Add missing bounds checking to the DVMRP and PIM print routines.

author guy <guy>

Wed, 19 Nov 2003 09:42:04 +0000 (09:42 +0000)

committer guy <guy>

Wed, 19 Nov 2003 09:42:04 +0000 (09:42 +0000)
author guy <guy>
Wed, 19 Nov 2003 09:42:04 +0000 (09:42 +0000)
committer guy <guy>
Wed, 19 Nov 2003 09:42:04 +0000 (09:42 +0000)
diff --git a/print-dvmrp.c b/print-dvmrp.c

index 4b153a66c599a812574581763d1a9dfddac60144..437e7160c7fa6ee84ba2417eb8866b75ae7eb132 100644 (file)
--- a/print-dvmrp.c
+++ b/print-dvmrp.c
@@ -21,7 +21,7 @@
  
  #ifndef lint
  static const char rcsid[] _U_ =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-dvmrp.c,v 1.26 2003-11-16 09:36:19 guy Exp $ (LBL)";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-dvmrp.c,v 1.27 2003-11-19 09:42:04 guy Exp $ (LBL)";
  #endif
  
  #ifdef HAVE_CONFIG_H
@@ -62,13 +62,13 @@ static const char rcsid[] _U_ =
  #define DVMRP_NF_DISABLED      0x20    /* administratively disabled */
  #define DVMRP_NF_QUERIER       0x40    /* I am the subnet's querier */
  
-static void print_probe(const u_char *, const u_char *, u_int);
-static void print_report(const u_char *, const u_char *, u_int);
-static void print_neighbors(const u_char *, const u_char *, u_int);
-static void print_neighbors2(const u_char *, const u_char *, u_int);
-static void print_prune(const u_char *);
-static void print_graft(const u_char *);
-static void print_graft_ack(const u_char *);
+static int print_probe(const u_char *, const u_char *, u_int);
+static int print_report(const u_char *, const u_char *, u_int);
+static int print_neighbors(const u_char *, const u_char *, u_int);
+static int print_neighbors2(const u_char *, const u_char *, u_int);
+static int print_prune(const u_char *);
+static int print_graft(const u_char *);
+static int print_graft_ack(const u_char *);
  
  static u_int32_t target_level;
  
@@ -82,6 +82,7 @@ dvmrp_print(register const u_char *bp, register u_int len)
         if (bp >= ep)
                 return;
  
+       TCHECK(bp[1]);
         type = bp[1];
  
         /* Skip IGMP header */
@@ -92,14 +93,18 @@ dvmrp_print(register const u_char *bp, register u_int len)
  
         case DVMRP_PROBE:
                 printf(" Probe");
-               if (vflag)
-                       print_probe(bp, ep, len);
+               if (vflag) {
+                       if (print_probe(bp, ep, len) < 0)
+                               goto trunc;
+               }
                 break;
  
         case DVMRP_REPORT:
                 printf(" Report");
-               if (vflag > 1)
-                       print_report(bp, ep, len);
+               if (vflag > 1) {
+                       if (print_report(bp, ep, len) < 0)
+                               goto trunc;
+               }
                 break;
  
         case DVMRP_ASK_NEIGHBORS:
@@ -108,7 +113,8 @@ dvmrp_print(register const u_char *bp, register u_int len)
  
         case DVMRP_NEIGHBORS:
                 printf(" Neighbors(old)");
-               print_neighbors(bp, ep, len);
+               if (print_neighbors(bp, ep, len) < 0)
+                       goto trunc;
                 break;
  
         case DVMRP_ASK_NEIGHBORS2:
@@ -122,34 +128,44 @@ dvmrp_print(register const u_char *bp, register u_int len)
                  * address field
                  */
                 bp -= 4;
+               TCHECK2(bp[0], 4);
                 target_level = (bp[0] << 24) | (bp[1] << 16) |
                     (bp[2] << 8) | bp[3];
                 bp += 4;
-               print_neighbors2(bp, ep, len);
+               if (print_neighbors2(bp, ep, len) < 0)
+                       goto trunc;
                 break;
  
         case DVMRP_PRUNE:
                 printf(" Prune");
-               print_prune(bp);
+               if (print_prune(bp) < 0)
+                       goto trunc;
                 break;
  
         case DVMRP_GRAFT:
                 printf(" Graft");
-               print_graft(bp);
+               if (print_graft(bp) < 0)
+                       goto trunc;
                 break;
  
         case DVMRP_GRAFT_ACK:
                 printf(" Graft-ACK");
-               print_graft_ack(bp);
+               if (print_graft_ack(bp) < 0)
+                       goto trunc;
                 break;
  
         default:
                 printf(" [type %d]", type);
                 break;
         }
+       return;
+
+trunc:
+       printf("[|dvmrp]");
+       return;
  }
  
