DNS: Use ND_TCHECK_LEN() instead of a custom bounds check
authorFrancois-Xavier Le Bail <[email protected]>
Sat, 8 Feb 2025 10:36:07 +0000 (11:36 +0100)
committerfxlb <[email protected]>
Sat, 8 Feb 2025 21:17:34 +0000 (21:17 +0000)
This avoids an invalid-pointer-pair AddressSanitizer error.

Add a test file.

The error was:
reading from file ppp_ip_udp_dns.pcap, link-type PPP_SERIAL(PPP over
  serial), snapshot length 2098998
=================================================================
==258093==ERROR: AddressSanitizer: invalid-pointer-pair: 0x61300000c086
  0x61300000019e
    #0 0x78274f in ns_rprint [...]/print-domain.c:728:9

Address 0x61300000c086 is a wild pointer inside of access range of size
  0x000000000001.
0x61300000019e is located 0 bytes after 350-byte region
  [0x613000000040,0x61300000019e)
allocated by thread T0 here:
    #0 0x4b997e in malloc ([...]/tcpdump+0x4b997e)
    #1 0x60220b in ppp_hdlc [...]/print-ppp.c:1367:16

SUMMARY: AddressSanitizer: invalid-pointer-pair
  [...]/print-domain.c:728:9 in ns_rprint

print-domain.c
tests/TESTLIST
tests/ppp_ip_udp_dns.out [new file with mode: 0644]
tests/ppp_ip_udp_dns.pcap [new file with mode: 0644]

index 7ac891f047161be1e525634676f4ab2d3b72e61d..08d8460a4995894902ef4db994dbf61d1ea3d720 100644 (file)
@@ -722,11 +722,10 @@ ns_rprint(netdissect_options *ndo,
        len = GET_BE_U_2(cp);
        cp += 2;
 
-       rp = cp + len;
-
        ND_PRINT(" %s", tok2str(ns_type2str, "Type%u", typ));
-       if (rp > ndo->ndo_snapend)
-               return(NULL);
+
+       ND_TCHECK_LEN(cp, len);
+       rp = cp + len;
 
        switch (typ) {
        case T_A:
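Review bot: The new `ND_TCHECK_LEN(cp, len);` / `rp = cp + len;` pair at the end of the hunk deserves a why-comment, because the ordering is the whole fix: the removed code formed `cp + len` first and only then compared it with `ndo->ndo_snapend`, and a pointer formed past the end of the buffer is undefined behaviour in C even if it is merely compared, which is what the ASan invalid-pointer-pair report in the commit message flagged. Suggest `/* Bounds-check len before forming rp; computing cp + len past the buffer is UB (ASan invalid-pointer-pair). */` above the check. The truncation semantics appear unchanged — the old test allowed `rp == snapend`, and ND_TCHECK_LEN() presumably accepts exactly `len` bytes remaining as well — but that depends on the macro's definition, which is not in the hunk. Other `rp = cp + len` / `> ndo->ndo_snapend` sites in this file or other dissectors, if any exist, have the same problem and are worth a grep. ns_rprint starts before this hunk and its body continues past it.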
@@ -896,6 +895,9 @@ ns_rprint(netdissect_options *ndo,
            }
        }
        return (rp);            /* XXX This isn't always right */
+
+trunc:
+       return(NULL);
 }
 
 void
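Review bot: The new `trunc:` label returns NULL without a comment, and the only nearby hint about what NULL means to the caller is the pre-existing `/* XXX This isn't always right */` on the normal return. A one-line comment would help: `trunc:	/* RDATA runs past the captured data (ND_TCHECK_LEN above); NULL presumably makes the caller print a truncation marker */`. The trailing `[|domain]` in the new test output suggests that is indeed how the caller reports it, but confirm against the call site, which is outside this hunk. ns_rprint's body begins well before this hunk.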
index d2784df2fb5c07d01967c765aa2f126de64be18e..d1abd13f9111318155791f944a8d1c76efee660f 100644 (file)
@@ -359,6 +359,7 @@ dns_udp dns_udp.pcap dns_udp.out
 dns_udp-v dns_udp.pcap dns_udp-v.out -v
 dns_udp-vv dns_udp.pcap dns_udp-vv.out -vv
 dns_udp-vvv dns_udp.pcap dns_udp-vvv.out -vvv
+ppp_ip_udp_dns-vv ppp_ip_udp_dns.pcap ppp_ip_udp_dns.out -vv
 # tests with --skip option
 dns_tcp-skip-3 dns_tcp.pcap dns_tcp-skip-3.out --skip 3
 dns_tcp-skip-3-c-4 dns_tcp.pcap dns_tcp-skip-3-c-4.out --skip 3 -c 4
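Review bot: The added entry names the test `ppp_ip_udp_dns-vv` but its output file `ppp_ip_udp_dns.out`, whereas the neighbouring entries pair a `-vv` test name with a `-vv.out` file (`dns_udp-vv dns_udp.pcap dns_udp-vv.out -vv`). Either drop the suffix from the test name or rename the output to `ppp_ip_udp_dns-vv.out` so that a later non-verbose or `-v` variant of the same capture does not collide with it.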
diff --git a/tests/ppp_ip_udp_dns.out b/tests/ppp_ip_udp_dns.out
new file mode 100644 (file)
index 0000000..d35ad22
--- /dev/null
@@ -0,0 +1,2 @@
+    1  2037-11-24 07:59:58.999999 unknown PPP protocol (0x7e08): IP [total length 49441 > length 348] (invalid) (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 49441, bad cksum 45ee (->13)!)
+    69.168.178.248.53 > 192.168.0.111.1024: [bad udp cksum 0x33ea -> 0x73b6!] 0 [0q] [65535au] ar: . OPT UDPsize=26995 [Opt25701], . (Class 3584) Type0 [|domain]
diff --git a/tests/ppp_ip_udp_dns.pcap b/tests/ppp_ip_udp_dns.pcap
new file mode 100644 (file)
index 0000000..9b983e3
Binary files /dev/null and b/tests/ppp_ip_udp_dns.pcap differ