(for 4.9.3) CVE-2018-16229/DCCP: Fix printing "Timestamp" and "Timestamp Echo" options
authorFrancois-Xavier Le Bail <[email protected]>
Mon, 21 May 2018 07:25:15 +0000 (09:25 +0200)
committerFrancois-Xavier Le Bail <[email protected]>
Tue, 27 Aug 2019 09:20:42 +0000 (11:20 +0200)
Add some comments.

Moreover:
Put a function definition name at the beginning of the line.

(This change was ported from commit 6df4852 in the master branch.)

Ryan Ackroyd had independently identified this buffer over-read later by
means of fuzzing and provided the packet capture file for the test.

print-dccp.c
tests/TESTLIST
tests/dccp_options-oobr.out [new file with mode: 0644]
tests/dccp_options-oobr.pcap [new file with mode: 0644]

index 6e252642724037bab9cde76adc064568c6c40803..bc3feb7c12af3fe79bdabd8e3b98b2b243f0d732 100644 (file)
@@ -530,7 +530,8 @@ static const struct tok dccp_option_values[] = {
        { 0, NULL }
 };
 
-static int dccp_print_option(netdissect_options *ndo, const u_char *option, u_int hlen)
+static int
+dccp_print_option(netdissect_options *ndo, const u_char *option, u_int hlen)
 {
        uint8_t optlen, i;
 
@@ -623,16 +624,54 @@ static int dccp_print_option(netdissect_options *ndo, const u_char *option, u_in
                        }
                        break;
                case 41:
-                       if (optlen == 4)
+               /*
+                * 13.1.  Timestamp Option
+                *
+                *  +--------+--------+--------+--------+--------+--------+
+                *  |00101001|00000110|          Timestamp Value          |
+                *  +--------+--------+--------+--------+--------+--------+
+                *   Type=41  Length=6
+                */
+                       if (optlen == 6)
                                ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
                        else
-                               ND_PRINT((ndo, " optlen != 4"));
+                               ND_PRINT((ndo, " [optlen != 6]"));
                        break;
                case 42:
-                       if (optlen == 4)
+               /*
+                * 13.3.  Timestamp Echo Option
+                *
+                *  +--------+--------+--------+--------+--------+--------+
+                *  |00101010|00000110|           Timestamp Echo          |
+                *  +--------+--------+--------+--------+--------+--------+
+                *   Type=42    Len=6
+                *
+                *  +--------+--------+------- ... -------+--------+--------+
+                *  |00101010|00001000|  Timestamp Echo   |   Elapsed Time  |
+                *  +--------+--------+------- ... -------+--------+--------+
+                *   Type=42    Len=8       (4 bytes)
+                *
+                *  +--------+--------+------- ... -------+------- ... -------+
+                *  |00101010|00001010|  Timestamp Echo   |    Elapsed Time   |
+                *  +--------+--------+------- ... -------+------- ... -------+
+                *   Type=42   Len=10       (4 bytes)           (4 bytes)
+                */
+                       switch (optlen) {
+                       case 6:
                                ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
-                       else
-                               ND_PRINT((ndo, " optlen != 4"));
+                               break;
+                       case 8:
+                               ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
+                               ND_PRINT((ndo, " (elapsed time %u)", EXTRACT_16BITS(option + 6)));
+                               break;
+                       case 10:
+                               ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
+                               ND_PRINT((ndo, " (elapsed time %u)", EXTRACT_32BITS(option + 6)));
+                               break;
+                       default:
+                               ND_PRINT((ndo, " [optlen != 6 or 8 or 10]"));
+                               break;
+                       }
                        break;
                case 43:
                        if (optlen == 6)
@@ -640,7 +679,7 @@ static int dccp_print_option(netdissect_options *ndo, const u_char *option, u_in
                        else if (optlen == 4)
                                ND_PRINT((ndo, " %u", EXTRACT_16BITS(option + 2)));
                        else
-                               ND_PRINT((ndo, " optlen != 4 or 6"));
+                               ND_PRINT((ndo, " [optlen != 4 or 6]"));
                        break;
                case 44:
                        if (optlen > 2) {
index 0645739cb90bddec9450bb67f7325c7fcfcbe2e0..fb8217adb1acd61278835a3957c8f60ed028b702 100644 (file)
@@ -604,6 +604,7 @@ hncp_prefix-oobr    hncp_prefix-oobr.pcapng         hncp_prefix-oobr.out            -vvv
 
