This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter.
Add a test using the capture file supplied by the reporter(s).
While we're at it:
Add a comment giving the RFC for IPv6 mobility headers.
Clean up some bounds checks to make it clearer what they're checking, by
matching the subsequent EXTRACT_ calls or memcpy.
For the binding update, if none of the flag bits are set, don't check
the individual flag bits.
*/
/* \summary: IPv6 mobility printer */
*/
/* \summary: IPv6 mobility printer */
#ifdef HAVE_CONFIG_H
#include "config.h"
#ifdef HAVE_CONFIG_H
#include "config.h"
case IP6M_CAREOF_TEST_INIT:
hlen = IP6M_MINLEN;
if (ndo->ndo_vflag) {
case IP6M_CAREOF_TEST_INIT:
hlen = IP6M_MINLEN;
if (ndo->ndo_vflag) {
- ND_TCHECK2(*mh, hlen + 8);
+ ND_TCHECK_32BITS(&bp[hlen + 4]);
ND_PRINT((ndo, " %s Init Cookie=%08x:%08x",
type == IP6M_HOME_TEST_INIT ? "Home" : "Care-of",
EXTRACT_32BITS(&bp[hlen]),
ND_PRINT((ndo, " %s Init Cookie=%08x:%08x",
type == IP6M_HOME_TEST_INIT ? "Home" : "Care-of",
EXTRACT_32BITS(&bp[hlen]),
ND_PRINT((ndo, " nonce id=0x%x", EXTRACT_16BITS(&mh->ip6m_data16[0])));
hlen = IP6M_MINLEN;
if (ndo->ndo_vflag) {
ND_PRINT((ndo, " nonce id=0x%x", EXTRACT_16BITS(&mh->ip6m_data16[0])));
hlen = IP6M_MINLEN;
if (ndo->ndo_vflag) {
- ND_TCHECK2(*mh, hlen + 8);
+ ND_TCHECK_32BITS(&bp[hlen + 4]);
ND_PRINT((ndo, " %s Init Cookie=%08x:%08x",
type == IP6M_HOME_TEST ? "Home" : "Care-of",
EXTRACT_32BITS(&bp[hlen]),
ND_PRINT((ndo, " %s Init Cookie=%08x:%08x",
type == IP6M_HOME_TEST ? "Home" : "Care-of",
EXTRACT_32BITS(&bp[hlen]),
}
hlen += 8;
if (ndo->ndo_vflag) {
}
hlen += 8;
if (ndo->ndo_vflag) {
- ND_TCHECK2(*mh, hlen + 8);
+ ND_TCHECK_32BITS(&bp[hlen + 4]);
ND_PRINT((ndo, " %s Keygen Token=%08x:%08x",
type == IP6M_HOME_TEST ? "Home" : "Care-of",
EXTRACT_32BITS(&bp[hlen]),
ND_PRINT((ndo, " %s Keygen Token=%08x:%08x",
type == IP6M_HOME_TEST ? "Home" : "Care-of",
EXTRACT_32BITS(&bp[hlen]),
ND_TCHECK(mh->ip6m_data16[0]);
ND_PRINT((ndo, " seq#=%u", EXTRACT_16BITS(&mh->ip6m_data16[0])));
hlen = IP6M_MINLEN;
ND_TCHECK(mh->ip6m_data16[0]);
ND_PRINT((ndo, " seq#=%u", EXTRACT_16BITS(&mh->ip6m_data16[0])));
hlen = IP6M_MINLEN;
- ND_TCHECK2(*mh, hlen + 1);
- if (bp[hlen] & 0xf0)
+ ND_TCHECK_16BITS(&bp[hlen]);
+ if (bp[hlen] & 0xf0) {
- if (bp[hlen] & 0x80)
- ND_PRINT((ndo, "A"));
- if (bp[hlen] & 0x40)
- ND_PRINT((ndo, "H"));
- if (bp[hlen] & 0x20)
- ND_PRINT((ndo, "L"));
- if (bp[hlen] & 0x10)
- ND_PRINT((ndo, "K"));
+ if (bp[hlen] & 0x80)
+ ND_PRINT((ndo, "A"));
+ if (bp[hlen] & 0x40)
+ ND_PRINT((ndo, "H"));
+ if (bp[hlen] & 0x20)
+ ND_PRINT((ndo, "L"));
