CVE-2016-7934,7935,7937/RTP: Fix two segmentation faults
authorFrancois-Xavier Le Bail <[email protected]>
Tue, 17 Nov 2015 16:12:22 +0000 (17:12 +0100)
committerFrancois-Xavier Le Bail <[email protected]>
Wed, 18 Jan 2017 08:16:39 +0000 (09:16 +0100)
Add two test files for these fixes.
Add more bounds checks in VAT, RTP and RTCP printers.

Moreover:
Add and use *_tstr[] strings.
Update the output of a test accordingly.
Remove spaces before tabs.

print-udp.c
tests/TESTLIST
tests/rtp-seg-fault-1.out [new file with mode: 0644]
tests/rtp-seg-fault-1.pcap [new file with mode: 0644]
tests/rtp-seg-fault-2.out [new file with mode: 0644]
tests/rtp-seg-fault-2.pcap [new file with mode: 0644]
tests/udp-length-heapoverflow.out

index 5cdd64bdb34349fe7697b024e272859dd7442da5..ada3c21d2f06f4b62c6bf7ee0fe0d7e9ef9f7d01 100644 (file)
 
 #include "nfs.h"
 
+static const char vat_tstr[] = " [|vat]";
+static const char rtp_tstr[] = " [|rtp]";
+static const char rtcp_tstr[] = " [|rtcp]";
+static const char udp_tstr[] = " [|udp]";
+
 struct rtcphdr {
        uint16_t rh_flags;      /* T:2 P:1 CNT:5 PT:8 */
        uint16_t rh_len;        /* length of message (in words) */
@@ -95,16 +100,25 @@ static void
 vat_print(netdissect_options *ndo, const void *hdr, register const struct udphdr *up)
 {
        /* vat/vt audio */
-       u_int ts = EXTRACT_16BITS(hdr);
+       u_int ts;
+
+       ND_TCHECK_16BITS((const u_int *)hdr);
+       ts = EXTRACT_16BITS(hdr);
        if ((ts & 0xf060) != 0) {
                /* probably vt */
+               ND_TCHECK_16BITS(&up->uh_ulen);
                ND_PRINT((ndo, "udp/vt %u %d / %d",
                             (uint32_t)(EXTRACT_16BITS(&up->uh_ulen) - sizeof(*up)),
                             ts & 0x3ff, ts >> 10));
        } else {
                /* probably vat */
-               uint32_t i0 = EXTRACT_32BITS(&((const u_int *)hdr)[0]);
-               uint32_t i1 = EXTRACT_32BITS(&((const u_int *)hdr)[1]);
+               uint32_t i0, i1;
+
+               ND_TCHECK_32BITS(&((const u_int *)hdr)[0]);
+               i0 = EXTRACT_32BITS(&((const u_int *)hdr)[0]);
+               ND_TCHECK_32BITS(&((const u_int *)hdr)[1]);
+               i1 = EXTRACT_32BITS(&((const u_int *)hdr)[1]);
+               ND_TCHECK_16BITS(&up->uh_ulen);
                ND_PRINT((ndo, "udp/vat %u c%d %u%s",
                        (uint32_t)(EXTRACT_16BITS(&up->uh_ulen) - sizeof(*up) - 8),
                        i0 & 0xffff,
@@ -115,6 +129,9 @@ vat_print(netdissect_options *ndo, const void *hdr, register const struct udphdr
                if (i0 & 0x3f000000)
                        ND_PRINT((ndo, " s%d", (i0 >> 24) & 0x3f));
        }
+
+trunc:
+       ND_PRINT((ndo, "%s", vat_tstr));
 }
 
 static void
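Review bot: Control falls straight from the closing `}` of the else branch into the `trunc:` label, so a fully parsed vat/vt packet also prints ` [|vat]` at the end of its line; a `return;` is needed between that `}` and `trunc:`, the way the udp_print hunk at the end of this file does it (`return;` on its own line before the label). The rtp_print hunk that ends at `static const u_char *` has the same fall-through: its `trunc:` follows the `if (ndo->ndo_vflag)` block with no return, while rtcp_print is fine because `return (hdr + len);` precedes its label. The two new test outputs end in ` [|rtp]` either way since they are truncated captures, so they would not catch this. vat_print's signature and the start of its body are in the preceding hunk.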
@@ -123,12 +140,16 @@ rtp_print(netdissect_options *ndo, const void *hdr, u_int len,
 {
        /* rtp v1 or v2 */
        const u_int *ip = (const u_int *)hdr;
-       u_int hasopt, hasext, contype, hasmarker;
-       uint32_t i0 = EXTRACT_32BITS(&((const u_int *)hdr)[0]);
-       uint32_t i1 = EXTRACT_32BITS(&((const u_int *)hdr)[1]);
-       u_int dlen = EXTRACT_16BITS(&up->uh_ulen) - sizeof(*up) - 8;
+       u_int hasopt, hasext, contype, hasmarker, dlen;
+       uint32_t i0, i1;
        const char * ptype;
 
+       ND_TCHECK_32BITS(&((const u_int *)hdr)[0]);
+       i0 = EXTRACT_32BITS(&((const u_int *)hdr)[0]);
+       ND_TCHECK_32BITS(&((const u_int *)hdr)[1]);
+       i1 = EXTRACT_32BITS(&((const u_int *)hdr)[1]);
+       ND_TCHECK_16BITS(&up->uh_ulen);
+       dlen = EXTRACT_16BITS(&up->uh_ulen) - sizeof(*up) - 8;
        ip += 2;
        len >>= 2;
        len -= 2;
@@ -159,10 +180,12 @@ rtp_print(netdissect_options *ndo, const void *hdr, u_int len,
                i0 & 0xffff,
                i1));
        if (ndo->ndo_vflag) {
+               ND_TCHECK_32BITS(&((const u_int *)hdr)[2]);
                ND_PRINT((ndo, " %u", EXTRACT_32BITS(&((const u_int *)hdr)[2])));
                if (hasopt) {
                        u_int i2, optlen;
                        do {
+                               ND_TCHECK2(*ip, 4);
                                i2 = EXTRACT_32BITS(ip);
                                optlen = (i2 >> 16) & 0xff;
                                if (optlen == 0 || optlen > len) {
@@ -175,6 +198,7 @@ rtp_print(netdissect_options *ndo, const void *hdr, u_int len,
                }
                if (hasext) {
                        u_int i2, extlen;
+                       ND_TCHECK2(*ip, 4);
                        i2 = EXTRACT_32BITS(ip);
                        extlen = (i2 & 0xffff) + 1;
                        if (extlen > len) {
@@ -183,9 +207,13 @@ rtp_print(netdissect_options *ndo, const void *hdr, u_int len,
                        }
                        ip += extlen;
                }
+               ND_TCHECK(*ip);
                if (contype == 0x1f) /*XXX H.261 */
                        ND_PRINT((ndo, " 0x%04x", EXTRACT_32BITS(ip) >> 16));
        }
+
+trunc:
+       ND_PRINT((ndo, "%s", rtp_tstr));
 }
 
 static const u_char *
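Review bot: `ND_TCHECK(*ip)` is placed before the `contype == 0x1f` test, so it requires four more captured bytes even when no H.261 word is read; if a non-H.261 payload ends exactly after the header, options and extension, this appears to route to `trunc:` and print ` [|rtp]` for a packet that was not truncated. Moving the check inside the branch, `if (contype == 0x1f) { ND_TCHECK(*ip); ND_PRINT((ndo, " 0x%04x", EXTRACT_32BITS(ip) >> 16)); }`, limits the truncation path to the one read that actually dereferences ip. The hunks for this function also mix `ND_TCHECK2(*ip, 4)` and `ND_TCHECK(*ip)` for the same 4-byte read; using one form throughout reads clearer. rtp_print's signature and the earlier part of its body are in preceding hunks.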
@@ -199,10 +227,9 @@ rtcp_print(netdissect_options *ndo, const u_char *hdr, const u_char *ep)
        uint16_t flags;
        int cnt;
        double ts, dts;
-       if ((const u_char *)(rh + 1) > ep) {
-               ND_PRINT((ndo, " [|rtcp]"));
-               return (ep);
-       }
+       if ((const u_char *)(rh + 1) > ep)
+               goto trunc;
+       ND_TCHECK(*rh);
        len = (EXTRACT_16BITS(&rh->rh_len) + 1) * 4;
        flags = EXTRACT_16BITS(&rh->rh_flags);
        cnt = (flags >> 8) & 0x1f;
@@ -214,10 +241,9 @@ rtcp_print(netdissect_options *ndo, const u_char *hdr, const u_char *ep)
                        ND_PRINT((ndo, " [%d]", len));
                if (ndo->ndo_vflag)
                        ND_PRINT((ndo, " %u", EXTRACT_32BITS(&rh->rh_ssrc)));
-               if ((const u_char *)(sr + 1) > ep) {
-                       ND_PRINT((ndo, " [|rtcp]"));
-                       return (ep);
-               }
+               if ((const u_char *)(sr + 1) > ep)
+                       goto trunc;
+               ND_TCHECK(*sr);
                ts = (double)(EXTRACT_32BITS(&sr->sr_ntp.upper)) +
                    ((double)(EXTRACT_32BITS(&sr->sr_ntp.lower)) /
                    4294967296.0);
@@ -253,10 +279,9 @@ rtcp_print(netdissect_options *ndo, const u_char *hdr, const u_char *ep)
        if (cnt > 1)
                ND_PRINT((ndo, " c%d", cnt));
        while (--cnt >= 0) {
-               if ((const u_char *)(rr + 1) > ep) {
-                       ND_PRINT((ndo, " [|rtcp]"));
-                       return (ep);
-               }
+               if ((const u_char *)(rr + 1) > ep)
+                       goto trunc;
+               ND_TCHECK(*rr);
                if (ndo->ndo_vflag)
                        ND_PRINT((ndo, " %u", EXTRACT_32BITS(&rr->rr_srcid)));
                ts = (double)(EXTRACT_32BITS(&rr->rr_lsr)) / 65536.;
@@ -267,6 +292,10 @@ rtcp_print(netdissect_options *ndo, const u_char *hdr, const u_char *ep)
                    EXTRACT_32BITS(&rr->rr_dv), ts, dts));
        }
        return (hdr + len);
+
+trunc:
+       ND_PRINT((ndo, "%s", rtcp_tstr));
+       return ep;
 }
 
 static int udp_cksum(netdissect_options *ndo, register const struct ip *ip,
@@ -358,8 +387,7 @@ udp_print(netdissect_options *ndo, register const u_char *bp, u_int length,
                ip6 = NULL;
        if (!ND_TTEST(up->uh_dport)) {
                udpipaddr_print(ndo, ip, -1, -1);
-               ND_PRINT((ndo, "[|udp]"));
-               return;
+               goto trunc;
        }
 
        sport = EXTRACT_16BITS(&up->uh_sport);
@@ -372,8 +400,7 @@ udp_print(netdissect_options *ndo, register const u_char *bp, u_int length,
        }
        if (!ND_TTEST(up->uh_ulen)) {
                udpipaddr_print(ndo, ip, sport, dport);
-               ND_PRINT((ndo, "[|udp]"));
-               return;
+               goto trunc;
        }
        ulen = EXTRACT_16BITS(&up->uh_ulen);
        if (ulen < sizeof(struct udphdr)) {
@@ -389,8 +416,7 @@ udp_print(netdissect_options *ndo, register const u_char *bp, u_int length,
        cp = (const u_char *)(up + 1);
        if (cp > ndo->ndo_snapend) {
                udpipaddr_print(ndo, ip, sport, dport);
-               ND_PRINT((ndo, "[|udp]"));
-               return;
+               goto trunc;
        }
 
        if (ndo->ndo_packettype) {
@@ -677,6 +703,10 @@ udp_print(netdissect_options *ndo, register const u_char *bp, u_int length,
                else
                        ND_PRINT((ndo, "UDP, length %u", ulen));
        }
+       return;
+
+trunc:
+       ND_PRINT((ndo, "%s", udp_tstr));
 }
 
 
index e81e008c6c77d56d588f2db1ef57488c19450681..8fd896920ecf3d7e5b838fdb6462eb245c711601 100644 (file)
@@ -410,3 +410,8 @@ arp-too-long-tha    arp-too-long-tha.pcap   arp-too-long-tha.out    -t -v -n
 juniper_header-heapoverflow    juniper_header-heapoverflow.pcap        juniper_header-heapoverflow.out -t -v -n
 tftp-heapoverflow      tftp-heapoverflow.pcap  tftp-heapoverflow.out   -t -v -n
 relts-0x80000000       relts-0x80000000.pcap   relts-0x80000000.out    -t -v -n
+
+# RTP tests
+# fuzzed pcap
+rtp-seg-fault-1  rtp-seg-fault-1.pcap  rtp-seg-fault-1.out  -t -v -T rtp
+rtp-seg-fault-2  rtp-seg-fault-2.pcap  rtp-seg-fault-2.out  -t -v -T rtp
diff --git a/tests/rtp-seg-fault-1.out b/tests/rtp-seg-fault-1.out
new file mode 100644 (file)
index 0000000..d18ab8c
--- /dev/null
@@ -0,0 +1,2 @@
+IP (tos 0x0, ttl 255, id 158, offset 0, flags [DF], proto UDP (17), length 37, bad cksum d7e0 (->9cf8)!)
+    208.21.2.184.1512 > 10.1.1.99.53: udp/rtp 57323 c31 +* 4652 3815804996 [|rtp]
diff --git a/tests/rtp-seg-fault-1.pcap b/tests/rtp-seg-fault-1.pcap
new file mode 100644 (file)
index 0000000..5a0510c
Binary files /dev/null and b/tests/rtp-seg-fault-1.pcap differ
diff --git a/tests/rtp-seg-fault-2.out b/tests/rtp-seg-fault-2.out
new file mode 100644 (file)
index 0000000..1c504da
--- /dev/null
@@ -0,0 +1,2 @@
+IP (tos 0x0, ttl 252, id 8264, offset 0, flags [none], proto UDP (17), length 100, bad cksum f803 (->c00f)!)
+    208.21.2.184.1512 > 10.1.1.99.514: udp/rtp -12 c31 + 31926 3881022529 455123981 [|rtp]
diff --git a/tests/rtp-seg-fault-2.pcap b/tests/rtp-seg-fault-2.pcap
new file mode 100644 (file)
index 0000000..77fefbf
Binary files /dev/null and b/tests/rtp-seg-fault-2.pcap differ
index 16dbdc947b0500e0598f912e92b18c9bd01e2b9d..1515117a74a730d38cf87c173edebe5148430da5 100644 (file)
@@ -1,2 +1,2 @@
 IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->699d)!)
-    48.48.48.48.12336 > 48.48.48.48.12336: [|udp]
+    48.48.48.48.12336 > 48.48.48.48.12336:  [|udp]