(for 4.9.3) LMP: Add some missing bounds checks

author Francois-Xavier Le Bail <[email protected]>

Tue, 17 Oct 2017 20:40:13 +0000 (22:40 +0200)

committer Francois-Xavier Le Bail <[email protected]>

Sun, 18 Aug 2019 18:35:51 +0000 (20:35 +0200)
author Francois-Xavier Le Bail <[email protected]>
Tue, 17 Oct 2017 20:40:13 +0000 (22:40 +0200)
committer Francois-Xavier Le Bail <[email protected]>
Sun, 18 Aug 2019 18:35:51 +0000 (20:35 +0200)
diff --git a/print-lmp.c b/print-lmp.c

index ee126a0195b50d43254db78b88977cf59b573c97..e83610117844d14bff25816b81e6b75962d3132c 100644 (file)
--- a/print-lmp.c
+++ b/print-lmp.c
@@ -31,6 +31,8 @@
  #include "addrtoname.h"
  #include "gmpls.h"
  
+static const char tstr[] = " [|LMP]";
+
  /*
   * LMP common header
   *
@@ -367,6 +369,7 @@ lmp_print_data_link_subobjs(netdissect_options *ndo, const u_char *obj_tptr,
      } bw;
  
      while (total_subobj_len > 0 && hexdump == FALSE ) {
+       ND_TCHECK_16BITS(obj_tptr + offset);
         subobj_type = EXTRACT_8BITS(obj_tptr + offset);
         subobj_len  = EXTRACT_8BITS(obj_tptr + offset + 1);
         ND_PRINT((ndo, "\n\t    Subobject, Type: %s (%u), Length: %u",
@@ -389,11 +392,13 @@ lmp_print_data_link_subobjs(netdissect_options *ndo, const u_char *obj_tptr,
         }
         switch(subobj_type) {
         case INT_SWITCHING_TYPE_SUBOBJ:
+           ND_TCHECK_8BITS(obj_tptr + offset + 2);
             ND_PRINT((ndo, "\n\t      Switching Type: %s (%u)",
                 tok2str(gmpls_switch_cap_values,
                         "Unknown",
                         EXTRACT_8BITS(obj_tptr + offset + 2)),
                         EXTRACT_8BITS(obj_tptr + offset + 2)));
+           ND_TCHECK_8BITS(obj_tptr + offset + 3);
             ND_PRINT((ndo, "\n\t      Encoding Type: %s (%u)",
                 tok2str(gmpls_encoding_values,
                         "Unknown",
@@ -403,11 +408,13 @@ lmp_print_data_link_subobjs(netdissect_options *ndo, const u_char *obj_tptr,
             bw.i = EXTRACT_32BITS(obj_tptr+offset+4);
             ND_PRINT((ndo, "\n\t      Min Reservable Bandwidth: %.3f Mbps",
                  bw.f*8/1000000));
+           ND_TCHECK_32BITS(obj_tptr + offset + 8);
             bw.i = EXTRACT_32BITS(obj_tptr+offset+8);
             ND_PRINT((ndo, "\n\t      Max Reservable Bandwidth: %.3f Mbps",
                  bw.f*8/1000000));
             break;
         case WAVELENGTH_SUBOBJ:
+           ND_TCHECK_32BITS(obj_tptr + offset + 4);
             ND_PRINT((ndo, "\n\t      Wavelength: %u",
                 EXTRACT_32BITS(obj_tptr+offset+4)));
             break;
@@ -1141,7 +1148,7 @@ lmp_print(netdissect_options *ndo,
      }
      return;
  trunc:
-    ND_PRINT((ndo, "\n\t\t packet exceeded snapshot"));
+    ND_PRINT((ndo, "%s", tstr));
  }
  /*
   * Local Variables:
diff --git a/tests/lmp-lmp_print_data_link_subobjs-oobr.out b/tests/lmp-lmp_print_data_link_subobjs-oobr.out

index 6709b26b78d0c72c7dd0c5ac89e29b9805559724..b655b07f1030d806d8e007a64f6d7a65730dc330 100644 (file)
--- a/tests/lmp-lmp_print_data_link_subobjs-oobr.out
+++ b/tests/lmp-lmp_print_data_link_subobjs-oobr.out
@@ -7,8 +7,7 @@ IP (tos 0xfd,ECT(1), ttl 254, id 45839, offset 0, flags [+, DF, rsvd], proto UDP
             Remote Interface ID: 3657433088 (0xda000000)
             Subobject, Type: Interface Switching Type (1), Length: 4
               Switching Type: Unknown (0)
-             Encoding Type: Unknown (0)
-                packet exceeded snapshot
+             Encoding Type: Unknown (0) [|LMP]
  IP (tos 0xfd,ECT(1), ttl 254, id 45839, offset 0, flags [+, DF, rsvd], proto UDP (17), length 56871, bad cksum fe07 (->ddf0)!)
      17.8.8.255.701 > 40.184.42.8.12: 
         LMPv1, msg-type: unknown, type: 249, Flags: [none], length: 212
@@ -18,5 +17,4 @@ IP (tos 0xfd,ECT(1), ttl 254, id 45839, offset 0, flags [+, DF, rsvd], proto UDP
             Remote Interface ID: 3657433088 (0xda000000)
             Subobject, Type: Interface Switching Type (1), Length: 4
               Switching Type: Unknown (0)
-             Encoding Type: Unknown (0)
-                packet exceeded snapshot
+             Encoding Type: Unknown (0) [|LMP]
diff --git a/tests/lmpv1_busyloop.out b/tests/lmpv1_busyloop.out

index b85b0e88fa2490376b8059d20e7a005518d114b7..f6b88ed3ea5ba77772e6d5169000cca12dba43d6 100644 (file)
--- a/tests/lmpv1_busyloop.out
+++ b/tests/lmpv1_busyloop.out
@@ -38,5 +38,4 @@
             0x01d0:  0200 0200 0002 0002 0000 0200 0200 0002
             0x01e0:  0002 0000 0200 0200 0002 0002 0000 0200
             0x01f0:  0200 0002 0002 0000 0200 0200 0002 0002
-         Unknown Object (0), Class-Type: Unknown (0) Flags: [non-negotiable], length: 512
-                packet exceeded snapshot
+         Unknown Object (0), Class-Type: Unknown (0) Flags: [non-negotiable], length: 512 [|LMP]
author	Francois-Xavier Le Bail <[email protected]>
	Tue, 17 Oct 2017 20:40:13 +0000 (22:40 +0200)
committer	Francois-Xavier Le Bail <[email protected]>
	Sun, 18 Aug 2019 18:35:51 +0000 (20:35 +0200)
print-lmp.c		patch \| blob \| history
tests/lmp-lmp_print_data_link_subobjs-oobr.out		patch \| blob \| history
tests/lmpv1_busyloop.out		patch \| blob \| history