+ if (bp[hlen] & 0x10)
+ ND_PRINT((ndo, "K"));
+ }
/* Reserved (4bits) */
hlen += 1;
/* Reserved (8bits) */
hlen += 1;
/* Reserved (4bits) */
hlen += 1;
/* Reserved (8bits) */
hlen += 1;
- ND_TCHECK2(*mh, hlen + 2);
+ ND_TCHECK_16BITS(&bp[hlen]);
/* units of 4 secs */
ND_PRINT((ndo, " lifetime=%u", EXTRACT_16BITS(&bp[hlen]) << 2));
hlen += 2;
/* units of 4 secs */
ND_PRINT((ndo, " lifetime=%u", EXTRACT_16BITS(&bp[hlen]) << 2));
hlen += 2;
case IP6M_BINDING_ACK:
ND_TCHECK(mh->ip6m_data8[0]);
ND_PRINT((ndo, " status=%u", mh->ip6m_data8[0]));
case IP6M_BINDING_ACK:
ND_TCHECK(mh->ip6m_data8[0]);
ND_PRINT((ndo, " status=%u", mh->ip6m_data8[0]));
+ ND_TCHECK(mh->ip6m_data8[1]);
if (mh->ip6m_data8[1] & 0x80)
ND_PRINT((ndo, " K"));
/* Reserved (7bits) */
hlen = IP6M_MINLEN;
if (mh->ip6m_data8[1] & 0x80)
ND_PRINT((ndo, " K"));
/* Reserved (7bits) */
hlen = IP6M_MINLEN;
- ND_TCHECK2(*mh, hlen + 2);
+ ND_TCHECK_16BITS(&bp[hlen]);
ND_PRINT((ndo, " seq#=%u", EXTRACT_16BITS(&bp[hlen])));
hlen += 2;
ND_PRINT((ndo, " seq#=%u", EXTRACT_16BITS(&bp[hlen])));
hlen += 2;
- ND_TCHECK2(*mh, hlen + 2);
+ ND_TCHECK_16BITS(&bp[hlen]);
/* units of 4 secs */
ND_PRINT((ndo, " lifetime=%u", EXTRACT_16BITS(&bp[hlen]) << 2));
hlen += 2;
/* units of 4 secs */
ND_PRINT((ndo, " lifetime=%u", EXTRACT_16BITS(&bp[hlen]) << 2));
hlen += 2;
ND_PRINT((ndo, " status=%u", mh->ip6m_data8[0]));
/* Reserved */
hlen = IP6M_MINLEN;
ND_PRINT((ndo, " status=%u", mh->ip6m_data8[0]));
/* Reserved */
hlen = IP6M_MINLEN;
- ND_TCHECK2(*mh, hlen + 16);
+ ND_TCHECK2(bp[hlen], 16);
ND_PRINT((ndo, " homeaddr %s", ip6addr_string(ndo, &bp[hlen])));
hlen += 16;
break;
ND_PRINT((ndo, " homeaddr %s", ip6addr_string(ndo, &bp[hlen])));
hlen += 16;
break;
decnet-shorthdr-oobr decnet-shorthdr-oobr.pcap decnet-shorthdr-oobr.out
isakmp-3948-oobr-2 isakmp-3948-oobr-2.pcap isakmp-3948-oobr-2.out
ieee802.11_rates_oobr ieee802.11_rates_oobr.pcap ieee802.11_rates_oobr.out
decnet-shorthdr-oobr decnet-shorthdr-oobr.pcap decnet-shorthdr-oobr.out
isakmp-3948-oobr-2 isakmp-3948-oobr-2.pcap isakmp-3948-oobr-2.out
ieee802.11_rates_oobr ieee802.11_rates_oobr.pcap ieee802.11_rates_oobr.out
+ipv6-mobility-header-oobr ipv6-mobility-header-oobr.pcap ipv6-mobility-header-oobr.out
# bad packets from Kamil Frankowicz
snmp-heapoverflow-1 snmp-heapoverflow-1.pcap snmp-heapoverflow-1.out
# bad packets from Kamil Frankowicz
snmp-heapoverflow-1 snmp-heapoverflow-1.pcap snmp-heapoverflow-1.out
--- /dev/null
+IP6 3030:3030:3030:3030:3030:3030:3030:3030 > 3030:3030:3030:3030:3030:3030:3030:3030: mobility: BA status=48[|MOBILITY]
projects / tcpdump / commitdiff
