LDP: Add some missing bounds checks
authorFrancois-Xavier Le Bail <[email protected]>
Sat, 18 Jan 2020 16:32:36 +0000 (17:32 +0100)
committerFrancois-Xavier Le Bail <[email protected]>
Sat, 18 Jan 2020 18:30:38 +0000 (19:30 +0100)
Replace calls to ipaddr_string()/ip6addr_string() with calls to
GET_IPADDR_STRING()/GET_IP6ADDR_STRING() macros performing bounds
checking.

Fix a regression in 78a4ee82226a3fe19981841dfe24d5e9cb437524.

This fixes a buffer over-read in ldp_tlv_print() discovered by
Jason Xiaole.

Add a test using the capture file supplied by the reporter, updated
to keep only the packet showing the buffer over-read.

print-ldp.c
tests/TESTLIST
tests/ldp_tlv_print-oobr.out [new file with mode: 0644]
tests/ldp_tlv_print-oobr.pcap [new file with mode: 0644]

index b747fe7da1813af91c6473578ca72ab1e967a3e4..b05a1218e484ae28de28c35a8d281b5f18db3b53 100644 (file)
@@ -288,11 +288,11 @@ ldp_tlv_print(netdissect_options *ndo,
 
     case LDP_TLV_IPV4_TRANSPORT_ADDR:
         TLV_TCHECK(4);
-        ND_PRINT("\n\t      IPv4 Transport Address: %s", ipaddr_string(ndo, tptr));
+        ND_PRINT("\n\t      IPv4 Transport Address: %s", GET_IPADDR_STRING(tptr));
         break;
     case LDP_TLV_IPV6_TRANSPORT_ADDR:
         TLV_TCHECK(16);
-        ND_PRINT("\n\t      IPv6 Transport Address: %s", ip6addr_string(ndo, tptr));
+        ND_PRINT("\n\t      IPv6 Transport Address: %s", GET_IP6ADDR_STRING(tptr));
         break;
     case LDP_TLV_CONFIG_SEQ_NUMBER:
         TLV_TCHECK(4);
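Review bot: The `TLV_TCHECK(4)` / `TLV_TCHECK(16)` guards that precede the two rewritten ND_PRINT calls evidently bound only the TLV's declared length (`tlv_tlen`) and not the captured data, which is why the unchecked `ipaddr_string()` call could over-read and why the new expected output ends in `[|ldp]` for an IPv4 Transport Address TLV whose declared length is 4. Swapping in `GET_IPADDR_STRING()` / `GET_IP6ADDR_STRING()` is the right fix, but nothing in the code records that the two checks guard different things, so the next reader may again assume `TLV_TCHECK` alone is sufficient. A comment above the first case would make the split explicit, e.g. `/* TLV_TCHECK validates the declared TLV length; the GET_* accessors bound the captured data */`. ldp_tlv_print begins and ends outside this hunk, and the exact definition of TLV_TCHECK is not visible here.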
@@ -310,7 +310,7 @@ ldp_tlv_print(netdissect_options *ndo,
         case AFNUM_INET:
            while(tlv_tlen >= sizeof(nd_ipv4)) {
                ND_TCHECK_LEN(tptr, sizeof(nd_ipv4));
-               ND_PRINT(" %s", ipaddr_string(ndo, tptr));
+               ND_PRINT(" %s", GET_IPADDR_STRING(tptr));
                tlv_tlen-=sizeof(nd_ipv4);
                tptr+=sizeof(nd_ipv4);
            }
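Review bot: With `GET_IPADDR_STRING(tptr)` now doing its own bounds check, the `ND_TCHECK_LEN(tptr, sizeof(nd_ipv4))` immediately before it checks the same bytes twice; the AFNUM_INET6 loop in the next hunk has the same pair with `ND_TCHECK_LEN(tptr, sizeof(nd_ipv6))` and `GET_IP6ADDR_STRING(tptr)`. The duplication is harmless, but it should either be removed in both loops or kept with a one-line comment stating why, e.g. `/* explicit check kept so truncation is reported at the list level */`. Whether the two checks report a truncated list identically cannot be confirmed from the hunk. The enclosing switch and ldp_tlv_print continue outside the hunk.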
@@ -318,7 +318,7 @@ ldp_tlv_print(netdissect_options *ndo,
         case AFNUM_INET6:
            while(tlv_tlen >= sizeof(nd_ipv6)) {
                ND_TCHECK_LEN(tptr, sizeof(nd_ipv6));
-               ND_PRINT(" %s", ip6addr_string(ndo, tptr));
+               ND_PRINT(" %s", GET_IP6ADDR_STRING(tptr));
                tlv_tlen-=sizeof(nd_ipv6);
                tptr+=sizeof(nd_ipv6);
            }
@@ -606,7 +606,7 @@ ldp_pdu_print(netdissect_options *ndo,
     /* print the LSR-ID, label-space & length */
     ND_PRINT("%sLDP, Label-Space-ID: %s:%u, pdu-length: %u",
            (ndo->ndo_vflag < 1) ? "" : "\n\t",
-           ipaddr_string(ndo, ldp_com_header->lsr_id),
+           GET_IPADDR_STRING(ldp_com_header->lsr_id),
            GET_BE_U_2(ldp_com_header->label_space),
            pdu_len);
 
index 54f3f7a3839d1f94358038ec3c0bd389b1878711..a61fdfcfd0b9f43e2752b0d4f4753407a87fe7a5 100644 (file)
@@ -753,3 +753,6 @@ smb_data_print-oobr smb_data_print-oobr.pcapng smb_data_print-oobr.out -vv
 smb_data_print-segv smb_data_print-segv.pcapng smb_data_print-segv.out -vv
 #ptp tests
 ptp         ptp.pcap    ptp.out
+
+# bad packets from Jason Xiaole
+ldp_tlv_print-oobr ldp_tlv_print-oobr.pcap ldp_tlv_print-oobr.out -v
diff --git a/tests/ldp_tlv_print-oobr.out b/tests/ldp_tlv_print-oobr.out
new file mode 100644 (file)
index 0000000..1ec4d34
--- /dev/null
@@ -0,0 +1,7 @@
+    1  05:27:12.1010580 IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->699d)!)
+    48.48.48.48.12336 > 48.48.48.48.646: 
+       LDP, Label-Space-ID: 48.48.48.48:12336, pdu-length: 12336
+         Hello Message (0x0100), length: 20, Message ID: 0x30303030, Flags: [ignore if unknown]
+           Unknown TLV (0x3030), length: 4, Flags: [ignore and don't forward if unknown]
+             0x0000:  3030 3030
+           IPv4 Transport Address TLV (0x0401), length: 4, Flags: [ignore and don't forward if unknown] [|ldp]
diff --git a/tests/ldp_tlv_print-oobr.pcap b/tests/ldp_tlv_print-oobr.pcap
new file mode 100644 (file)
index 0000000..9ec507c
Binary files /dev/null and b/tests/ldp_tlv_print-oobr.pcap differ