fix bug #303 (DLT_IEEE802_11_RADIO ext. bitmaps)

This bug was discovered and pinned down by Wim Torfs.

The code in question handles DLT_IEEE802_11_RADIO datalink type, which
consists of a variable-sized header, a variable number of fields and the
actual 802.11 frame. The integers contained in the fields are aligned,
properly extracting them is exactly the purpose of the existing "cpack"
module. The issue with the current code is that it sets alignment base
for cpack at the end of the variable-sized header, in other words,
64-bit integers would be properly extracted only so long as the header
is 64-bit long, which only happens when the total number of bitmaps in
it is odd (the minimum number of bitmaps is one). Once this condition
isn't met, as is with two bitmaps, decoding becomes incorrect. The
reporter's point that the alignment base must be the beginning of the
variable-sized header is accurate.

This commit adds a new cpack_advance() function to fast-forward the
"c_next" pointer of a cpack_state context by an arbitrary number of
octets. The ieee802_11_radio_print() function now uses it to skip the
header and all its bitmaps, and the alignment base is now the header
start.

diff --git a/cpack.c b/cpack.c
index c921b390591872795c8cdfbedf7fec8c4767e905..b863d8e71fb55b029ee32bb8e3725bad3aee81d4 100644 (file)
--- a/cpack.c
+++ b/cpack.c
@@ -68,6 +68,17 @@ cpack_align_and_reserve(struct cpack_state *cs, size_t wordsize)
        return next;
 }
 
+/* Advance by N bytes without returning them. */
+int
+cpack_advance(struct cpack_state *cs, const size_t toskip)
+{
+       /* No space left? */
+       if (cs->c_next - cs->c_buf + toskip > cs->c_len)
+               return -1;
+       cs->c_next += toskip;
+       return 0;
+}
+
 int
 cpack_init(struct cpack_state *cs, u_int8_t *buf, size_t buflen)
 {

diff --git a/cpack.h b/cpack.h
index 74f97960adb8873d6ef22a28ab53f74906606ed1..383927f781fd43fc5f6219028b7db6cca5eb358a 100644 (file)
--- a/cpack.h
+++ b/cpack.h
@@ -51,4 +51,6 @@ u_int8_t *cpack_align_and_reserve(struct cpack_state *cs, size_t wordsize);
 #define cpack_int32(__s, __p)  cpack_uint32((__s), (u_int32_t*)(__p))
 #define cpack_int64(__s, __p)  cpack_uint64((__s), (u_int64_t*)(__p))
 
+extern int cpack_advance(struct cpack_state *, const size_t);
+
 #endif /* _CPACK_H */

diff --git a/print-802_11.c b/print-802_11.c
index 97badb9fc83eeb8a7011fdb84e9861ac9a9085b5..603e9460cafdd36caee7261b83e113236cabcdea 100644 (file)
--- a/print-802_11.c
+++ b/print-802_11.c
@@ -2209,7 +2209,6 @@ ieee802_11_radio_print(const u_char *p, u_int length, u_int caplen)
        u_int32_t *presentp, *last_presentp;
        enum ieee80211_radiotap_type bit;
        int bit0;
-       const u_char *iter;
        u_int len;
        u_int8_t flags;
        int pad;
@@ -2229,10 +2228,13 @@ ieee802_11_radio_print(const u_char *p, u_int length, u_int caplen)
                printf("[|802.11]");
                return caplen;
        }
+       cpack_init(&cpacker, (u_int8_t *)hdr, len); /* align against header start */
+       cpack_advance(&cpacker, sizeof(*hdr)); /* includes the 1st bitmap */
        for (last_presentp = &hdr->it_present;
             IS_EXTENDED(last_presentp) &&
             (u_char*)(last_presentp + 1) <= p + len;
-            last_presentp++);
+            last_presentp++)
+         cpack_advance(&cpacker, sizeof(hdr->it_present)); /* more bitmaps */
 
        /* are there more bitmap extensions than bytes in header? */
        if (IS_EXTENDED(last_presentp)) {
@@ -2240,14 +2242,6 @@ ieee802_11_radio_print(const u_char *p, u_int length, u_int caplen)
                return caplen;
        }
 
