In aodv_extension() do a bounds check on the extension header before we
look at it.
This fixes a buffer over-read discovered by Kamil Frankowicz.
Add a test using the capture file supplied by the reporter(s).
While we're at it, add the RFC number, and check the validity of the
length for the Hello extension.
#include "addrtoname.h"
#include "extract.h"
-
+/*
+ * RFC 3561
+ */
struct aodv_rreq {
uint8_t rreq_type; /* AODV message type (1) */
uint8_t rreq_flags; /* various flags */
{
const struct aodv_hello *ah;
+ ND_TCHECK(*ep);
switch (ep->type) {
case AODV_EXT_HELLO:
ah = (const struct aodv_hello *)(const void *)ep;
ND_TCHECK(*ah);
if (length < sizeof(struct aodv_hello))
goto trunc;
+ if (ep->length < 4) {
+ ND_PRINT((ndo, "\n\text HELLO - bad length %u", ep->length));
+ break;
+ }
ND_PRINT((ndo, "\n\text HELLO %ld ms",
(unsigned long)EXTRACT_32BITS(&ah->interval)));
break;
hoobr_lookup_nsap hoobr_lookup_nsap.pcap hoobr_lookup_nsap.out
hoobr_rt6_print hoobr_rt6_print.pcap hoobr_rt6_print.out
hoobr_nfs_printfh hoobr_nfs_printfh.pcap hoobr_nfs_printfh.out
+hoobr_aodv_extension hoobr_aodv_extension.pcap hoobr_aodv_extension.out
# bad packets from Wilfried Kirsch
slip-bad-direction slip-bad-direction.pcap slip-bad-direction.out -ve
--- /dev/null
+IP 48.48.48.48.654 > 48.48.48.48.12336: aodv rrep 12308 prefix 16 hops 48
+ dst 48.48.48.48 dseq 808464432 src 48.48.48.48 808464432 ms [|hello]
projects / tcpdump / commitdiff
