TCP: put TCP-AO option decoding right

As it was correctly pointed out in GitHub issue #516, the TCPOPT_TCPAO
(formerly TCPOPT_AUTH) case had an issue with option length processing,
though without significant consequences thanks to a check elsewhere.
Besides that, the old code (introduced in 2005) decoded a structure
similar to a proposed encoding variant of the early (first published in
2007) revisions of the Internet-Draft but different from the encoding
of RFC 5925 (published in 2010). These issues are now addressed and the
TCP option renamed to TCP-AO.

diff --git a/print-tcp.c b/print-tcp.c
index 35b18492f8cb018c08cd8e5cb4f5e1b62ca15a60..61fb93e66c3314a8903153ac05c1f16e1a8e20a0 100644 (file)
--- a/print-tcp.c
+++ b/print-tcp.c
@@ -129,7 +129,7 @@ static const struct tok tcp_option_values[] = {
         { TCPOPT_SIGNATURE, "md5" },
         { TCPOPT_SCPS, "scps" },
         { TCPOPT_UTO, "uto" },
-        { TCPOPT_AUTH, "enhanced auth" },
+        { TCPOPT_TCPAO, "tcp-ao" },
         { TCPOPT_MPTCP, "mptcp" },
         { TCPOPT_FASTOPEN, "tfo" },
         { TCPOPT_EXPERIMENT2, "exp" },
@@ -544,16 +544,26 @@ tcp_print(netdissect_options *ndo,
                                 ND_PRINT((ndo, " cap %02x id %u", cp[0], cp[1]));
                                 break;
 
-                        case TCPOPT_AUTH:
-                                ND_PRINT((ndo, " keyid %d", *cp++));
-                                datalen = len - 3;
-                                for (i = 0; i < datalen; ++i) {
-                                        LENCHECK(i);
-                                        ND_PRINT((ndo, "%02x", cp[i]));
+                        case TCPOPT_TCPAO:
+                                datalen = len - 2;
+                                LENCHECK(datalen);
+                                /* RFC 5925 Section 2.2:
+                                 * "The Length value MUST be greater than or equal to 4."
+                                 * (This includes the Kind and Length fields already processed
+                                 * at this point.)
+                                 */
+                                if (datalen < 2) {
+                                        ND_PRINT((ndo, " invalid"));
+                                } else {
+                                        ND_PRINT((ndo, " keyid %u rnextkeyid %u", cp[0], cp[1]));
+                                        if (datalen > 2) {
+                                                ND_PRINT((ndo, " mac "));
+                                                for (i = 2; i < datalen; i++)
+                                                        ND_PRINT((ndo, "%02x", cp[i]));
+                                        }
                                 }
                                 break;
 
-
                         case TCPOPT_EOL:
                         case TCPOPT_NOP:
                         case TCPOPT_SACKOK:

diff --git a/tcp.h b/tcp.h
index 1084db9a2250dcd8ab631319b998b7d0c7c335ac..912b5e820ca6de542d51b4f5ba0f90086eb40188 100644 (file)
--- a/tcp.h
+++ b/tcp.h
@@ -84,7 +84,7 @@ struct tcphdr {
 #define TCPOPT_SCPS            20      /* SCPS-TP (CCSDS 714.0-B-2) */
 #define        TCPOPT_UTO              28      /* tcp user timeout (rfc5482) */
 #define           TCPOLEN_UTO                  4
-#define TCPOPT_AUTH            29      /* Enhanced AUTH option (rfc5925) */
+#define TCPOPT_TCPAO           29      /* TCP authentication option (rfc5925) */
 #define        TCPOPT_MPTCP            30      /* MPTCP options */
 #define TCPOPT_FASTOPEN                34      /* TCP Fast Open (rfc7413) */
 #define TCPOPT_EXPERIMENT2     254     /* experimental headers (rfc4727) */