TCP: Add a bounds check before decoding the payload
authorFrancois-Xavier Le Bail <[email protected]>
Fri, 12 Feb 2021 20:49:40 +0000 (21:49 +0100)
committerFrancois-Xavier Le Bail <[email protected]>
Fri, 12 Feb 2021 20:58:20 +0000 (21:58 +0100)
At least the header data is required.

Moreover:
Update the output of a test accordingly.
Fix indentation.

print-tcp.c
tests/beep-oobr.out

index 0d62c4a93bd67c981f4f12b8d7e86d510507989c..12d24b5ca3a3552e002e4113f384d213bee72f0e 100644 (file)
@@ -173,6 +173,7 @@ tcp_print(netdissect_options *ndo,
         uint16_t magic;
         int rev;
         const struct ip6_hdr *ip6;
+        u_int header_len;      /* Header length in bytes */
 
         ndo->ndo_protocol = "tcp";
         tp = (const struct tcphdr *)bp;
@@ -612,7 +613,7 @@ tcp_print(netdissect_options *ndo,
                                 break;
 
                         case TCPOPT_MPTCP:
-                           {
+                            {
                                 const u_char *snapend_save;
                                 int ret;
 
@@ -704,7 +705,17 @@ tcp_print(netdissect_options *ndo,
         /*
          * Decode payload if necessary.
          */
-        bp += TH_OFF(tp) * 4;
+        header_len = TH_OFF(tp) * 4;
+        /*
+         * Do a bounds check before decoding the payload.
+         * At least the header data is required.
+         */
+        if (!ND_TTEST_LEN(bp, header_len)) {
+                ND_PRINT(" [remaining caplen(%u) < header length(%u)]",
+                         ND_BYTES_AVAILABLE_AFTER(bp), header_len);
+                nd_trunc_longjmp(ndo);
+        }
+        bp += header_len;
         if ((flags & TH_RST) && ndo->ndo_vflag) {
                 print_tcp_rst_data(ndo, bp, length);
                 return;
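Review bot: The comment above the new `ND_TTEST_LEN(bp, header_len)` check says only that "the header data is required" and does not explain why a separate check is needed at this point, given that the option loop earlier in tcp_print has already walked part of the header; the updated test output (options [eol], caplen 24 < header length 28) suggests the loop can stop at an EOL option before `header_len` bytes have been verified, leaving the tail of the header beyond the snapshot. I would state that in the comment, e.g. `/* The option loop may stop early (EOL), so bytes up to header_len may still lie past the snapshot; check before advancing bp. */`, hedged as appropriate if the loop's exit conditions differ. Separately, `nd_trunc_longjmp(ndo)` already emits `[|tcp]`, so the preceding `ND_PRINT` produces two truncation markers on one line (visible in tests/beep-oobr.out); keeping the caplen/header-length detail is useful for diagnosis, but if consistency with other truncation sites matters, `ND_TCHECK_LEN(bp, header_len);` would give the same protection in one line. tcp_print begins and ends outside this hunk.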
index ec572730ec925dbfeb252bac8bc2963f1c915f26..d495ad7fbce1d7b4f391cb38dae3071dbf8683cd 100644 (file)
@@ -1,2 +1,2 @@
     1  05:27:12.808464432 unknown ip 3
-    2  05:27:12.808464432 IP6 3030:3030:3030:3030:3030:3030:3030:3030.10288 > 3030:3030:3030:3030:3030:3030:3030:3030.12336: Flags [.U], seq 808464432:808476740, ack 808464432, win 12336, urg 12336, options [eol], length 12308 BEEP (payload or undecoded)
+    2  05:27:12.808464432 IP6 3030:3030:3030:3030:3030:3030:3030:3030.10288 > 3030:3030:3030:3030:3030:3030:3030:3030.12336: Flags [.U], seq 808464432:808476740, ack 808464432, win 12336, urg 12336, options [eol], length 12308 [remaining caplen(24) < header length(28)] [|tcp]