]> The Tcpdump Group git mirrors - tcpdump/commitdiff
projects / tcpdump / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: fc9abd5)
lwres: Fix an undefined behavior in pointer arithmetic
authorBill Fenner <[email protected]>
Tue, 11 Oct 2022 20:05:55 +0000 (13:05 -0700)
committerFrancois-Xavier Le Bail <[email protected]>
Tue, 2 May 2023 19:13:19 +0000 (21:13 +0200)
Check for truncation before doing pointer arithmetic to point
to the end of the packet.

print-lwres.c:294:10: runtime error: addition of unsigned offset to
  0xf3b032be overflowed to 0x9652d560
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior print-lwres.c:294:10

[Part of the PR #1012]

print-lwres.c patch | blob | history
tests/TESTLIST patch | blob | history
tests/lwres-pointer-arithmetic-ub.out [new file with mode: 0644] patch | blob
tests/lwres-pointer-arithmetic-ub.pcap [new file with mode: 0644] patch | blob

diff --git a/print-lwres.c b/print-lwres.c
index f6ed8f3cfd878dc1406556932910747216fd0fa6..b8f9b49ae598c3b410de1bfa31032b0b5f54310b 100644 (file)
--- a/print-lwres.c
+++ b/print-lwres.c
@@ -291,7 +291,9 @@ lwres_print(netdissect_options *ndo,
        if (ndo->ndo_vflag || v != LWRES_LWPACKETVERSION_0)
                ND_PRINT(" v%u", v);
        if (v != LWRES_LWPACKETVERSION_0) {
-               s = bp + GET_BE_U_4(np->length);
+               uint32_t pkt_len = GET_BE_U_4(np->length);
+               ND_TCHECK_LEN(bp, pkt_len);
+               s = bp + pkt_len;
                goto tail;
        }
 
diff --git a/tests/TESTLIST b/tests/TESTLIST
index bc23b5487bb54aa40cc803caab6145e1ff79ff96..ef0e6f3e0c86daa9d0089a2b8a5dddfa2b9a20d3 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -927,3 +927,4 @@ pb_nhrp_1                   pb_nhrp_1.pcap                  pb_nhrp_1.out   -v
 # Undefined behavior tests
 ip-snmp-leftshift-unsigned ip-snmp-leftshift-unsigned.pcap ip-snmp-leftshift-unsigned.out
 ip6-snmp-oid-unsigned ip6-snmp-oid-unsigned.pcap ip6-snmp-oid-unsigned.out
+lwres-pointer-arithmetic-ub lwres-pointer-arithmetic-ub.pcap lwres-pointer-arithmetic-ub.out
diff --git a/tests/lwres-pointer-arithmetic-ub.out b/tests/lwres-pointer-arithmetic-ub.out
new file mode 100644 (file)
index 0000000..f4953f4
--- /dev/null
+++ b/tests/lwres-pointer-arithmetic-ub.out
@@ -0,0 +1 @@
+    1  14:31:29.364332 IP6 fe80:0:10ff:15:1800:1a00:0:100.921 > a00:300:115:1800:1a00:f4:100:a00.0:  lwres v41634 [|lwres]
diff --git a/tests/lwres-pointer-arithmetic-ub.pcap b/tests/lwres-pointer-arithmetic-ub.pcap
new file mode 100644 (file)
index 0000000..095fcbc
Binary files /dev/null and b/tests/lwres-pointer-arithmetic-ub.pcap differ
[mirror] the TCPdump network dissector