 # bad packets from Ryan Ackroyd
 ieee802.11_meshhdr-oobr        ieee802.11_meshhdr-oobr.pcap    ieee802.11_meshhdr-oobr.out     -H -c1
+dccp_options-oobr      dccp_options-oobr.pcap          dccp_options-oobr.out           -vv -c8
 
 # RTP tests
 # fuzzed pcap
diff --git a/tests/dccp_options-oobr.out b/tests/dccp_options-oobr.out
new file mode 100644 (file)
index 0000000..8ca46ef
--- /dev/null
@@ -0,0 +1,19 @@
+IP (tos 0x0, ttl 64, id 65312, offset 0, flags [DF], proto DCCP (33), length 52)
+    139.133.209.176.39420 > 139.133.209.65.5001: DCCP (CCVal 0, CsCov 0, cksum 0xaaf3 (incorrect -> 0x8bf3)) DCCP-Request (service=-189888898) seq 8 <nop, nop, nop, nop, change_l ack_ratio 2, change_r ccid 2, change_l ccid 2>
+IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto DCCP (33), length 68)
+    139.133.209.65.5001 > 139.133.209.176.39420: DCCP (CCVal 0, CsCov 0, ) DCCP-Response (service=0) (ack=38464816766) seq 1960341146 <nop, nop, change_l ack_ratio 2, [|dccp]>
+IP (tos 0x0, ttl 64, id 65313, offset 0, flags [DF], proto DCCP (33), length 56)
+    139.133.209.176.39420 > 139.133.209.65.5001: DCCP (CCVal 0, CsCov 0, cksum 0xf53a (incorrect -> 0xf551)) DCCP-Ack (ack=1960341146) seq 38464816767 <nop, confirm_r ack_ratio 2, ack_vector0 0xe9, timestamp_echo [optlen != 6 or 8 or 10]>
+IP (tos 0x0, ttl 64, id 65314, offset 0, flags [DF], proto DCCP (33), length 152)
+    139.133.209.176.46076 > 139.133.209.65.48009: DCCP (CCVal 0, CsCov 6, ) DCCP-DataAck (ack=1960341146) seq 38464816768 <nop, nop, ack_vector0 0x00, elapsed_time 1249, ndp_count 1>
+IP (tos 0x0, ttl 64, id 3176, offset 0, flags [DF], proto DCCP (33), length 52)
+    139.133.209.65.5001 > 139.133.209.176.39420: DCCP (CCVal 0, CsCov 0, cksum 0xfc63 (correct)) DCCP-Ack (ack=38464816768) seq 1960341147 <nop, ack_vector0 0x01, elapsed_time 1>
+IP (tos 0x0, ttl 64, id 65315, offset 0, flags [DF], proto DCCP (33), length 148)
+    139.133.209.176.39420 > 139.133.209.65.5001: DCCP (CCVal 0, CsCov 6, ) DCCP-DataAck (ack=1960341147) seq 38464816769 <nop, ack_vector0 0x00, elapsed_time 84>
+IP (tos 0x0, ttl 64, id 3177, offset 0, flags [DF], proto DCCP (33), length 52)
+    139.133.209.65.5001 > 139.133.209.176.39420: DCCP (CCVal 0, CsCov 0, cksum 0x0165 (correct)) DCCP-Ack (ack=38464816769) seq 1960341148 <nop, nop, ack_vector0 0x00, ndp_count 1>
+00:07:00:42:00:00 > 00:14:22:59:55:51 Null Information, send seq 0, rcv seq 0, Flags [Command], length 148
+       0x0000:  0000 0000 1422 5955 5100 07e9 bd5d 1f08  ....."YUQ....]..
+       0x0010:  0045 0000 34ff 2040 0040 2181 8b8b 85d1  .E..4..@.@!.....
+       0x0020:  b08b 85d1 4199 fc13 8908 00aa f320 0000  ....A...........
+       0x0030:  08f4 ae86 7e00 0000                      ....~...
diff --git a/tests/dccp_options-oobr.pcap b/tests/dccp_options-oobr.pcap
new file mode 100644 (file)
index 0000000..65deded
Binary files /dev/null and b/tests/dccp_options-oobr.pcap differ