X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/b3fb6a6c61e25ef8be56a2f1da7790a4e5ccd20b..1a04b92e365f5ed01ca38619b41bcc4fc9cbd63c:/print-isakmp.c diff --git a/print-isakmp.c b/print-isakmp.c index ed1e3a25..a2683ac6 100644 --- a/print-isakmp.c +++ b/print-isakmp.c @@ -428,7 +428,7 @@ struct notify_messages { char *msg; }; -/* 3.8 Notification Payload */ +/* 3.8 Authentication Payload */ struct ikev2_auth { struct isakmp_gen h; uint8_t auth_method; /* Protocol-ID */ @@ -862,7 +862,7 @@ hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len) static int rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len) { - ND_TCHECK2(*loc, len); + ND_TCHECK_LEN(loc, len); hexprint(ndo, loc, len); return 1; @@ -912,70 +912,98 @@ struct attrmap { static const u_char * ikev1_attrmap_print(netdissect_options *ndo, - const u_char *p, const u_char *ep, + const u_char *p, const u_char *ep2, const struct attrmap *map, size_t nmap) { int totlen; uint32_t t, v; - if (p[0] & 0x80) + ND_TCHECK_1(p); + if (EXTRACT_U_1(p) & 0x80) totlen = 4; - else - totlen = 4 + EXTRACT_16BITS(&p[2]); - if (ep < p + totlen) { + else { + ND_TCHECK_2(p + 2); + totlen = 4 + EXTRACT_BE_U_2(p + 2); + } + if (ep2 < p + totlen) { ND_PRINT((ndo,"[|attr]")); - return ep + 1; + return ep2 + 1; } + ND_TCHECK_2(p); ND_PRINT((ndo,"(")); - t = EXTRACT_16BITS(&p[0]) & 0x7fff; + t = EXTRACT_BE_U_2(p) & 0x7fff; if (map && t < nmap && map[t].type) ND_PRINT((ndo,"type=%s ", map[t].type)); else ND_PRINT((ndo,"type=#%d ", t)); - if (p[0] & 0x80) { + if (EXTRACT_U_1(p) & 0x80) { ND_PRINT((ndo,"value=")); - v = EXTRACT_16BITS(&p[2]); + ND_TCHECK_2(p + 2); + v = EXTRACT_BE_U_2(p + 2); if (map && t < nmap && v < map[t].nvalue && map[t].value[v]) ND_PRINT((ndo,"%s", map[t].value[v])); - else - rawprint(ndo, (const uint8_t *)&p[2], 2); + else { + if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) { + ND_PRINT((ndo,")")); + goto trunc; + } + } } else { - ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2]))); - rawprint(ndo, (const uint8_t *)&p[4], EXTRACT_16BITS(&p[2])); + ND_PRINT((ndo,"len=%d value=", totlen - 4)); + if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) { + ND_PRINT((ndo,")")); + goto trunc; + } } ND_PRINT((ndo,")")); return p + totlen; + +trunc: + return NULL; } static const u_char * -ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep) +ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2) { int totlen; uint32_t t; - if (p[0] & 0x80) + ND_TCHECK_1(p); + if (EXTRACT_U_1(p) & 0x80) totlen = 4; - else - totlen = 4 + EXTRACT_16BITS(&p[2]); - if (ep < p + totlen) { + else { + ND_TCHECK_2(p + 2); + totlen = 4 + EXTRACT_BE_U_2(p + 2); + } + if (ep2 < p + totlen) { ND_PRINT((ndo,"[|attr]")); - return ep + 1; + return ep2 + 1; } + ND_TCHECK_2(p); ND_PRINT((ndo,"(")); - t = EXTRACT_16BITS(&p[0]) & 0x7fff; + t = EXTRACT_BE_U_2(p) & 0x7fff; ND_PRINT((ndo,"type=#%d ", t)); - if (p[0] & 0x80) { + if (EXTRACT_U_1(p) & 0x80) { ND_PRINT((ndo,"value=")); - t = p[2]; - rawprint(ndo, (const uint8_t *)&p[2], 2); + t = EXTRACT_U_1(p + 2); + if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) { + ND_PRINT((ndo,")")); + goto trunc; + } } else { - ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2]))); - rawprint(ndo, (const uint8_t *)&p[4], EXTRACT_16BITS(&p[2])); + ND_PRINT((ndo,"len=%d value=", totlen - 4)); + if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) { + ND_PRINT((ndo,")")); + goto trunc; + } } ND_PRINT((ndo,")")); return p + totlen; + +trunc: + return NULL; } static const u_char * @@ -1020,7 +1048,7 @@ ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_, np = (const u_char *)ext + sizeof(sa); if (sit != 0x01) { - ND_TCHECK2(*(ext + 