoname.h" #include "extract.h" +#include "diag-control.h" + #include "tcp.h" #include "ip.h" @@ -172,6 +174,7 @@ tcp_print(netdissect_options *ndo, uint16_t magic; int rev; const struct ip6_hdr *ip6; + u_int header_len; /* Header length in bytes */ ndo->ndo_protocol = "tcp"; tp = (const struct tcphdr *)bp; @@ -298,7 +301,7 @@ tcp_print(netdissect_options *ndo, if (th->nxt == NULL) (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC, - "tcp_print: calloc"); + "%s: calloc", __func__); } th->addr = tha; if (rev) @@ -356,7 +359,7 @@ tcp_print(netdissect_options *ndo, if (th->nxt == NULL) (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC, - "tcp_print: calloc"); + "%s: calloc", __func__); } th->addr = tha; if (rev) @@ -612,11 +615,28 @@ tcp_print(netdissect_options *ndo, break; case TCPOPT_MPTCP: + { + const u_char *snapend_save; + int ret; + datalen = len - 2; LENCHECK(datalen); - if (!mptcp_print(ndo, cp-2, len, flags)) + /* Update the snapend to the end of the option + * before calling mptcp_print(). Some options + * (MPTCP or others) may be present after a + * MPTCP option. This prevents that, in + * mptcp_print(), the remaining length < the + * remaining caplen. + */ + snapend_save = ndo->ndo_snapend; + ndo->ndo_snapend = ND_MIN(cp - 2 + len, + ndo->ndo_snapend); + ret = mptcp_print(ndo, cp - 2, len, flags); + ndo->ndo_snapend = snapend_save; + if (!ret) goto bad; break; + } case TCPOPT_FASTOPEN: datalen = len - 2; @@ -686,7 +706,17 @@ tcp_print(netdissect_options *ndo, /* * Decode payload if necessary. */ - bp += TH_OFF(tp) * 4; + header_len = TH_OFF(tp) * 4; + /* + * Do a bounds check before decoding the payload. + * At least the header data is required. + */ + if (!ND_TTEST_LEN(bp, header_len)) { + ND_PRINT(" [remaining caplen(%u) < header length(%u)]", + ND_BYTES_AVAILABLE_AFTER(bp), header_len); + nd_trunc_longjmp(ndo); + } + bp += header_len; if ((flags & TH_RST) && ndo->ndo_vflag) { print_tcp_rst_data(ndo, bp, length); return; @@ -859,7 +889,7 @@ print_tcp_fastopen_option(netdissect_options *ndo, const u_char *cp, } #ifdef HAVE_LIBCRYPTO -USES_APPLE_DEPRECATED_API +DIAG_OFF_DEPRECATION static int tcp_verify_signature(netdissect_options *ndo, const struct ip *ip, const struct tcphdr *tp, @@ -939,5 +969,5 @@ tcp_verify_signature(netdissect_options *ndo, else return (SIGNATURE_INVALID); } -USES_APPLE_RST +DIAG_ON_DEPRECATION #endif /* HAVE_LIBCRYPTO */