X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/306c2a0384af923a73bf234f3c8bc186ceff0b58..5ef0bcb5edd748de9d9af13c40da0395dfdd94e8:/print-ospf.c diff --git a/print-ospf.c b/print-ospf.c index 43f9dcc2..09876377 100644 --- a/print-ospf.c +++ b/print-ospf.c @@ -301,13 +301,12 @@ ospf_te_lsa_print(netdissect_options *ndo, switch(tlv_type) { case LS_OPAQUE_TE_TLV_LINK: - while (tlv_length >= sizeof(subtlv_type) + sizeof(subtlv_length)) { + while (tlv_length != 0) { if (tlv_length < 4) { ND_PRINT("\n\t Remaining TLV length %u < 4", tlv_length); return -1; } - ND_TCHECK_4(tptr); subtlv_type = GET_BE_U_2(tptr); subtlv_length = GET_BE_U_2(tptr + 2); tptr+=4; @@ -322,6 +321,11 @@ ospf_te_lsa_print(netdissect_options *ndo, subtlv_type, subtlv_length); + if (tlv_length < subtlv_length) { + ND_PRINT("\n\t Remaining TLV length %u < %u", + tlv_length + 4, subtlv_length + 4); + return -1; + } ND_TCHECK_LEN(tptr, subtlv_length); switch(subtlv_type) { case LS_OPAQUE_TE_LINK_SUBTLV_ADMIN_GROUP: @@ -471,6 +475,11 @@ ospf_te_lsa_print(netdissect_options *ndo, if (subtlv_length%4 != 0) subtlv_length+=4-(subtlv_length%4); + if (tlv_length < subtlv_length) { + ND_PRINT("\n\t Remaining TLV length %u < %u", + tlv_length + 4, subtlv_length + 4); + return -1; + } tlv_length-=subtlv_length; tptr+=subtlv_length; @@ -482,7 +491,6 @@ ospf_te_lsa_print(netdissect_options *ndo, ND_PRINT("\n\t TLV length %u < 4", tlv_length); return -1; } - ND_TCHECK_4(tptr); ND_PRINT(", %s", GET_IPADDR_STRING(tptr)); break; @@ -496,6 +504,11 @@ ospf_te_lsa_print(netdissect_options *ndo, /* in OSPF everything has to be 32-bit aligned, including TLVs */ if (tlv_length%4 != 0) tlv_length+=4-(tlv_length%4); + if (tlv_length > ls_length) { + ND_PRINT("\n\t Bogus padded length %u > %u", tlv_length, + ls_length); + return -1; + } ls_length-=tlv_length; tptr+=tlv_length; } 
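Review bot: The new `tlv_length < subtlv_length` guard in the `@@ -322` hunk and the one added after the 32-bit padding step in the `@@ -471` hunk print the same text, `Remaining TLV length %u < %u`, so output from a malformed capture does not show whether the declared sub-TLV length or only its padded length overran the link TLV. The second message could follow the wording the `@@ -496` hunk uses for the outer TLV, for example `ND_PRINT("\n\t Bogus padded sub-TLV length %u > %u", subtlv_length, tlv_length);`. Both messages also add 4 to each operand, presumably because tlv_length has already had the 4-byte sub-TLV header subtracted in lines outside these hunks. A comment such as `/* lengths shown include the 4-byte sub-TLV header already consumed */` would make that explicit. The enclosing while loop of ospf_te_lsa_print starts and ends outside both hunks.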
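Review bot: The `tlv_length > ls_length` test added in the `@@ -496` hunk is what keeps `ls_length-=tlv_length` from going below zero once padding has rounded tlv_length up, but nothing next to it says so. ls_length is declared outside the hunk; it is printed with `%u`, so it is presumably unsigned, and the subtraction would otherwise wrap to a large value and keep the loop running on packet-supplied lengths. A comment such as `/* padding may exceed what is left of the LSA; stop here so ls_length cannot wrap */` above the check would record that.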
@@ -514,22 +527,17 @@ ospf_print_lshdr(netdissect_options *ndo, u_int ls_type; u_int ls_length; - ND_TCHECK_2(lshp->ls_length); ls_length = GET_BE_U_2(lshp->ls_length); if (ls_length < sizeof(struct lsa_hdr)) { ND_PRINT("\n\t Bogus length %u < header (%zu)", ls_length, sizeof(struct lsa_hdr)); return(-1); } - - ND_TCHECK_4(lshp->ls_seq); /* XXX - ls_length check checked this */ ND_PRINT("\n\t Advertising Router %s, seq 0x%08x, age %us, length %u", GET_IPADDR_STRING(lshp->ls_router), GET_BE_U_4(lshp->ls_seq), GET_BE_U_2(lshp->ls_age), ls_length - (u_int)sizeof(struct lsa_hdr)); - - ND_TCHECK_1(lshp->ls_type); /* XXX - ls_length check checked this */ ls_type = GET_U_1(lshp->ls_type); switch (ls_type) { /* the LSA header for opaque LSAs was slightly changed */ @@ -557,14 +565,10 @@ ospf_print_lshdr(netdissect_options *ndo, GET_IPADDR_STRING(lshp->un_lsa_id.lsa_id)); break; } - - ND_TCHECK_1(lshp->ls_options); /* XXX - ls_length check checked this */ ND_PRINT("\n\t Options: [%s]", bittok2str(ospf_option_values, "none", GET_U_1(lshp->ls_options))); return (ls_length); -trunc: - return (-1); } /* draft-ietf-ospf-mt-09 */ 
@@ -624,29 +628,33 @@ ospf_print_lsa(netdissect_options *ndo, const struct aslametric *almp; const struct mcla *mcp; const uint8_t *lp; - int j, tlv_type, tlv_length, topology; - int ls_length; + u_int tlv_type, tlv_length, rla_count, topology; + int ospf_print_lshdr_ret; + u_int ls_length; const uint8_t *tptr; tptr = (const uint8_t *)lsap->lsa_un.un_unknown; /* squelch compiler warnings */ - ls_length = ospf_print_lshdr(ndo, &lsap->ls_hdr); - if (ls_length == -1) - return(NULL); + ospf_print_lshdr_ret = ospf_print_lshdr(ndo, &lsap->ls_hdr); + if (ospf_print_lshdr_ret < 0) + return(NULL); + ls_length = (u_int)ospf_print_lshdr_ret; ls_end = (const uint8_t *)lsap + ls_length; + /* + * ospf_print_lshdr() returns -1 if the length is too short, + * so we know ls_length is >= sizeof(struct lsa_hdr). + */ ls_length -= sizeof(struct lsa_hdr); switch (GET_U_1(lsap->ls_hdr.ls_type)) { case LS_TYPE_ROUTER: - ND_TCHECK_1(lsap->lsa_un.un_rla.rla_flags); ND_PRINT("\n\t Router LSA Options: [%s]", bittok2str(ospf_rla_flag_values, "none", GET_U_1(lsap->lsa_un.un_rla.rla_flags))); - ND_TCHECK_2(lsap->lsa_un.un_rla.rla_count); - j = GET_BE_U_2(lsap->lsa_un.un_rla.rla_count); + rla_count = GET_BE_U_2(lsap->lsa_un.un_rla.rla_count); ND_TCHECK_SIZE(lsap->lsa_un.un_rla.rla_link); rlp = lsap->lsa_un.un_rla.rla_link; - while (j--) { + for (u_int i = rla_count; i != 0; i--) { ND_TCHECK_SIZE(rlp); switch (GET_U_1(rlp->un_tos.link.link_type)) { @@ -689,7 +697,6 @@ ospf_print_lsa(netdissect_options *ndo, break; case LS_TYPE_NETWORK: - ND_TCHECK_4(lsap->lsa_un.un_nla.nla_mask); ND_PRINT("\n\t Mask %s\n\t Connected Routers:", GET_IPADDR_STRING(lsap->lsa_un.un_nla.nla_mask)); ap = lsap->lsa_un.un_nla.nla_router; @@ -709,7 +716,6 @@ ospf_print_lsa(netdissect_options *ndo, while (lp < ls_end) { uint32_t ul; - ND_TCHECK_4(lp); ul = GET_BE_U_4(lp); topology = (ul & SLA_MASK_TOS) >> SLA_SHIFT_TOS; ND_PRINT("\n\t\ttopology %s (%u) metric %u", 
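Review bot: The router-LSA loop in the `@@ -624` hunk, `for (u_int i = rla_count; i != 0; i--)`, is still bounded only by rla_count, a 16-bit value read from the packet, while the other LSA-type loops visible in this diff stop at ls_end. `ND_TCHECK_SIZE(rlp)` keeps the reads inside the captured data, so this is a dissection-accuracy problem rather than an out-of-bounds read: an inflated count makes bytes that follow this LSA print as router links. Unless the loop body, which continues outside the hunk, already compares rlp with ls_end, the condition could be `i != 0 && (const u_char *)rlp < ls_end`, following the cast used in the `almp` loop.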
@@ -726,7 +732,6 @@ ospf_print_lsa(netdissect_options *ndo, while (lp < ls_end) { uint32_t ul; - ND_TCHECK_4(lp); ul = GET_BE_U_4(lp); topology = (ul & SLA_MASK_TOS) >> SLA_SHIFT_TOS; ND_PRINT("\n\t\ttopology %s (%u) metric %u", @@ -748,7 +753,6 @@ ospf_print_lsa(netdissect_options *ndo, while ((const u_char *)almp < ls_end) { uint32_t ul; - ND_TCHECK_4(almp->asla_tosmetric); ul = GET_BE_U_4(almp->asla_tosmetric); topology = ((ul & ASLA_MASK_TOS) >> ASLA_SHIFT_TOS); ND_PRINT("\n\t\ttopology %s (%u), type %u, metric", @@ -760,11 +764,9 @@ ospf_print_lsa(netdissect_options *ndo, else ND_PRINT(" %u", (ul & ASLA_MASK_METRIC)); - ND_TCHECK_4(almp->asla_forward); if (GET_IPV4_TO_NETWORK_ORDER(almp->asla_forward) != 0) { ND_PRINT(", forward %s", GET_IPADDR_STRING(almp->asla_forward)); } - ND_TCHECK_4(almp->asla_tag); if (GET_IPV4_TO_NETWORK_ORDER(almp->asla_tag) != 0) { ND_PRINT(", tag %s", GET_IPADDR_STRING(almp->asla_tag)); } @@ -776,7 +778,6 @@ ospf_print_lsa(netdissect_options *ndo, /* Multicast extensions as of 23 July 1991 */ mcp = lsap->lsa_un.un_mcla; while ((const u_char *)mcp < ls_end) { - ND_TCHECK_4(mcp->mcla_vid); switch (GET_BE_U_4(mcp->mcla_vtype)) { case MCLA_VERTEX_ROUTER: 
@@ -806,25 +807,26 @@ ospf_print_lsa(netdissect_options *ndo, case LS_OPAQUE_TYPE_RI: tptr = (const uint8_t *)(lsap->lsa_un.un_ri_tlv); - while (ls_length != 0) { + u_int ls_length_remaining = ls_length; + while (ls_length_remaining != 0) { ND_TCHECK_4(tptr); - if (ls_length < 4) { - ND_PRINT("\n\t Remaining LS length %u < 4", ls_length); + if (ls_length_remaining < 4) { + ND_PRINT("\n\t Remaining LS length %u < 4", ls_length_remaining); return(ls_end); } tlv_type = GET_BE_U_2(tptr); tlv_length = GET_BE_U_2(tptr + 2); tptr+=4; - ls_length-=4; + ls_length_remaining-=4; ND_PRINT("\n\t %s TLV (%u), length: %u, value: ", tok2str(lsa_opaque_ri_tlv_values,"unknown",tlv_type), tlv_type, tlv_length); - if (tlv_length > ls_length) { - ND_PRINT("\n\t Bogus length %u > %u", tlv_length, - ls_length); + if (tlv_length > ls_length_remaining) { + ND_PRINT("\n\t Bogus length %u > remaining LS length %u", tlv_length, + ls_length_remaining); return(ls_end); } ND_TCHECK_LEN(tptr, tlv_length); @@ -847,7 +849,7 @@ ospf_print_lsa(netdissect_options *ndo, } tptr+=tlv_length; - ls_length-=tlv_length; + ls_length_remaining-=tlv_length; } break; @@ -926,24 +928,19 @@ ospf_decode_lls(netdissect_options *ndo, ND_PRINT("\n\t[LLS truncated]"); return (1); } - ND_TCHECK_2(dptr); ND_PRINT("\n\t LLS: checksum: 0x%04x", (u_int) GET_BE_U_2(dptr)); dptr += 2; - ND_TCHECK_2(dptr); length2 = GET_BE_U_2(dptr); ND_PRINT(", length: %u", length2); dptr += 2; - ND_TCHECK_1(dptr); while (dptr < dataend) { - ND_TCHECK_2(dptr); lls_type = GET_BE_U_2(dptr); ND_PRINT("\n\t %s (%u)", tok2str(ospf_lls_tlv_values,"Unknown TLV",lls_type), lls_type); dptr += 2; - ND_TCHECK_2(dptr); lls_len = GET_BE_U_2(dptr); ND_PRINT(", length: %u", lls_len); dptr += 2; @@ -954,7 +951,6 @@ ospf_decode_lls(netdissect_options *ndo, ND_PRINT(" [should be 4]"); lls_len = 4; } - ND_TCHECK_4(dptr); lls_flags = GET_BE_U_4(dptr); ND_PRINT("\n\t Options: 0x%08x [%s]", lls_flags, bittok2str(ospf_lls_eo_options, "?", lls_flags)); 
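Review bot: In the `@@ -806` hunk `ND_TCHECK_4(tptr)` is kept ahead of the `ls_length_remaining < 4` test, so when 1–3 bytes are left in the LSA the capture-length check runs against four bytes before the declared length is examined, and a packet that ends there is reported as truncated instead of with the `Remaining LS length` message. The TE link loop in the `@@ -301` hunk tests the length first and had its `ND_TCHECK_4(tptr);` removed in favour of the bounds check inside `GET_BE_U_2()`; dropping the line here as well would give both loops the same order. Separately, `u_int ls_length_remaining = ls_length;` is declared in a case body with no braces, so its scope extends over any later case labels of the same switch (not visible in this hunk); enclosing the RI case in `{ }` would confine it.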
@@ -966,7 +962,6 @@ ospf_decode_lls(netdissect_options *ndo, ND_PRINT(" [should be 20]"); lls_len = 20; } - ND_TCHECK_4(dptr); ND_PRINT("\n\t Sequence number: 0x%08x", GET_BE_U_4(dptr)); break; } @@ -975,8 +970,6 @@ ospf_decode_lls(netdissect_options *ndo, } return (0); -trunc: - return (1); } static int @@ -992,23 +985,19 @@ ospf_decode_v2(netdissect_options *ndo, switch (GET_U_1(op->ospf_type)) { case OSPF_TYPE_HELLO: - ND_TCHECK_1(op->ospf_hello.hello_options); ND_PRINT("\n\tOptions [%s]", bittok2str(ospf_option_values,"none",GET_U_1(op->ospf_hello.hello_options))); - ND_TCHECK_4(op->ospf_hello.hello_deadint); ND_PRINT("\n\t Hello Timer %us, Dead Timer %us, Mask %s, Priority %u", GET_BE_U_2(op->ospf_hello.hello_helloint), GET_BE_U_4(op->ospf_hello.hello_deadint), GET_IPADDR_STRING(op->ospf_hello.hello_mask), GET_U_1(op->ospf_hello.hello_priority)); - ND_TCHECK_4(op->ospf_hello.hello_dr); if (GET_IPV4_TO_NETWORK_ORDER(op->ospf_hello.hello_dr) != 0) ND_PRINT("\n\t Designated Router %s", GET_IPADDR_STRING(op->ospf_hello.hello_dr)); - ND_TCHECK_4(op->ospf_hello.hello_bdr); if (GET_IPV4_TO_NETWORK_ORDER(op->ospf_hello.hello_bdr) != 0) ND_PRINT(", Backup Designated Router %s", GET_IPADDR_STRING(op->ospf_hello.hello_bdr)); @@ -1024,18 +1013,14 @@ ospf_decode_v2(netdissect_options *ndo, break; /* HELLO */ case OSPF_TYPE_DD: - ND_TCHECK_1(op->ospf_db.db_options); ND_PRINT("\n\tOptions [%s]", bittok2str(ospf_option_values, "none", GET_U_1(op->ospf_db.db_options))); - ND_TCHECK_1(op->ospf_db.db_flags); ND_PRINT(", DD Flags [%s]", bittok2str(ospf_dd_flag_values, "none", GET_U_1(op->ospf_db.db_flags))); - ND_TCHECK_2(op->ospf_db.db_ifmtu); if (GET_BE_U_2(op->ospf_db.db_ifmtu)) { ND_PRINT(", MTU: %u", GET_BE_U_2(op->ospf_db.db_ifmtu)); } - ND_TCHECK_4(op->ospf_db.db_seq); ND_PRINT(", Sequence: 0x%08x", GET_BE_U_4(op->ospf_db.db_seq)); /* Print all the LS adv's */ 
@@ -1077,7 +1062,6 @@ ospf_decode_v2(netdissect_options *ndo, case OSPF_TYPE_LS_UPDATE: lsap = op->ospf_lsu.lsu_lsa; - ND_TCHECK_4(op->ospf_lsu.lsu_count); lsa_count_max = GET_BE_U_4(op->ospf_lsu.lsu_count); ND_PRINT(", %u LSA%s", lsa_count_max, PLURAL_SUFFIX(lsa_count_max)); for (lsa_count=1;lsa_count <= lsa_count_max;lsa_count++) { @@ -1116,7 +1100,6 @@ ospf_print(netdissect_options *ndo, op = (const struct ospfhdr *)bp; /* XXX Before we do anything else, strip off the MD5 trailer */ - ND_TCHECK_2(op->ospf_authtype); if (GET_BE_U_2(op->ospf_authtype) == OSPF_AUTH_MD5) { length -= OSPF_AUTH_MD5_LEN; ndo->ndo_snapend -= OSPF_AUTH_MD5_LEN; @@ -1124,7 +1107,6 @@ ospf_print(netdissect_options *ndo, /* If the type is valid translate it, or just print the type */ /* value. If it's not valid, say so and return */ - ND_TCHECK_1(op->ospf_type); cp = tok2str(type2str, "unknown LS-type %u", GET_U_1(op->ospf_type)); ND_PRINT("OSPFv%u, %s, length %u", GET_U_1(op->ospf_version), cp, length); @@ -1135,7 +1117,6 @@ ospf_print(netdissect_options *ndo, return; } - ND_TCHECK_2(op->ospf_len); if (length != GET_BE_U_2(op->ospf_len)) { ND_PRINT(" [len %u]", GET_BE_U_2(op->ospf_len)); } @@ -1146,10 +1127,8 @@ ospf_print(netdissect_options *ndo, dataend = bp + length; } - ND_TCHECK_4(op->ospf_routerid); ND_PRINT("\n\tRouter-ID %s", GET_IPADDR_STRING(op->ospf_routerid)); - ND_TCHECK_4(op->ospf_areaid); if (GET_IPV4_TO_NETWORK_ORDER(op->ospf_areaid) != 0) ND_PRINT(", Area %s", GET_IPADDR_STRING(op->ospf_areaid)); else