Add two test files for these fixes.
Add more bounds checks in VAT, RTP and RTCP printers.
Moreover:
Add and use *_tstr[] strings.
Update the output of a test accordingly.
Remove spaces before tabs.
+static const char vat_tstr[] = " [|vat]";
+static const char rtp_tstr[] = " [|rtp]";
+static const char rtcp_tstr[] = " [|rtcp]";
+static const char udp_tstr[] = " [|udp]";
+
struct rtcphdr {
uint16_t rh_flags; /* T:2 P:1 CNT:5 PT:8 */
uint16_t rh_len; /* length of message (in words) */
struct rtcphdr {
uint16_t rh_flags; /* T:2 P:1 CNT:5 PT:8 */
uint16_t rh_len; /* length of message (in words) */
vat_print(netdissect_options *ndo, const void *hdr, register const struct udphdr *up)
{
/* vat/vt audio */
vat_print(netdissect_options *ndo, const void *hdr, register const struct udphdr *up)
{
/* vat/vt audio */
- u_int ts = EXTRACT_16BITS(hdr);
+ u_int ts;
+
+ ND_TCHECK_16BITS((const u_int *)hdr);
+ ts = EXTRACT_16BITS(hdr);
if ((ts & 0xf060) != 0) {
/* probably vt */
if ((ts & 0xf060) != 0) {
/* probably vt */
+ ND_TCHECK_16BITS(&up->uh_ulen);
ND_PRINT((ndo, "udp/vt %u %d / %d",
(uint32_t)(EXTRACT_16BITS(&up->uh_ulen) - sizeof(*up)),
ts & 0x3ff, ts >> 10));
} else {
/* probably vat */
ND_PRINT((ndo, "udp/vt %u %d / %d",
(uint32_t)(EXTRACT_16BITS(&up->uh_ulen) - sizeof(*up)),
ts & 0x3ff, ts >> 10));
} else {
/* probably vat */
- uint32_t i0 = EXTRACT_32BITS(&((const u_int *)hdr)[0]);
- uint32_t i1 = EXTRACT_32BITS(&((const u_int *)hdr)[1]);
+ uint32_t i0, i1;
+
+ ND_TCHECK_32BITS(&((const u_int *)hdr)[0]);
+ i0 = EXTRACT_32BITS(&((const u_int *)hdr)[0]);
+ ND_TCHECK_32BITS(&((const u_int *)hdr)[1]);
+ i1 = EXTRACT_32BITS(&((const u_int *)hdr)[1]);
+ ND_TCHECK_16BITS(&up->uh_ulen);
ND_PRINT((ndo, "udp/vat %u c%d %u%s",
(uint32_t)(EXTRACT_16BITS(&up->uh_ulen) - sizeof(*up) - 8),
i0 & 0xffff,
ND_PRINT((ndo, "udp/vat %u c%d %u%s",
(uint32_t)(EXTRACT_16BITS(&up->uh_ulen) - sizeof(*up) - 8),
i0 & 0xffff,
if (i0 & 0x3f000000)
ND_PRINT((ndo, " s%d", (i0 >> 24) & 0x3f));
}
if (i0 & 0x3f000000)
ND_PRINT((ndo, " s%d", (i0 >> 24) & 0x3f));
}
+
+trunc:
+ ND_PRINT((ndo, "%s", vat_tstr));
{
/* rtp v1 or v2 */
const u_int *ip = (const u_int *)hdr;
{
/* rtp v1 or v2 */
const u_int *ip = (const u_int *)hdr;
- u_int hasopt, hasext, contype, hasmarker;
- uint32_t i0 = EXTRACT_32BITS(&((const u_int *)hdr)[0]);
- uint32_t i1 = EXTRACT_32BITS(&((const u_int *)hdr)[1]);
- u_int dlen = EXTRACT_16BITS(&up->uh_ulen) - sizeof(*up) - 8;
+ u_int hasopt, hasext, contype, hasmarker, dlen;
+ uint32_t i0, i1;
+ ND_TCHECK_32BITS(&((const u_int *)hdr)[0]);
+ i0 = EXTRACT_32BITS(&((const u_int *)hdr)[0]);
+ ND_TCHECK_32BITS(&((const u_int *)hdr)[1]);
+ i1 = EXTRACT_32BITS(&((const u_int *)hdr)[1]);
+ ND_TCHECK_16BITS(&up->uh_ulen);
+ dlen = EXTRACT_16BITS(&up->uh_ulen) - sizeof(*up) - 8;
ip += 2;
len >>= 2;
len -= 2;
ip += 2;
len >>= 2;
len -= 2;
i0 & 0xffff,
i1));
if (ndo->ndo_vflag) {
i0 & 0xffff,
i1));
if (ndo->ndo_vflag) {
+ ND_TCHECK_32BITS(&((const u_int *)hdr)[2]);
ND_PRINT((ndo, " %u", EXTRACT_32BITS(&((const u_int *)hdr)[2])));
if (hasopt) {
u_int i2, optlen;
do {
ND_PRINT((ndo, " %u", EXTRACT_32BITS(&((const u_int *)hdr)[2])));
if (hasopt) {
u_int i2, optlen;
do {
i2 = EXTRACT_32BITS(ip);
optlen = (i2 >> 16) & 0xff;
if (optlen == 0 || optlen > len) {
i2 = EXTRACT_32BITS(ip);
optlen = (i2 >> 16) & 0xff;
if (optlen == 0 || optlen > len) {
}
if (hasext) {
u_int i2, extlen;
}
if (hasext) {
u_int i2, extlen;
i2 = EXTRACT_32BITS(ip);
extlen = (i2 & 0xffff) + 1;
if (extlen > len) {
i2 = EXTRACT_32BITS(ip);
extlen = (i2 & 0xffff) + 1;
if (extlen > len) {
if (contype == 0x1f) /*XXX H.261 */
ND_PRINT((ndo, " 0x%04x", EXTRACT_32BITS(ip) >> 16));
}
if (contype == 0x1f) /*XXX H.261 */
ND_PRINT((ndo, " 0x%04x", EXTRACT_32BITS(ip) >> 16));
}
+
+trunc:
+ ND_PRINT((ndo, "%s", rtp_tstr));
uint16_t flags;
int cnt;
double ts, dts;
uint16_t flags;
int cnt;
double ts, dts;
- if ((const u_char *)(rh + 1) > ep) {
- ND_PRINT((ndo, " [|rtcp]"));
- return (ep);
- }
+ if ((const u_char *)(rh + 1) > ep)
+ goto trunc;
+ ND_TCHECK(*rh);
len = (EXTRACT_16BITS(&rh->rh_len) + 1) * 4;
flags = EXTRACT_16BITS(&rh->rh_flags);
cnt = (flags >> 8) & 0x1f;
len = (EXTRACT_16BITS(&rh->rh_len) + 1) * 4;
flags = EXTRACT_16BITS(&rh->rh_flags);
cnt = (flags >> 8) & 0x1f;
ND_PRINT((ndo, " [%d]", len));
if (ndo->ndo_vflag)
ND_PRINT((ndo, " %u", EXTRACT_32BITS(&rh->rh_ssrc)));
ND_PRINT((ndo, " [%d]", len));
if (ndo->ndo_vflag)
ND_PRINT((ndo, " %u", EXTRACT_32BITS(&rh->rh_ssrc)));
- if ((const u_char *)(sr + 1) > ep) {
- ND_PRINT((ndo, " [|rtcp]"));
- return (ep);
- }
+ if ((const u_char *)(sr + 1) > ep)
+ goto trunc;
+ ND_TCHECK(*sr);
ts = (double)(EXTRACT_32BITS(&sr->sr_ntp.upper)) +
((double)(EXTRACT_32BITS(&sr->sr_ntp.lower)) /
4294967296.0);
ts = (double)(EXTRACT_32BITS(&sr->sr_ntp.upper)) +
((double)(EXTRACT_32BITS(&sr->sr_ntp.lower)) /
4294967296.0);
if (cnt > 1)
ND_PRINT((ndo, " c%d", cnt));
while (--cnt >= 0) {
if (cnt > 1)
ND_PRINT((ndo, " c%d", cnt));
while (--cnt >= 0) {
- if ((const u_char *)(rr + 1) > ep) {
- ND_PRINT((ndo, " [|rtcp]"));
- return (ep);
- }
+ if ((const u_char *)(rr + 1) > ep)
+ goto trunc;
+ ND_TCHECK(*rr);
if (ndo->ndo_vflag)
ND_PRINT((ndo, " %u", EXTRACT_32BITS(&rr->rr_srcid)));
ts = (double)(EXTRACT_32BITS(&rr->rr_lsr)) / 65536.;
if (ndo->ndo_vflag)
ND_PRINT((ndo, " %u", EXTRACT_32BITS(&rr->rr_srcid)));
ts = (double)(EXTRACT_32BITS(&rr->rr_lsr)) / 65536.;
EXTRACT_32BITS(&rr->rr_dv), ts, dts));
}
return (hdr + len);
EXTRACT_32BITS(&rr->rr_dv), ts, dts));
}
return (hdr + len);
+
+trunc:
+ ND_PRINT((ndo, "%s", rtcp_tstr));
+ return ep;
}
static int udp_cksum(netdissect_options *ndo, register const struct ip *ip,
}
static int udp_cksum(netdissect_options *ndo, register const struct ip *ip,
ip6 = NULL;
if (!ND_TTEST(up->uh_dport)) {
udpipaddr_print(ndo, ip, -1, -1);
ip6 = NULL;
if (!ND_TTEST(up->uh_dport)) {
udpipaddr_print(ndo, ip, -1, -1);
- ND_PRINT((ndo, "[|udp]"));
- return;
}
sport = EXTRACT_16BITS(&up->uh_sport);
}
sport = EXTRACT_16BITS(&up->uh_sport);
}
if (!ND_TTEST(up->uh_ulen)) {
udpipaddr_print(ndo, ip, sport, dport);
}
if (!ND_TTEST(up->uh_ulen)) {
udpipaddr_print(ndo, ip, sport, dport);
- ND_PRINT((ndo, "[|udp]"));
- return;
}
ulen = EXTRACT_16BITS(&up->uh_ulen);
if (ulen < sizeof(struct udphdr)) {
}
ulen = EXTRACT_16BITS(&up->uh_ulen);
if (ulen < sizeof(struct udphdr)) {
cp = (const u_char *)(up + 1);
if (cp > ndo->ndo_snapend) {
udpipaddr_print(ndo, ip, sport, dport);
cp = (const u_char *)(up + 1);
if (cp > ndo->ndo_snapend) {
udpipaddr_print(ndo, ip, sport, dport);
- ND_PRINT((ndo, "[|udp]"));
- return;
}
if (ndo->ndo_packettype) {
}
if (ndo->ndo_packettype) {
else
ND_PRINT((ndo, "UDP, length %u", ulen));
}
else
ND_PRINT((ndo, "UDP, length %u", ulen));
}
+ return;
+
+trunc:
+ ND_PRINT((ndo, "%s", udp_tstr));
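Review bot: The new ND_TCHECK_16BITS(&up->uh_ulen) in vat_print and rtp_print guards the read but not the arithmetic after it: `EXTRACT_16BITS(&up->uh_ulen) - sizeof(*up) - 8` is evaluated in size_t and wraps when the UDP length is below 16, udp_print only rejects `ulen < sizeof(struct udphdr)`, and the new expected output `udp/rtp -12` in rtp-seg-fault-2.out is that wrapped value being printed. I would reject the short length before deriving dlen, e.g. in rtp_print `if (EXTRACT_16BITS(&up->uh_ulen) < sizeof(*up) + 8) goto trunc;` ahead of the `dlen = ...` assignment, with the same guard in the vat branch of vat_print, so neither the local nor the printed length can go negative. The option and extension loops in rtp_print still call `EXTRACT_32BITS(ip)` (and the H.261 `EXTRACT_32BITS(ip) >> 16`) with no ND_TCHECK_32BITS(ip) ahead of them, and `len` there appears to come from the UDP-claimed length rather than the captured length, so a truncated capture can presumably still read past the snapshot end; an `ND_TCHECK_32BITS(ip);` before each of those reads would close that. As rendered, the three truncation sites in udp_print lose their `return` but show no replacement `goto trunc;`, so if that is faithful to the commit they now fall through into the port and length parsing; please confirm the jump is there. The vat_print, rtp_print and rtcp_print bodies are only partly visible in this hunk and their signatures are outside it.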
juniper_header-heapoverflow juniper_header-heapoverflow.pcap juniper_header-heapoverflow.out -t -v -n
tftp-heapoverflow tftp-heapoverflow.pcap tftp-heapoverflow.out -t -v -n
relts-0x80000000 relts-0x80000000.pcap relts-0x80000000.out -t -v -n
juniper_header-heapoverflow juniper_header-heapoverflow.pcap juniper_header-heapoverflow.out -t -v -n
tftp-heapoverflow tftp-heapoverflow.pcap tftp-heapoverflow.out -t -v -n
relts-0x80000000 relts-0x80000000.pcap relts-0x80000000.out -t -v -n
+
+# RTP tests
+# fuzzed pcap
+rtp-seg-fault-1 rtp-seg-fault-1.pcap rtp-seg-fault-1.out -t -v -T rtp
+rtp-seg-fault-2 rtp-seg-fault-2.pcap rtp-seg-fault-2.out -t -v -T rtp
--- /dev/null
+IP (tos 0x0, ttl 255, id 158, offset 0, flags [DF], proto UDP (17), length 37, bad cksum d7e0 (->9cf8)!)
+ 208.21.2.184.1512 > 10.1.1.99.53: udp/rtp 57323 c31 +* 4652 3815804996 [|rtp]
--- /dev/null
+IP (tos 0x0, ttl 252, id 8264, offset 0, flags [none], proto UDP (17), length 100, bad cksum f803 (->c00f)!)
+ 208.21.2.184.1512 > 10.1.1.99.514: udp/rtp -12 c31 + 31926 3881022529 455123981 [|rtp]
IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->699d)!)
IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->699d)!)
- 48.48.48.48.12336 > 48.48.48.48.12336: [|udp]
+ 48.48.48.48.12336 > 48.48.48.48.12336: [|udp]