-static void
+static int 
  print_report(register const u_char *bp, register const u_char *ep,
      register u_int len)
  {
@@ -160,8 +176,9 @@ print_report(register const u_char *bp, register const u_char *ep,
         while (len > 0) {
                 if (len < 3) {
                         printf(" [|]");
-                       return;
+                       return (0);
                 }
+               TCHECK2(bp[0], 3);
                 mask = (u_int32_t)0xff << 24 | bp[0] << 16 | bp[1] << 8 | bp[2];
                 width = 1;
                 if (bp[0])
@@ -177,18 +194,21 @@ print_report(register const u_char *bp, register const u_char *ep,
                 do {
                         if (bp + width + 1 > ep) {
                                 printf(" [|]");
-                               return;
+                               return (0);
                         }
                         if (len < width + 1) {
                                 printf("\n\t  [Truncated Report]");
-                               return;
+                               return (0);
                         }
                         origin = 0;
-                       for (i = 0; i < width; ++i)
+                       for (i = 0; i < width; ++i) {
+                               TCHECK(*bp);
                                 origin = origin << 8 | *bp++;
+                       }
                         for ( ; i < 4; ++i)
                                 origin <<= 8;
  
+                       TCHECK(*bp);
                         metric = *bp++;
                         done = metric & 0x80;
                         metric &= 0x7f;
@@ -197,9 +217,12 @@ print_report(register const u_char *bp, register const u_char *ep,
                         len -= width + 1;
                 } while (!done);
         }
+       return (0);
+trunc:
+       return (-1);
  }
  
-static void
+static int
  print_probe(register const u_char *bp, register const u_char *ep,
      register u_int len)
  {
@@ -209,7 +232,7 @@ print_probe(register const u_char *bp, register const u_char *ep,
         if ((len < 4) || ((bp + 4) > ep)) {
                 /* { (ctags) */
                 printf(" [|}");
-               return;
+               return (0);
         }
         genid = (bp[0] << 24) | (bp[1] << 16) | (bp[2] << 8) | bp[3];
         bp += 4;
@@ -220,19 +243,19 @@ print_probe(register const u_char *bp, register const u_char *ep,
                 printf(" ");
         printf("genid %u", genid);
         if (vflag < 2)
-               return;
+               return (0);
  
         while ((len > 0) && (bp < ep)) {
                 TCHECK2(bp[0], 4);
                 printf("\n\tneighbor %s", ipaddr_string(bp));
                 bp += 4; len -= 4;
         }
-       return;
+       return (0);
  trunc:
-       (void)printf("[|dvmrp]");
+       return (-1);
  }
  
-static void
+static int
  print_neighbors(register const u_char *bp, register const u_char *ep,
      register u_int len)
  {
@@ -258,12 +281,12 @@ print_neighbors(register const u_char *bp, register const u_char *ep,
                         len -= 4;
                 }
         }
-       return;
+       return (0);
  trunc:
-       (void)printf("[|dvmrp]");
+       return (-1);
  }
  
-static void
+static int
  print_neighbors2(register const u_char *bp, register const u_char *ep,
      register u_int len)
  {
@@ -304,15 +327,15 @@ print_neighbors2(register const u_char *bp, register const u_char *ep,
                 }
                 if (ncount != -1) {
                         printf(" [|]");
-                       return;
+                       return (0);
                 }
         }
-       return;
+       return (0);
  trunc:
-       (void)printf("[|dvmrp]");
+       return (-1);
  }
  
-static void
+static int
  print_prune(register const u_char *bp)
  {
         TCHECK2(bp[0], 12);
@@ -320,27 +343,27 @@ print_prune(register const u_char *bp)
         bp += 8;
         (void)printf(" timer ");
         relts_print(EXTRACT_32BITS(bp));
-       return;
+       return (0);
  trunc:
-       (void)printf("[|dvmrp]");
+       return (-1);
  }
  