-       iter = (u_char*)(last_presentp + 1);
-
-       if (cpack_init(&cpacker, (u_int8_t*)iter, len - (iter - p)) != 0) {
-               /* XXX */
-               printf("[|802.11]");
-               return caplen;
-       }
-
        /* Assume no flags */
        flags = 0;
        /* Assume no Atheros padding between 802.11 header and body */

diff --git a/tests/ieee802.11_exthdr.out b/tests/ieee802.11_exthdr.out
new file mode 100644 (file)
index 0000000..dd1689d
--- /dev/null
+++ b/tests/ieee802.11_exthdr.out
@@ -0,0 +1,26 @@
+10016360us tsft 1.0 Mb/s 2412 MHz 11b -22dB signal -86dB noise antenna 1 [bit 31] 0us Probe Request (omus) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
+10018922us tsft 1.0 Mb/s 2412 MHz 11b -19dB signal -86dB noise antenna 0 [bit 31] 0us Acknowledgment RA:90:a4:de:c0:46:0a 
+10017245us tsft 1.0 Mb/s -86dB noise 27dBm tx power [bit 15] 314us Probe Response (omus) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1
+10085301us tsft 1.0 Mb/s 2412 MHz 11b -19dB signal -86dB noise antenna 1 [bit 31] 0us Probe Request (omus) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
+10087718us tsft 1.0 Mb/s 2412 MHz 11b -18dB signal -86dB noise antenna 0 [bit 31] 0us Acknowledgment RA:90:a4:de:c0:46:0a 
+10086042us tsft 1.0 Mb/s -86dB noise 27dBm tx power [bit 15] 314us Probe Response (omus) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1
+10284358us tsft 1.0 Mb/s 2412 MHz 11b -61dB signal -86dB noise antenna 1 [bit 31] 0us Probe Request (omus) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
+10288217us tsft 1.0 Mb/s 2412 MHz 11b -46dB signal -86dB noise antenna 0 [bit 31] 0us Acknowledgment RA:90:a4:de:c0:46:0a 
+10286542us tsft 1.0 Mb/s -86dB noise 27dBm tx power [bit 15] 314us Probe Response (omus) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1
+10351366us tsft 1.0 Mb/s 2412 MHz 11b -70dB signal -86dB noise antenna 1 [bit 31] 0us Probe Request (omus) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
+10353769us tsft 1.0 Mb/s 2412 MHz 11b -57dB signal -86dB noise antenna 0 [bit 31] 0us Acknowledgment RA:90:a4:de:c0:46:0a 
+10352092us tsft 1.0 Mb/s -86dB noise 27dBm tx power [bit 15] 314us Probe Response (omus) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1
+10418368us tsft 1.0 Mb/s 2412 MHz 11b -67dB signal -86dB noise antenna 1 [bit 31] 0us Probe Request (omus) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
+10420929us tsft 1.0 Mb/s 2412 MHz 11b -73dB signal -86dB noise antenna 0 [bit 31] 0us Acknowledgment RA:90:a4:de:c0:46:0a 
+10419253us tsft 1.0 Mb/s -86dB noise 27dBm tx power [bit 15] 314us Probe Response (omus) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1
+10485371us tsft 1.0 Mb/s 2412 MHz 11b -72dB signal -86dB noise antenna 1 [bit 31] 0us Probe Request (omus) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
+10489278us tsft 1.0 Mb/s 2412 MHz 11b -74dB signal -86dB noise antenna 0 [bit 31] 0us Acknowledgment RA:90:a4:de:c0:46:0a 
+10487602us tsft 1.0 Mb/s -86dB noise 27dBm tx power [bit 15] 314us Probe Response (omus) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1
+13338508us tsft 1.0 Mb/s 2412 MHz 11b -14dB signal -86dB noise antenna 1 [bit 31] 314us Authentication (Open System)-1: Successful
+13340215us tsft 1.0 Mb/s 2412 MHz 11b -17dB signal -86dB noise antenna 0 [bit 31] 0us Acknowledgment RA:90:a4:de:c0:46:0a 
+13339435us tsft 1.0 Mb/s -86dB noise 27dBm tx power [bit 15] 314us Authentication (Open System)-2: 
+13341999us tsft 1.0 Mb/s 2412 MHz 11b -18dB signal -86dB noise antenna 1 [bit 31] 314us Assoc Request (omus) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
+13346458us tsft 1.0 Mb/s 2412 MHz 11b -18dB signal -86dB noise antenna 0 [bit 31] 0us Acknowledgment RA:90:a4:de:c0:46:0a 
+13344925us tsft 1.0 Mb/s -86dB noise 27dBm tx power [bit 15] 314us Assoc Response AID(1) :: Successful
+13355433us tsft 2412 MHz 11g -22dB signal -86dB noise antenna 1 19.5 Mb/s MCS 2 20 MHz lon GI [bit 31] 48us 
+13454791us tsft 2412 MHz 11g -21dB signal -86dB noise antenna 1 52.0 Mb/s MCS 11 20 MHz lon GI [bit 31] Pwr Mgmt 44us