frag6: Fix invalid 32-bit versus 64-bit printouts
authorFrancois-Xavier Le Bail <[email protected]>
Mon, 6 May 2024 09:20:27 +0000 (11:20 +0200)
committerfxlb <[email protected]>
Mon, 6 May 2024 19:10:03 +0000 (19:10 +0000)
Print "[length < 0] (invalid)" when fragment length is negative.

In this case, e.g. when IPv6 payload length is zero, the 32-bit and
64-bit printouts were different.

Example:
32-bit:
frag (0x80000074:1280|4294967288)
---
64-bit:
frag (0x80000074:1280|18446744073709551608)

Add a test file.

print-frag6.c
tests/TESTLIST
tests/ipv6_frag6_negative_len.out [new file with mode: 0644]
tests/ipv6_frag6_negative_len.pcap [new file with mode: 0644]

index 773e49ab5e4e9896d6ed7fb5f423358b1629385c..a4b3be0d43ffc784912d4f5d418d9b3ab851e400 100644 (file)
@@ -43,10 +43,14 @@ frag6_print(netdissect_options *ndo, const u_char *bp, const u_char *bp2)
        ND_PRINT("frag (");
        if (ndo->ndo_vflag)
                ND_PRINT("0x%08x:", GET_BE_U_4(dp->ip6f_ident));
-       ND_PRINT("%u|%zu)",
-                GET_BE_U_2(dp->ip6f_offlg) & IP6F_OFF_MASK,
-                sizeof(struct ip6_hdr) + GET_BE_U_2(ip6->ip6_plen) -
-                       (bp - bp2) - sizeof(struct ip6_frag));
+       ND_PRINT("%u|", GET_BE_U_2(dp->ip6f_offlg) & IP6F_OFF_MASK);
+       if ((bp - bp2) + sizeof(struct ip6_frag) >
+           sizeof(struct ip6_hdr) + GET_BE_U_2(ip6->ip6_plen))
+               ND_PRINT("[length < 0] (invalid))");
+       else
+               ND_PRINT("%zu)",
+                        sizeof(struct ip6_hdr) + GET_BE_U_2(ip6->ip6_plen) -
+                        (bp - bp2) - sizeof(struct ip6_frag));
 
        /* it is meaningless to decode non-first fragment */
        if ((GET_BE_U_2(dp->ip6f_offlg) & IP6F_OFF_MASK) != 0)
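Review bot: The new range check and the `%zu` printout in the else branch each spell out `sizeof(struct ip6_hdr) + GET_BE_U_2(ip6->ip6_plen)` and `(bp - bp2) + sizeof(struct ip6_frag)` separately, so the guard and the value it protects can drift apart on a later edit and the payload length is read from the packet twice. Hoisting both into named locals before the check, `const size_t pkt_len = sizeof(struct ip6_hdr) + GET_BE_U_2(ip6->ip6_plen);` and `const size_t frag_end = (size_t)(bp - bp2) + sizeof(struct ip6_frag);`, lets the branch read `if (frag_end > pkt_len) ... else ND_PRINT("%zu)", pkt_len - frag_end);` and makes the signed-to-unsigned conversion of the pointer difference explicit rather than implicit in the mixed `ptrdiff_t + size_t` arithmetic. That conversion assumes bp never precedes bp2 (presumably bp2 is the start of the IPv6 header that holds ip6_plen); if the caller cannot guarantee that, a negative difference would wrap to a huge size_t and be reported as "[length < 0]" only by accident, so a comment stating the invariant would help. frag6_print begins before and continues after this hunk.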
index f6b217c81a576891cd708136f04212e14462f967..dd00127a01e9a5c2a3c3302af33a10ab36a3712d 100644 (file)
@@ -386,6 +386,7 @@ ipv6_invalid_length_2 ipv6_invalid_length_2.pcap ipv6_invalid_length_2.out -v
 ipv6_jumbogram_invalid_length ipv6_jumbogram_invalid_length.pcap ipv6_jumbogram_invalid_length.out -v
 ipv6_39_byte_header ipv6_39_byte_header.pcap ipv6_39_byte_header.out -v
 ipv6_missing_jumbo_payload_option ipv6_missing_jumbo_payload_option.pcap ipv6_missing_jumbo_payload_option.out
+ipv6_frag6_negative_len ipv6_frag6_negative_len.pcap ipv6_frag6_negative_len.out -v
 
 # Loopback/CTP test case
 loopback       loopback.pcap           loopback.out
diff --git a/tests/ipv6_frag6_negative_len.out b/tests/ipv6_frag6_negative_len.out
new file mode 100644 (file)
index 0000000..b56a507
--- /dev/null
@@ -0,0 +1 @@
+    1  1975-11-02 10:29:20.131862 IP6 (class 0x50, flowlabel 0x00073, hlim 28, next-header Fragment (44) payload length: 0) 7fff:ffff:c3b2:a102:1305:80:38:2949 > 9675:86dd:7300:2c:1c7f:ffff:ffc3:b2a1: frag (0x80000074:1280|[length < 0] (invalid))
diff --git a/tests/ipv6_frag6_negative_len.pcap b/tests/ipv6_frag6_negative_len.pcap
new file mode 100644 (file)
index 0000000..4243568
Binary files /dev/null and b/tests/ipv6_frag6_negative_len.pcap differ