1), sizeof(ident)); + ND_TCHECK_LEN(ext + 1, sizeof(ident)); UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident)); ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident))); np += sizeof(ident); @@ -1256,11 +1284,12 @@ ikev1_t_print(netdissect_options *ndo, u_char tpay _U_, cp = (const u_char *)(p + 1); ep2 = (const u_char *)p + item_len; while (cp < ep && cp < ep2) { - if (map && nmap) { - cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2, - map, nmap); - } else - cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2); + if (map && nmap) + cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap); + else + cp = ikev1_attr_print(ndo, cp, ep2); + if (cp == NULL) + goto trunc; } if (ep < ep2) ND_PRINT((ndo,"...")); @@ -1284,6 +1313,7 @@ ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_, UNALIGNED_MEMCPY(&e, ext, sizeof(e)); ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4)); if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { + /* Print the entire payload in hex */ ND_PRINT((ndo," ")); if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) goto trunc; @@ -1363,7 +1393,7 @@ ikev1_id_print(netdissect_options *ndo, u_char tpay _U_, break; if (data == NULL) goto trunc; - ND_TCHECK2(*data, len); + ND_TCHECK_LEN(data, len); switch (doi_id.type) { case IPSECDOI_ID_IPV4_ADDR: if (len < 4) @@ -1378,7 +1408,7 @@ ikev1_id_print(netdissect_options *ndo, u_char tpay _U_, int i; ND_PRINT((ndo," len=%d ", len)); for (i = 0; i < len; i++) - safeputchar(ndo, data[i]); + safeputchar(ndo, EXTRACT_U_1(data + i)); len = 0; break; } @@ -1391,7 +1421,8 @@ ikev1_id_print(netdissect_options *ndo, u_char tpay _U_, mask = data + sizeof(struct in_addr); ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len, ipaddr_string(ndo, data), - mask[0], mask[1], mask[2], mask[3])); + EXTRACT_U_1(mask), EXTRACT_U_1(mask + 1), + EXTRACT_U_1(mask + 2), EXTRACT_U_1(mask + 3))); } len = 0; break; @@ -1406,17 +1437,17 @@ ikev1_id_print(netdissect_options *ndo, u_char tpay _U_, case IPSECDOI_ID_IPV6_ADDR_SUBNET: { const u_char *mask; - if (len < 20) - ND_PRINT((ndo," len=%d [bad: < 20]", len)); + if (len < 32) + ND_PRINT((ndo," len=%d [bad: < 32]", len)); else { mask = (const u_char *)(data + sizeof(struct in6_addr)); /*XXX*/ ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len, ip6addr_string(ndo, data), - mask[0], mask[1], mask[2], mask[3], - mask[4], mask[5], mask[6], mask[7], - mask[8], mask[9], mask[10], mask[11], - mask[12], mask[13], mask[14], mask[15])); + EXTRACT_U_1(mask), EXTRACT_U_1(mask + 1), EXTRACT_U_1(mask + 2), EXTRACT_U_1(mask + 3), + EXTRACT_U_1(mask + 4), EXTRACT_U_1(mask + 5), EXTRACT_U_1(mask + 6), EXTRACT_U_1(mask + 7), + EXTRACT_U_1(mask + 8), EXTRACT_U_1(mask + 9), EXTRACT_U_1(mask + 10), EXTRACT_U_1(mask + 11), + EXTRACT_U_1(mask + 12), EXTRACT_U_1(mask + 13), EXTRACT_U_1(mask + 14), EXTRACT_U_1(mask + 15))); } len = 0; break; @@ -1486,6 +1517,7 @@ ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_, ND_PRINT((ndo," len=%d", item_len - 4)); ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr))); if (2 < ndo->ndo_vflag && 4 < item_len) { + /* Print the entire payload in hex */ ND_PRINT((ndo," ")); if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) goto trunc; @@ -1518,6 +1550,7 @@ ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_, ND_PRINT((ndo," len=%d", item_len - 4)); ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr))); if (2 < ndo->ndo_vflag && 4 < item_len) { + /* Print the entire payload in hex */ ND_PRINT((ndo," ")); if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) goto trunc; @@ -1542,6 +1575,7 @@ ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_, UNALIGNED_MEMCPY(&e, ext, sizeof(e)); ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { + /* Print the entire payload in hex */ ND_PRINT((ndo," ")); if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) goto trunc; @@ -1566,6 +1600,7 @@ ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_, UNALIGNED_MEMCPY(&e, ext, sizeof(e)); ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { + /* Print the entire payload in hex */ ND_PRINT((ndo," ")); if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) goto trunc; @@ -1590,15 +1625,20 @@ ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_, ND_TCHECK(*ext); UNALIGNED_MEMCPY(&e, ext, sizeof(e)); - ND_PRINT((ndo," n len=%d", ntohs(e.len) - 4)); - if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { - ND_PRINT((ndo," ")); - if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) - goto trunc; - } else if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) { - ND_PRINT((ndo," ")); - if (!ike_show_somedata(ndo, (const u_char *)(const uint8_t *)(ext + 1), ep)) - goto trunc; + /* + * Our caller has ensured that the length is >= 4. + */ + ND_PRINT((ndo," n len=%u", ntohs(e.len) - 4)); + if (ntohs(e.len) > 4) { + if (ndo->ndo_vflag > 2) { + ND_PRINT((ndo, " ")); + if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) + goto trunc; + } else if (ndo->ndo_vflag > 1) { + ND_PRINT((ndo, " ")); + if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep)) + goto trunc; + } } return (const u_char *)ext + ntohs(e.len); trunc: @@ -1609,8 +1649,8 @@ trunc: static const u_char * ikev1_n_print(netdissect_options *ndo, u_char tpay _U_, const struct isakmp_gen *ext, u_int item_len, - const u_char *ep, uint32_t phase, uint32_t doi0 _U_, - uint32_t proto0 _U_, int depth) + const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_, + uint32_t proto0 _U_, int depth _U_) { const struct ikev1_pl_n *p; struct ikev1_pl_n n; @@ -1712,35 +1752,44 @@ ikev1_n_print(netdissect_options *ndo, u_char tpay _U_, ep2 = (const u_char *)p + item_len; if (cp < ep) { - ND_PRINT((ndo," orig=(")); switch (ntohs(n.type)) { case IPSECDOI_NTYPE_RESPONDER_LIFETIME: { const struct attrmap *map = oakley_t_map; size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]); + ND_PRINT((ndo," attrs=(")); while (cp < ep && cp < ep2) { - cp = ikev1_attrmap_print(ndo, cp, - (ep < ep2) ? ep : ep2, map, nmap); + cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap); + if (cp == NULL) { + ND_PRINT((ndo,")")); + goto trunc; + } } + ND_PRINT((ndo,")")); break; } case IPSECDOI_NTYPE_REPLAY_STATUS: + ND_PRINT((ndo," status=(")); ND_PRINT((ndo,"replay detection %sabled", - EXTRACT_32BITS(cp) ? "en" : "dis")); - break; - case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN: - if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA, - (const struct isakmp_gen *)cp, ep, phase, doi, proto, - depth) == NULL) - return NULL; + EXTRACT_BE_U_4(cp) ? "en" : "dis")); + ND_PRINT((ndo,")")); break; default: - /* NULL is dummy */ - isakmp_print(ndo, cp, - item_len - sizeof(*p) - n.spi_size, - NULL); + /* + * XXX - fill in more types here; see, for example, + * draft-ietf-ipsec-notifymsg-04. + */ + if (ndo->ndo_vflag > 3) { + ND_PRINT((ndo," data=(")); + if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp)) + goto trunc; + ND_PRINT((ndo,")")); + } else { + if (!ike_show_somedata(ndo, cp, ep)) + goto trunc; + } + break; } - ND_PRINT((ndo,")")); } return (const u_char *)ext + item_len; trunc: @@ -1807,6 +1856,7 @@ ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_, UNALIGNED_MEMCPY(&e, ext, sizeof(e)); ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { + /* Print the entire payload in hex */ ND_PRINT((ndo," ")); if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) goto