Don't try decrypting a fragmented ESP packet; the IP proto number and

 padding info are in the last fragment but the header is in the first
 fragment.
Pass padding length back to IP to allow trimming the padding.
Update in_cksum() prototype to allow using it for checksums including
 the pseudo-header.

diff --git a/interface.h b/interface.h
index 1113d482f61882a6b62b45c97f1062db15d1430d..d9de4a089a0f00860200a5b99002e3da24b77f8b 100644 (file)
--- a/interface.h
+++ b/interface.h
@@ -18,7 +18,7 @@
  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  *
- * @(#) $Header: /tcpdump/master/tcpdump/interface.h,v 1.166 2001-07-05 18:54:13 guy Exp $ (LBL)
+ * @(#) $Header: /tcpdump/master/tcpdump/interface.h,v 1.167 2001-08-20 17:52:39 fenner Exp $ (LBL)
  */
 
 #ifndef tcpdump_interface_h
@@ -259,7 +259,7 @@ extern void timed_print(const u_char *, u_int);
 extern void udp_print(const u_char *, u_int, const u_char *, int);
 extern void wb_print(const void *, u_int);
 extern int ah_print(register const u_char *, register const u_char *);
-extern int esp_print(register const u_char *, register const u_char *, int *);
+extern int esp_print(register const u_char *, register const u_char *, int *, int *);
 extern void isakmp_print(const u_char *, u_int, const u_char *);
 extern int ipcomp_print(register const u_char *, register const u_char *, int *);
 extern void rx_print(register const u_char *, int, int, int, u_char *);
@@ -294,7 +294,7 @@ extern int rt6_print(const u_char *, const u_char *);
 extern void ospf6_print(const u_char *, u_int);
 extern void dhcp6_print(const u_char *, u_int, u_int16_t, u_int16_t);
 #endif /*INET6*/
-extern u_short in_cksum(const u_short *, register int, u_short);
+extern u_short in_cksum(const u_short *, register int, int);
 
 #ifndef HAVE_BPF_DUMP
 struct bpf_program;

diff --git a/print-esp.c b/print-esp.c
index 152b6c6aafda10f90be4a79e824ace1e63ce8b64..c06543f526925e490f74155386e3afe2ccd2fd19 100644 (file)
--- a/print-esp.c
+++ b/print-esp.c
@@ -23,7 +23,7 @@
 
 #ifndef lint
 static const char rcsid[] =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-esp.c,v 1.18 2001-04-13 02:56:38 itojun Exp $ (LBL)";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-esp.c,v 1.19 2001-08-20 17:52:38 fenner Exp $ (LBL)";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -61,7 +61,7 @@ static const char rcsid[] =
 #include "addrtoname.h"
 
 int
-esp_print(register const u_char *bp, register const u_char *bp2, int *nhdr)
+esp_print(register const u_char *bp, register const u_char *bp2, int *nhdr, int *padlen)
 {
        register const struct esp *esp;
        register const u_char *ep;
@@ -145,6 +145,9 @@ esp_print(register const u_char *bp, register const u_char *bp2, int *nhdr)
                break;
 #endif /*INET6*/
        case 4:
+               /* nexthdr & padding are in the last fragment */
+               if (ntohs(ip->ip_off) & IP_MF)
+                       goto fail;
 #ifdef INET6
                ip6 = NULL;
 #endif
@@ -291,6 +294,9 @@ esp_print(register const u_char *bp, register const u_char *bp2, int *nhdr)
        if (ep - bp < *(ep - 2))
                goto fail;
 
+       if (padlen)
+               *padlen = *(ep - 2) + 2;
+
        if (nhdr)
                *nhdr = *(ep - 1);
 

diff --git a/print-ip.c b/print-ip.c
index 3cc07768b1cd6537671264ed52aeed5a9eeb8b5a..8d1bbdad08a2efdc94778ba01be548ee504fcf93 100644 (file)
--- a/print-ip.c
+++ b/print-ip.c
@@ -21,7 +21,7 @@
 
 #ifndef lint
 static const char rcsid[] =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-ip.c,v 1.98 2001-06-15 22:17:33 fenner Exp $ (LBL)";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-ip.c,v 1.99 2001-08-20 17:52:39 fenner Exp $ (LBL)";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -217,7 +217,7 @@ ip_optprint(register const u_char *cp, u_int length)
  * don't modifiy the packet.
  */
 u_short
-in_cksum(const u_short *addr, register int len, u_short csum)
+in_cksum(const u_short *addr, register int len, int csum)
 {
        int nleft = len;
        const u_short *w = addr;
@@ -341,10 +341,10 @@ again:
 #endif
                case IPPROTO_ESP:
                    {
-                       int enh;
-                       advance = esp_print(cp, (const u_char *)ip, &enh);
+                       int enh, padlen;
+                       advance = esp_print(cp, (const u_char *)ip, &enh, &padlen);
                        cp += advance;
-                       len -= advance;
+                       len -= advance + padlen;
                        if (enh < 0)
                                break;
                        nh = enh & 0xff;

diff --git a/print-ip6.c b/print-ip6.c
index 9074a9a5d82741516ab6746ef6a10393ddeac0d6..1965c3fd295a9eea36a1229544ce5a0f742062e6 100644 (file)
--- a/print-ip6.c
+++ b/print-ip6.c
@@ -21,7 +21,7 @@
 
 #ifndef lint
 static const char rcsid[] =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-ip6.c,v 1.16 2000-11-17 19:08:15 itojun Exp $";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-ip6.c,v 1.17 2001-08-20 17:52:40 fenner Exp $";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -143,11 +143,12 @@ ip6_print(register const u_char *bp, register int length)
                        break;
                case IPPROTO_ESP:
                    {
-                       int enh;
-                       advance = esp_print(cp, (const u_char *)ip6, &enh);
+                       int enh, padlen;
+                       advance = esp_print(cp, (const u_char *)ip6, &enh, &padlen);
                        if (enh < 0)
                                goto end;
                        nh = enh & 0xff;
+                       len -= padlen;
                        break;
                    }
 #ifndef IPPROTO_IPCOMP