X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/436ced3bd83f6b3a5b4a206538c56189837add59..b07acab03ae9f76fe822ff9239d705f48efd270d:/print-rsvp.c?ds=inline
diff --git a/print-rsvp.c b/print-rsvp.c
index 93f6d670..438761ea 100644
--- a/print-rsvp.c
+++ b/print-rsvp.c
@@ -12,9 +12,11 @@ * LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE. * - * Original code by Hannes Gredler (hannes@juniper.net) + * Original code by Hannes Gredler (hannes@gredler.at) */ +/* \summary: Resource ReSerVation Protocol (RSVP) printer */ + #ifdef HAVE_CONFIG_H #include "config.h" #endif
@@ -497,6 +499,7 @@ rsvp_intserv_print(netdissect_options *ndo, if (obj_tlen < 4) return 0; + ND_TCHECK_8BITS(tptr); parameter_id = *(tptr); ND_TCHECK2(*(tptr + 2), 2); parameter_length = EXTRACT_16BITS(tptr+2)<<2; /* convert wordcount to bytecount */
@@ -519,9 +522,10 @@ rsvp_intserv_print(netdissect_options *ndo, * | IS hop cnt (32-bit unsigned integer) | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ - if (parameter_length == 4) + if (parameter_length == 4) { ND_TCHECK2(*(tptr + 4), 4); ND_PRINT((ndo, "\n\t\tIS hop count: %u", EXTRACT_32BITS(tptr + 4))); + } break; case 6:
@@ -566,9 +570,10 @@ rsvp_intserv_print(netdissect_options *ndo, * | Composed MTU (32-bit unsigned integer) | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ - if (parameter_length == 4) + if (parameter_length == 4) { ND_TCHECK2(*(tptr + 4), 4); ND_PRINT((ndo, "\n\t\tComposed MTU: %u bytes", EXTRACT_32BITS(tptr + 4))); + } break; case 127: /*
@@ -623,9 +628,10 @@ rsvp_intserv_print(netdissect_options *ndo, case 134: case 135: case 136: - if (parameter_length == 4) + if (parameter_length == 4) { ND_TCHECK2(*(tptr + 4), 4); ND_PRINT((ndo, "\n\t\tValue: %u", EXTRACT_32BITS(tptr + 4))); + } break; default:
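Review bot: The 4-byte parameter header in the `@@ -497,6 +499,7 @@` hunk is bounds-checked in two pieces, `ND_TCHECK_8BITS(tptr)` for byte 0 and the existing `ND_TCHECK2(*(tptr + 2), 2)` for bytes 2-3, so byte 1 has no check of its own here. The guard above already requires `obj_tlen >= 4`, so a single `ND_TCHECK2(*tptr, 4);` before `parameter_id = *(tptr);` would cover the whole header and pair the declared-length test with one captured-length test. The rest of rsvp_intserv_print is outside the hunk, so whether byte 1 is read later cannot be confirmed from here.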
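Review bot: With the braces added in the `@@ -519,9 +522,10 @@` hunk, a parameter whose `parameter_length` is not 4 reaches `break` with no value and no diagnostic printed for it. Consider reporting it, for example `else ND_PRINT((ndo, "\n\t\tERROR: unexpected parameter length %u", parameter_length));`, so that a malformed parameter is visible to whoever reads the dump. The same applies to the Composed MTU hunk and to the `case 134:`/`135:`/`136:` hunk. The switch starts and ends outside these hunks, so the declared type of `parameter_length` should be checked against the `%u` before adopting the line.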
@@ -1061,20 +1067,37 @@ rsvp_obj_print(netdissect_options *ndo, switch(rsvp_obj_ctype) { case RSVP_CTYPE_IPV4: while(obj_tlen >= 4 ) { + u_char length; + + ND_TCHECK2(*obj_tptr, 4); + length = *(obj_tptr + 1); ND_PRINT((ndo, "%s Subobject Type: %s, length %u", ident, tok2str(rsvp_obj_xro_values, "Unknown %u", RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)), - *(obj_tptr + 1))); + length)); - if (*(obj_tptr+1) == 0) { /* prevent infinite loops */ + if (length == 0) { /* prevent infinite loops */ ND_PRINT((ndo, "%s ERROR: zero length ERO subtype", ident)); break; } switch(RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)) { + u_char prefix_length; + case RSVP_OBJ_XRO_IPV4: + if (length != 8) { + ND_PRINT((ndo, " ERROR: length != 8")); + goto invalid; + } + ND_TCHECK2(*obj_tptr, 8); + prefix_length = *(obj_tptr+6); + if (prefix_length != 32) { + ND_PRINT((ndo, " ERROR: Prefix length %u != 32", + prefix_length)); + goto invalid; + } ND_PRINT((ndo, ", %s, %s/%u, Flags: [%s]", RSVP_OBJ_XRO_MASK_LOOSE(*obj_tptr) ? "Loose" : "Strict", ipaddr_string(ndo, obj_tptr+2),
@@ -1084,6 +1107,11 @@ rsvp_obj_print(netdissect_options *ndo, *(obj_tptr + 7)))); /* rfc3209 says that this field is rsvd. */ break; case RSVP_OBJ_XRO_LABEL: + if (length != 8) { + ND_PRINT((ndo, " ERROR: length != 8")); + goto invalid; + } + ND_TCHECK2(*obj_tptr, 8); ND_PRINT((ndo, ", Flags: [%s] (%#x), Class-Type: %s (%u), %u", bittok2str(rsvp_obj_rro_label_flag_values, "none",
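Review bot: The new checks pin `length` to 8 for the IPv4 subobject, but nothing in the hunk compares `length` with `obj_tlen`, and the loop guard only guarantees that 4 bytes remain. A subobject that declares 8 bytes when only 4 to 7 remain passes `ND_TCHECK2(*obj_tptr, 8)` whenever those bytes were captured, so the printed fields may belong to whatever follows the object. The loop advance is outside the hunk, but it would presumably then subtract more than remains. Adding `if (length > obj_tlen) goto invalid;` right after the zero-length check would cover every subobject type, including cases not shown here. The same gap applies to the `RSVP_OBJ_XRO_LABEL` hunk that follows.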
@@ -1178,6 +1206,17 @@ rsvp_obj_print(netdissect_options *ndo, /* read variable length subobjects */ total_subobj_len = obj_tlen; while(total_subobj_len > 0) { + /* If RFC 3476 Section 3.1 defined that a sub-object of the + * GENERALIZED_UNI RSVP object must have the Length field as + * a multiple of 4, instead of the check below it would be + * better to test total_subobj_len only once before the loop. + * So long as it does not define it and this while loop does + * not implement such a requirement, let's accept that within + * each iteration subobj_len may happen to be a multiple of 1 + * and test it and total_subobj_len respectively. + */ + if (total_subobj_len < 4) + goto invalid; subobj_len = EXTRACT_16BITS(obj_tptr); subobj_type = (EXTRACT_16BITS(obj_tptr+2))>>8; af = (EXTRACT_16BITS(obj_tptr+2))&0x00FF;
@@ -1189,7 +1228,13 @@ rsvp_obj_print(netdissect_options *ndo, tok2str(af_values, "Unknown", af), af, subobj_len)); - if(subobj_len == 0) + /* In addition to what is explained above, the same spec does not + * explicitly say that the same Length field includes the 4-octet + * sub-object header, but as long as this while loop implements it + * as it does include, let's keep the check below consistent with + * the rest of the code. + */ + if(subobj_len < 4 || subobj_len > total_subobj_len) goto invalid; switch(subobj_type) {
@@ -1445,12 +1490,12 @@ rsvp_obj_print(netdissect_options *ndo, case RSVP_OBJ_FASTREROUTE: /* the differences between c-type 1 and 7 are minor */ obj_ptr.rsvp_obj_frr = (const struct rsvp_obj_frr_t *)obj_tptr; - bw.i = EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->bandwidth); switch(rsvp_obj_ctype) { case RSVP_CTYPE_1: /* new style */ if (obj_tlen < sizeof(struct rsvp_obj_frr_t)) return-1; + bw.i = EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->bandwidth); ND_PRINT((ndo, "%s Setup Priority: %u, Holding Priority: %u, Hop-limit: %u, Bandwidth: %.10g Mbps", ident, (int)obj_ptr.rsvp_obj_frr->setup_prio,
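Review bot: In the `@@ -1178,6 +1206,17 @@` hunk, `total_subobj_len < 4` bounds the header read against the object's declared length only; no captured-length check is visible before `EXTRACT_16BITS(obj_tptr)` and `EXTRACT_16BITS(obj_tptr+2)`. Unless the object is bounds-checked as a whole before this switch, which the hunk does not show, add `ND_TCHECK2(*obj_tptr, 4);` after the new test so that a truncated capture takes the truncation path instead of reading past the buffer. The added comment could also be shortened to its two facts: the spec does not require Length to be a multiple of 4, so the remaining length is re-tested on every iteration. The loop body continues outside the hunk.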
@@ -1469,6 +1514,7 @@ rsvp_obj_print(netdissect_options *ndo, case RSVP_CTYPE_TUNNEL_IPV4: /* old style */ if (obj_tlen < 16) return-1; + bw.i = EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->bandwidth); ND_PRINT((ndo, "%s Setup Priority: %u, Holding Priority: %u, Hop-limit: %u, Bandwidth: %.10g Mbps", ident, (int)obj_ptr.rsvp_obj_frr->setup_prio,
@@ -1509,6 +1555,7 @@ rsvp_obj_print(netdissect_options *ndo, case RSVP_OBJ_CLASSTYPE_OLD: /* fall through */ switch(rsvp_obj_ctype) { case RSVP_CTYPE_1: + ND_TCHECK_32BITS(obj_tptr); ND_PRINT((ndo, "%s CT: %u", ident, EXTRACT_32BITS(obj_tptr) & 0x7));
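Review bot: In the `@@ -1509,6 +1555,7 @@` hunk, `ND_TCHECK_32BITS(obj_tptr)` confirms that four bytes were captured, but the lines between `case RSVP_CTYPE_1:` and the read do not check that the object itself is four bytes long. The fast-reroute cases test the declared length first (`if (obj_tlen < 16) return-1;`); the same pattern here, `if (obj_tlen < 4) return-1;` ahead of the new line, would stop a short class-type object from being printed from bytes that belong to the next object. The statements after the `ND_PRINT` are outside the hunk, so any later adjustment of `obj_tlen` could not be checked.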