trunc; @@ -1841,6 +1891,7 @@ ikev2_gen_print(netdissect_options *ndo, u_char tpay, ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { + /* Print the entire payload in hex */ ND_PRINT((ndo," ")); if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) goto trunc; @@ -1915,10 +1966,11 @@ ikev2_t_print(netdissect_options *ndo, int tcount, ep2 = (const u_char *)p + item_len; while (cp < ep && cp < ep2) { if (map && nmap) { - cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2, - map, nmap); + cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap); } else - cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2); + cp = ikev1_attr_print(ndo, cp, ep2); + if (cp == NULL) + goto trunc; } if (ep < ep2) ND_PRINT((ndo,"...")); @@ -1978,7 +2030,6 @@ ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_, if (prop_length < sizeof(*ext)) goto toolong; ND_TCHECK(*ext); - UNALIGNED_MEMCPY(&e, ext, sizeof(e)); /* @@ -1993,7 +2044,7 @@ ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_, if (prop_length < item_len) goto toolong; - ND_TCHECK2(*cp, item_len); + ND_TCHECK_LEN(cp, item_len); depth++; ND_PRINT((ndo,"\n")); @@ -2065,7 +2116,6 @@ ikev2_sa_print(netdissect_options *ndo, u_char tpay, if (sa_length < sizeof(*ext)) goto toolong; ND_TCHECK(*ext); - UNALIGNED_MEMCPY(&e, ext, sizeof(e)); /* @@ -2080,7 +2130,7 @@ ikev2_sa_print(netdissect_options *ndo, u_char tpay, if (sa_length < item_len) goto toolong; - ND_TCHECK2(*cp, item_len); + ND_TCHECK_LEN(cp, item_len); depth++; ND_PRINT((ndo,"\n")); @@ -2126,7 +2176,7 @@ ikev2_ke_print(netdissect_options *ndo, u_char tpay, const struct ikev2_ke *k; k = (const struct ikev2_ke *)ext; - ND_TCHECK(*ext); + ND_TCHECK(*k); UNALIGNED_MEMCPY(&ke, ext, sizeof(ke)); ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical); @@ -2151,12 +2201,14 @@ ikev2_ID_print(netdissect_options *ndo, u_char tpay, uint32_t phase _U_, uint32_t doi _U_, uint32_t proto _U_, int depth _U_) { + const struct ikev2_id *idp; struct ikev2_id id; int id_len, idtype_len, i; unsigned int dumpascii, dumphex; const unsigned char *typedata; - ND_TCHECK(*ext); + idp = (const struct ikev2_id *)ext; + ND_TCHECK(*idp); UNALIGNED_MEMCPY(&id, ext, sizeof(id)); ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical); @@ -2164,6 +2216,7 @@ ikev2_ID_print(netdissect_options *ndo, u_char tpay, ND_PRINT((ndo," len=%d", id_len - 4)); if (2 < ndo->ndo_vflag && 4 < id_len) { + /* Print the entire payload in hex */ ND_PRINT((ndo," ")); if (!rawprint(ndo, (const uint8_t *)(ext + 1), id_len - 4)) goto trunc; @@ -2206,10 +2259,10 @@ ikev2_ID_print(netdissect_options *ndo, u_char tpay, } if(dumpascii) { - ND_TCHECK2(*typedata, idtype_len); + ND_TCHECK_LEN(typedata, idtype_len); for(i=0; i= 4. + */ + ND_PRINT((ndo," len=%u method=%s", len-4, STR_OR_ID(a.auth_method, v2_auth))); - - if (1 < ndo->ndo_vflag && 4 < len) { - ND_PRINT((ndo," authdata=(")); - if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a))) - goto trunc; - ND_PRINT((ndo,") ")); - } else if(ndo->ndo_vflag && 4 < len) { - if(!ike_show_somedata(ndo, authdata, ep)) goto trunc; + if (len > 4) { + if (ndo->ndo_vflag > 1) { + ND_PRINT((ndo, " authdata=(")); + if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a))) + goto trunc; + ND_PRINT((ndo, ") ")); + } else if (ndo->ndo_vflag) { + if (!ike_show_somedata(ndo, authdata, ep)) + goto trunc; + } } return (const u_char *)ext + len; @@ -2322,7 +2380,7 @@ ikev2_n_print(netdissect_options *ndo, u_char tpay _U_, const struct ikev2_n *p; struct ikev2_n n; const u_char *cp; - u_char showspi, showdata, showsomedata; + u_char showspi, showsomedata; const char *notify_name; uint32_t type; @@ -2332,7 +2390,6 @@ ikev2_n_print(netdissect_options *ndo, u_char tpay _U_, ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical); showspi = 1; - showdata = 0; showsomedata=0; notify_name=NULL; @@ -2446,7 +2503,6 @@ ikev2_n_print(netdissect_options *ndo, u_char tpay _U_, notify_name = "cookie"; showspi = 1; showsomedata= 1; - showdata= 0; break; case IV2_NOTIFY_USE_TRANSPORT_MODE: @@ -2499,19 +2555,17 @@ ikev2_n_print(netdissect_options *ndo, u_char tpay _U_, cp = (const u_char *)(p + 1) + n.spi_size; - if(3 < ndo->ndo_vflag) { - showdata = 1; - } - - if ((showdata || (showsomedata && ep-cp < 30)) && cp < ep) { - ND_PRINT((ndo," data=(")); - if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp)) - goto trunc; - - ND_PRINT((ndo,")")); + if (cp < ep) { + if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) { + ND_PRINT((ndo," data=(")); + if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp)) + goto trunc; - } else if(showsomedata && cp < ep) { - if(!ike_show_somedata(ndo, cp, ep)) goto trunc; + ND_PRINT((ndo,")")); + } else if (showsomedata) { + if (!ike_show_somedata(ndo, cp, ep)) + goto trunc; + } } return (const u_char *)ext + item_len; @@ -2548,12 +2602,14 @@ ikev2_vid_print(netdissect_options *ndo, u_char tpay, vid = (const u_char *)(ext+1); len = ntohs(e.len) - 4; - ND_TCHECK2(*vid, len); + ND_TCHECK_LEN(vid, len); for(i=0; indo_vflag && 4 < len) { + /* Print the entire payload in hex */ ND_PRINT((ndo," ")); if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) goto trunc; @@ -2618,7 +2674,7 @@ ikev2_e_print(netdissect_options *ndo, } dat = (const u_char *)(ext+1); - ND_TCHECK2(*dat, dlen); + ND_TCHECK_LEN(dat, dlen); #ifdef HAVE_LIBCRYPTO /* try to decypt it! */ @@ -2719,10 +2775,9 @@ ikev1_sub_print(netdissect_options *ndo, while (np) { ND_TCHECK(*ext); - UNALIGNED_MEMCPY(&e, ext, sizeof(e)); - ND_TCHECK2(*ext, ntohs(e.len)); + ND_TCHECK_LEN(ext, ntohs(e.len)); depth++; ND_PRINT((ndo,"\n")); @@ -2769,7 +2824,7 @@ ikev1_print(netdissect_options *ndo, p = (const struct isakmp *)bp; ep = ndo->ndo_snapend; - phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2; + phase = (EXTRACT_BE_U_4(base->msgid) == 0) ? 1 : 2; if (phase == 1) ND_PRINT((ndo," phase %d", phase)); else @@ -2887,10 +2942,9 @@ ikev2_sub_print(netdissect_options *ndo, cp = (const u_char *)ext; while (np) { ND_TCHECK(*ext); - UNALIGNED_MEMCPY(&e, ext, sizeof(e)); - ND_TCHECK2(*ext, ntohs(e.len)); + ND_TCHECK_LEN(ext, ntohs(e.len)); depth++; ND_PRINT((ndo,"\n")); @@ -2929,7 +2983,7 @@ ikev2_print(netdissect_options *ndo, p = (const struct isakmp *)bp; ep = ndo->ndo_snapend; - phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2; + phase = (EXTRACT_BE_U_4(base->msgid) == 0) ? 1 : 2; if (phase == 1) ND_PRINT((ndo, " parent_sa")); else @@ -3041,8 +3095,8 @@ isakmp_rfc3948_print(netdissect_options *ndo, const u_char *bp, u_int length, const u_char *bp2) { - - if(length == 1 && bp[0]==0xff) { + ND_TCHECK_1(bp); + if(length == 1 && EXTRACT_U_1(bp)==0xff) { ND_PRINT((ndo, "isakmp-nat-keep-alive")); return; } @@ -3050,11 +3104,13 @@ isakmp_rfc3948_print(netdissect_options *ndo, if(length < 4) { goto trunc; } + ND_TCHECK_1(bp + 3); /* * see if this is an IKE packet */ - if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) { + if (EXTRACT_U_1(bp) == 0 && EXTRACT_U_1(bp + 1) == 0 && + EXTRACT_U_1(bp + 2) == 0 && EXTRACT_U_1(bp + 3) == 0) { ND_PRINT((ndo, "NONESP-encap: ")); isakmp_print(ndo, bp+4, length-4, bp2); return; @@ -3062,7 +3118,7 @@ isakmp_rfc3948_print(netdissect_options *ndo, /* must be an ESP packet */ { - int nh, enh, padlen; + u_int nh, enh, padlen; int advance; ND_PRINT((ndo, "UDP-encap: ")); @@ -3090,7 +3146,3 @@ trunc: * c-basic-offset: 8 * End: */ - - - -