X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/db7a7633e65ea66dacb40450d375c00d3f305408..refs/heads/master:/print-ip6.c

diff --git a/print-ip6.c b/print-ip6.c
index 2cc4e309..269b41fb 100644
--- a/print-ip6.c
+++ b/print-ip6.c
@@ -21,9 +21,7 @@
 
 /* \summary: IPv6 printer */
 
-#ifdef HAVE_CONFIG_H
 #include <config.h>
-#endif
 
 #include "netdissect-stdinc.h"
 
@@ -44,7 +42,7 @@
  * calculation.
  */
 static void
-ip6_finddst(netdissect_options *ndo, struct in6_addr *dst,
+ip6_finddst(netdissect_options *ndo, nd_ipv6 *dst,
             const struct ip6_hdr *ip6)
 {
 	const u_char *cp;
@@ -77,7 +75,6 @@ ip6_finddst(netdissect_options *ndo, struct in6_addr *dst,
 			 * the header, in units of 8 octets, excluding
 			 * the first 8 octets.
 			 */
-			ND_TCHECK_2(cp);
 			advance = (GET_U_1(cp + 1) + 1) << 3;
 			nh = GET_U_1(cp);
 			break;
@@ -88,7 +85,6 @@ ip6_finddst(netdissect_options *ndo, struct in6_addr *dst,
 			 * marked as reserved, and the header is always
 			 * the same size.
 			 */
-			ND_TCHECK_1(cp);
 			advance = sizeof(struct ip6_frag);
 			nh = GET_U_1(cp);
 			break;
@@ -165,7 +161,7 @@ ip6_finddst(netdissect_options *ndo, struct in6_addr *dst,
 
 done:
 trunc:
-	UNALIGNED_MEMCPY(dst, dst_addr, sizeof(nd_ipv6));
+	GET_CPY_BYTES(dst, dst_addr, sizeof(nd_ipv6));
 }
 
 /*
@@ -177,8 +173,8 @@ nextproto6_cksum(netdissect_options *ndo,
 		 u_int len, u_int covlen, uint8_t next_proto)
 {
         struct {
-                struct in6_addr ph_src;
-                struct in6_addr ph_dst;
+                nd_ipv6 ph_src;
+                nd_ipv6 ph_dst;
                 uint32_t       ph_len;
                 uint8_t        ph_zero[3];
                 uint8_t        ph_nxt;
@@ -188,7 +184,7 @@ nextproto6_cksum(netdissect_options *ndo,
 
         /* pseudo-header */
         memset(&ph, 0, sizeof(ph));
-        UNALIGNED_MEMCPY(&ph.ph_src, ip6->ip6_src, sizeof (struct in6_addr));
+        GET_CPY_BYTES(&ph.ph_src, ip6->ip6_src, sizeof(nd_ipv6));
         nh = GET_U_1(ip6->ip6_nxt);
         switch (nh) {
 
@@ -207,8 +203,7 @@ nextproto6_cksum(netdissect_options *ndo,
                 break;
 
         default:
-                UNALIGNED_MEMCPY(&ph.ph_dst, ip6->ip6_dst,
-                                 sizeof (struct in6_addr));
+                GET_CPY_BYTES(&ph.ph_dst, ip6->ip6_dst, sizeof(nd_ipv6));
                 break;
         }
         ph.ph_len = htonl(len);
@@ -234,28 +229,23 @@ ip6_print(netdissect_options *ndo, const u_char *bp, u_int length)
 	u_int total_advance;
 	const u_char *cp;
 	uint32_t payload_len;
-	uint8_t nh;
+	uint8_t ph, nh;
 	int fragmented = 0;
 	u_int flow;
 	int found_extension_header;
 	int found_jumbo;
+	int found_hbh;
 
 	ndo->ndo_protocol = "ip6";
 	ip6 = (const struct ip6_hdr *)bp;
 
-	ND_TCHECK_SIZE(ip6);
-	if (length < sizeof (struct ip6_hdr)) {
-		ND_PRINT("truncated-ip6 %u", length);
-		return;
+	if (!ndo->ndo_eflag) {
+		nd_print_protocol_caps(ndo);
+		ND_PRINT(" ");
 	}
 