-static void
+static int
  print_graft(register const u_char *bp)
  {
         TCHECK2(bp[0], 8);
         printf(" src %s grp %s", ipaddr_string(bp), ipaddr_string(bp + 4));
-       return;
+       return (0);
  trunc:
-       (void)printf("[|dvmrp]");
+       return (-1);
  }
  
-static void
+static int
  print_graft_ack(register const u_char *bp)
  {
         TCHECK2(bp[0], 8);
         printf(" src %s grp %s", ipaddr_string(bp), ipaddr_string(bp + 4));
-       return;
+       return (0);
  trunc:
-       (void)printf("[|dvmrp]");
+       return (-1);
  }
diff --git a/print-igmp.c b/print-igmp.c

index 376635901594a25f11474c72d61c20ddd9ad76dc..b0f9fc450ac13d079c83d50ca0869a616e6e8c95 100644 (file)
--- a/print-igmp.c
+++ b/print-igmp.c
@@ -21,7 +21,7 @@
  
  #ifndef lint
  static const char rcsid[] _U_ =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-igmp.c,v 1.13 2003-11-16 09:36:23 guy Exp $ (LBL)";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-igmp.c,v 1.14 2003-11-19 09:42:04 guy Exp $ (LBL)";
  #endif
  
  #ifdef HAVE_CONFIG_H
@@ -218,6 +218,7 @@ print_igmpv3_query(register const u_char *bp, register u_int len)
         (void)printf(" [invalid len %d]", len);
         return;
      }
+    TCHECK(bp[1]);
      mrc = bp[1];
      if (mrc < 128) {
         mrt = mrc;
@@ -263,19 +264,21 @@ igmp_print(register const u_char *bp, register u_int len)
          return;
      }
  
-    TCHECK2(bp[0], 8);
+    TCHECK(bp[0]);
      switch (bp[0]) {
      case 0x11:
          (void)printf("igmp query");
         if (len >= 12)
             print_igmpv3_query(bp, len);
         else {
+            TCHECK(bp[1]);
             if (bp[1]) {
                 (void)printf(" v2");
                 if (bp[1] != 100)
                     (void)printf(" [max resp time %d]", bp[1]);
             } else
                 (void)printf(" v1");
+            TCHECK2(bp[4], 4);
             if (EXTRACT_32BITS(&bp[4]))
                  (void)printf(" [gaddr %s]", ipaddr_string(&bp[4]));
              if (len != 8)
@@ -283,11 +286,13 @@ igmp_print(register const u_char *bp, register u_int len)
         }
          break;
      case 0x12:
+        TCHECK2(bp[4], 4);
          (void)printf("igmp v1 report %s", ipaddr_string(&bp[4]));
          if (len != 8)
              (void)printf(" [len %d]", len);
          break;
      case 0x16:
+        TCHECK2(bp[4], 4);
          (void)printf("igmp v2 report %s", ipaddr_string(&bp[4]));
          break;
      case 0x22:
diff --git a/print-pim.c b/print-pim.c

index 57d8f9f8f8a51fd80f59841d1cf16bc1f95d2166..aac29bc839b3ed1e0655e795eb46c59da11da7cf 100644 (file)
--- a/print-pim.c
+++ b/print-pim.c
@@ -21,7 +21,7 @@
  
  #ifndef lint
  static const char rcsid[] _U_ =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-pim.c,v 1.39 2003-11-16 09:36:32 guy Exp $ (LBL)";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-pim.c,v 1.40 2003-11-19 09:42:05 guy Exp $ (LBL)";
  #endif
  
  #ifdef HAVE_CONFIG_H
@@ -154,6 +154,7 @@ pimv1_print(register const u_char *bp, register u_int len)
         if (bp >= ep)
                 return;
  
+       TCHECK(bp[1]);
         type = bp[1];
  
         switch (type) {
author	guy <guy>
	Wed, 19 Nov 2003 09:42:04 +0000 (09:42 +0000)
committer	guy <guy>
	Wed, 19 Nov 2003 09:42:04 +0000 (09:42 +0000)
print-dvmrp.c		patch \| blob \| history
print-igmp.c		patch \| blob \| history
print-pim.c		patch \| blob \| history