X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/aad6ac30ce7904f688226dbc61021ca4f907274f..refs/heads/coverity_scan:/print-ip.c

diff --git a/print-ip.c b/print-ip.c
index 8dab9443..9621dada 100644
--- a/print-ip.c
+++ b/print-ip.c
@@ -21,14 +21,10 @@
 
 /* \summary: IP printer */
 
-#ifdef HAVE_CONFIG_H
 #include <config.h>
-#endif
 
 #include "netdissect-stdinc.h"
 
-#include <string.h>
-
 #include "netdissect.h"
 #include "addrtoname.h"
 #include "extract.h"
@@ -71,11 +67,15 @@ ip_printroute(netdissect_options *ndo,
 		ND_PRINT(" [bad ptr %u]", GET_U_1(cp + 2));
 
 	for (len = 3; len < length; len += 4) {
+		ND_TCHECK_4(cp + len);	/* Needed to print the IP addresses */
 		ND_PRINT(" %s", GET_IPADDR_STRING(cp + len));
 		if (ptr > len)
 			ND_PRINT(",");
 	}
 	return (0);
+
+trunc:
+	return (-1);
 }
 
 /*
@@ -190,16 +190,7 @@ ip_printts(netdissect_options *ndo,
 	case IPOPT_TS_TSANDADDR:
 		ND_PRINT("TS+ADDR");
 		break;
-	/*
-	 * prespecified should really be 3, but some ones might send 2
-	 * instead, and the IPOPT_TS_PRESPEC constant can apparently
-	 * have both values, so we have to hard-code it here.
-	 */
-
-	case 2:
-		ND_PRINT("PRESPEC2.0");
-		break;
-	case 3:			/* IPOPT_TS_PRESPEC */
+	case IPOPT_TS_PRESPEC:
 		ND_PRINT("PRESPEC");
 		break;
 	default:
@@ -325,7 +316,7 @@ static const struct tok ip_frag_values[] = {
 void
 ip_print(netdissect_options *ndo,
 	 const u_char *bp,
-	 u_int length)
+	 const u_int length)
 {
 	const struct ip *ip;
 	u_int off;
@@ -336,55 +327,45 @@ ip_print(netdissect_options *ndo,
 	uint16_t sum, ip_sum;
 	const char *p_name;
 	int truncated = 0;
+	int presumed_tso = 0;
 
 	ndo->ndo_protocol = "ip";
 	ip = (const struct ip *)bp;
-	if (IP_V(ip) != 4) { /* print version and fail if != 4 */
-	    if (IP_V(ip) == 6)
-	      ND_PRINT("IP6, wrong link-layer encapsulation");
-	    else
-	      ND_PRINT("IP%u", IP_V(ip));
-	    nd_print_invalid(ndo);
-	    return;
-	}
-	if (!ndo->ndo_eflag)
-		ND_PRINT("IP ");
 
-	ND_TCHECK_SIZE(ip);
-	if (length < sizeof (struct ip)) {
-		ND_PRINT("truncated-ip %u", length);
-		return;
+	if (!ndo->ndo_eflag) {
+		nd_print_protocol_caps(ndo);
+		ND_PRINT(" ");
 	}
+
+	ND_ICHECK_ZU(length, <, sizeof (struct ip));
+	ND_ICHECKMSG_U("version", IP_V(ip), !=, 4);
+
 	hlen = IP_HL(ip) * 4;
-	if (hlen < sizeof (struct ip)) {
-		ND_PRINT("bad-hlen %u", hlen);
-		return;
-	}
+	ND_ICHECKMSG_ZU("header length", hlen, <, sizeof (struct ip));
 
 	len = GET_BE_U_2(ip->ip_len);
-	if (length < len)
-		ND_PRINT("truncated-ip - %u bytes missing! ",
-			len - length);
-	if (len < hlen) {
-#ifdef GUESS_TSO
-            if (len) {
-                ND_PRINT("bad-len %u", len);
-                return;
-            }
-            else {
-                /* we guess that it is a TSO send */
-                len = length;
-            }
-#else
-            ND_PRINT("bad-len %u", len);
-            return;
-#endif /* GUESS_TSO */
+	if (len > length) {
+		ND_PRINT("[total length %u > length %u]", len, length);
+		nd_print_invalid(ndo);
+		ND_PRINT(" ");
 	}
+	if (len == 0) {
+		/* we guess that it is a TSO send */
+		len = length;
+		presumed_tso = 1;
+	} else
+		ND_ICHECKMSG_U("total length", len, <, hlen);
 
+	ND_TCHECK_SIZE(ip);
 	/*
-	 * Cut off the snapshot length to the end of the IP payload.
+	 * Cut off the snapshot length to the end of the IP payload
+	 * or the end of the data in which it's contained, whichever
+	 * comes first.
 	 */
-	nd_push_snapend(ndo, bp + len);
+	if (!nd_push_snaplen(ndo, bp, ND_MIN(length, len))) {
+		(*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
+			"%s: can't push snaplen on buffer stack", __func__);
+	}
 
 	len -= hlen;
 
@@ -430,9 +411,12 @@ ip_print(netdissect_options *ndo,
                          tok2str(ipproto_values, "unknown", ip_proto),
                          ip_proto);
 
-            ND_PRINT(", length %u", GET_BE_U_2(ip->ip_len));
+	    if (presumed_tso)
+                ND_PRINT(", length %u [was 0, presumed TSO]", length);
+	    else
+                ND_PRINT(", length %u", GET_BE_U_2(ip->ip_len));
 
-            if ((hlen - sizeof(struct ip)) > 0) {
+            if ((hlen > sizeof(struct ip))) {
                 ND_PRINT(", options (");
                 if (ip_optprint(ndo, (const u_char *)(ip + 1),
                     hlen - sizeof(struct ip)) == -1) {
@@ -442,7 +426,7 @@ ip_print(netdissect_options *ndo,
                 ND_PRINT(")");
             }
 
-	    if (!ndo->ndo_Kflag && (const u_char *)ip + hlen <= ndo->ndo_snapend) {
+	    if (!ndo->ndo_Kflag && ND_TTEST_LEN((const u_char *)ip, hlen)) {
 	        vec[0].ptr = (const uint8_t *)(const void *)ip;
 	        vec[0].len = hlen;
 	        sum = in_cksum(vec, 1);
@@ -478,8 +462,18 @@ ip_print(netdissect_options *ndo,
 				     GET_IPADDR_STRING(ip->ip_src),
 				     GET_IPADDR_STRING(ip->ip_dst));
 		}
+		/*
+		 * Do a bounds check before calling ip_demux_print().
+		 * At least the header data is required.
+		 */
+		if (!ND_TTEST_LEN((const u_char *)ip, hlen)) {
+			ND_PRINT(" [remaining caplen(%u) < header length(%u)]",
+				 ND_BYTES_AVAILABLE_AFTER((const u_char *)ip),
+				 hlen);
+			nd_trunc_longjmp(ndo);
+		}
 		ip_demux_print(ndo, (const u_char *)ip + hlen, len, 4,
-		    off & IP_MF, GET_U_1(ip->ip_ttl), nh, bp);
+			       off & IP_MF, GET_U_1(ip->ip_ttl), nh, bp);
 	} else {
 		/*
 		 * Ultra quiet now means that all this stuff should be
@@ -508,6 +502,9 @@ ip_print(netdissect_options *ndo,
 trunc:
 	nd_print_trunc(ndo);
 	return;
+
+invalid:
+	nd_print_invalid(ndo);
 }
 
 void