-        if (!ndo->ndo_eflag)
-            ND_PRINT("IP6 ");
-
-	if (IP6_VERSION(ip6) != 6) {
-          ND_PRINT("version error: %u != 6", IP6_VERSION(ip6));
-          return;
-	}
+	ND_ICHECK_ZU(length, <, sizeof (struct ip6_hdr));
+	ND_ICHECKMSG_U("version", IP6_VERSION(ip6), !=, 6);
 
 	payload_len = GET_BE_U_2(ip6->ip6_plen);
 	/*
@@ -282,41 +272,43 @@ ip6_print(netdissect_options *ndo, const u_char *bp, u_int length)
 	 */
 	if (payload_len != 0) {
 		len = payload_len + sizeof(struct ip6_hdr);
-		if (length < len)
-			ND_PRINT("truncated-ip6 - %u bytes missing!",
-				len - length);
+		if (len > length) {
+			ND_PRINT("[header+payload length %u > length %u]",
+				 len, length);
+			nd_print_invalid(ndo);
+			ND_PRINT(" ");
+		}
 	} else
 		len = length + sizeof(struct ip6_hdr);
 
-        nh = GET_U_1(ip6->ip6_nxt);
-        if (ndo->ndo_vflag) {
-            flow = GET_BE_U_4(ip6->ip6_flow);
-            ND_PRINT("(");
-#if 0
-            /* rfc1883 */
-            if (flow & 0x0f000000)
-		ND_PRINT("pri 0x%02x, ", (flow & 0x0f000000) >> 24);
-            if (flow & 0x00ffffff)
-		ND_PRINT("flowlabel 0x%06x, ", flow & 0x00ffffff);
-#else
-            /* RFC 2460 */
-            if (flow & 0x0ff00000)
-		ND_PRINT("class 0x%02x, ", (flow & 0x0ff00000) >> 20);
-            if (flow & 0x000fffff)
-		ND_PRINT("flowlabel 0x%05x, ", flow & 0x000fffff);
-#endif
-
-            ND_PRINT("hlim %u, next-header %s (%u) payload length: %u) ",
-                         GET_U_1(ip6->ip6_hlim),
-                         tok2str(ipproto_values,"unknown",nh),
-                         nh,
-                         payload_len);
-        }
+	ph = 255;
+	nh = GET_U_1(ip6->ip6_nxt);
+	if (ndo->ndo_vflag) {
+	    flow = GET_BE_U_4(ip6->ip6_flow);
+	    ND_PRINT("(");
+	    /* RFC 2460 */
+	    if (flow & 0x0ff00000)
+	        ND_PRINT("class 0x%02x, ", (flow & 0x0ff00000) >> 20);
+	    if (flow & 0x000fffff)
+	        ND_PRINT("flowlabel 0x%05x, ", flow & 0x000fffff);
+
+	    ND_PRINT("hlim %u, next-header %s (%u), payload length %u) ",
+	                 GET_U_1(ip6->ip6_hlim),
+	                 tok2str(ipproto_values,"unknown",nh),
+	                 nh,
+	                 payload_len);
+	}
+	ND_TCHECK_SIZE(ip6);
 
 	/*
-	 * Cut off the snapshot length to the end of the IP payload.
+	 * Cut off the snapshot length to the end of the IP payload
+	 * or the end of the data in which it's contained, whichever
+	 * comes first.
 	 */
-	nd_push_snapend(ndo, bp + len);
+	if (!nd_push_snaplen(ndo, bp, ND_MIN(length, len))) {
+		(*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
+			"%s: can't push snaplen on buffer stack", __func__);
+	}
 
 	cp = (const u_char *)ip6;
 	advance = sizeof(struct ip6_hdr);
@@ -324,6 +316,7 @@ ip6_print(netdissect_options *ndo, const u_char *bp, u_int length)
 	/* Process extension headers */
 	found_extension_header = 0;
 	found_jumbo = 0;
+	found_hbh = 0;
 	while (cp < ndo->ndo_snapend && advance > 0) {
 		if (len < (u_int)advance)
 			goto trunc;
@@ -334,19 +327,39 @@ ip6_print(netdissect_options *ndo, const u_char *bp, u_int length)
 		if (cp == (const u_char *)(ip6 + 1) &&
 		    nh != IPPROTO_TCP && nh != IPPROTO_UDP &&
 		    nh != IPPROTO_DCCP && nh != IPPROTO_SCTP) {
-			ND_PRINT("%s > %s: ", ip6addr_string(ndo, ip6->ip6_src),
-				     ip6addr_string(ndo, ip6->ip6_dst));
+			ND_PRINT("%s > %s: ", GET_IP6ADDR_STRING(ip6->ip6_src),
+				 GET_IP6ADDR_STRING(ip6->ip6_dst));
 		}
 
 		switch (nh) {
 
 		case IPPROTO_HOPOPTS:
+			/*
+			 * The Hop-by-Hop Options header, when present,
+			 * must immediately follow the IPv6 header (RFC 8200)
+			 */
+			if (found_hbh == 1) {
+				ND_PRINT("[The Hop-by-Hop Options header was already found]");
+				nd_print_invalid(ndo);
+				return;
+			}
+			if (ph != 255) {
+				ND_PRINT("[The Hop-by-Hop Options header don't follow the IPv6 header]");
+				nd_print_invalid(ndo);
+				return;
+			}
 			advance = hbhopt_process(ndo, cp, &found_jumbo, &payload_len);
+			if (payload_len == 0 && found_jumbo == 0) {
+				ND_PRINT("[No valid Jumbo Payload Hop-by-Hop option found]");
+				nd_print_invalid(ndo);
+				return;
+			}
 			if (advance < 0) {
 				nd_pop_packet_info(ndo);
 				return;
 			}
 			found_extension_header = 1;
+			found_hbh = 1;
 			nh = GET_U_1(cp);
 			break;
 
@@ -374,10 +387,10 @@ ip6_print(netdissect_options *ndo, const u_char *bp, u_int length)
 		case IPPROTO_MOBILITY_OLD:
 		case IPPROTO_MOBILITY:
 			/*
-			 * XXX - we don't use "advance"; RFC 3775 says that
+			 * RFC 3775 says that
 			 * the next header field in a mobility header
 			 * should be IPPROTO_NONE, but speaks of
-			 * the possiblity of a future extension in
+			 * the possibility of a future extension in
 			 * which payload can be piggybacked atop a
 			 * mobility header.
 			 */
@@ -413,12 +426,21 @@ ip6_print(netdissect_options *ndo, const u_char *bp, u_int length)
 				 * Set the length to the payload length
 				 * plus the IPv6 header length, and
 				 * change the snapshot length accordingly.
+				 *
+				 * But make sure it's not shorter than
+				 * the total number of bytes we've
+				 * processed so far.
 				 */
 				len = payload_len + sizeof(struct ip6_hdr);
-				if (length < len)
-					ND_PRINT("truncated-ip6 - %u bytes missing!",
-						len - length);
-				nd_change_snapend(ndo, bp + len);
+				if (len < total_advance)
+					goto trunc;
+				if (len > length) {
+					ND_PRINT("[header+payload length %u > length %u]",
+						 len, length);
+					nd_print_invalid(ndo);
+					ND_PRINT(" ");
+				}
+				nd_change_snaplen(ndo, bp, len);
 
 				/*
 				 * Now subtract the length of the IPv6
@@ -443,7 +465,7 @@ ip6_print(netdissect_options *ndo, const u_char *bp, u_int length)
 						goto trunc;
 
 					/*
-					 * OK, we didn't see any extnesion
+					 * OK, we didn't see any extension
 					 * header, but that means we have
 					 * no payload, so set the length
 					 * to the IPv6 header length,
@@ -451,7 +473,7 @@ ip6_print(netdissect_options *ndo, const u_char *bp, u_int length)
 					 * accordingly.
 					 */
 					len = sizeof(struct ip6_hdr);
-					nd_change_snapend(ndo, bp + len);
+					nd_change_snaplen(ndo, bp, len);
 
 					/*
 					 * Now subtract the length of
@@ -463,11 +485,12 @@ ip6_print(netdissect_options *ndo, const u_char *bp, u_int length)
 					len -= total_advance;
 				}
 			}
-			ip_print_demux(ndo, cp, len, 6, fragmented,
-			    GET_U_1(ip6->ip6_hlim), nh, bp);
+			ip_demux_print(ndo, cp, len, 6, fragmented,
+				       GET_U_1(ip6->ip6_hlim), nh, bp);
 			nd_pop_packet_info(ndo);
 			return;
 		}
+		ph = nh;
 
 		/* ndo_protocol reassignment after xxx_print() calls */
 		ndo->ndo_protocol = "ip6";
@@ -477,4 +500,8 @@ ip6_print(netdissect_options *ndo, const u_char *bp, u_int length)
 	return;
 trunc:
 	nd_print_trunc(ndo);
+	return;
+
+invalid:
+	nd_print_invalid(ndo);
 }