nhrp: fix infinite loop on malformed packets.
authorGuy Harris <[email protected]>
Tue, 25 Apr 2023 20:37:56 +0000 (13:37 -0700)
committerGuy Harris <[email protected]>
Tue, 25 Apr 2023 20:37:56 +0000 (13:37 -0700)
If a CIE doesn't fit in the remainder of the mandatory part, return the
length of that remainder, so that the loop processing the CIEs
terminates.

Add capture that produced the infinite loop.

print-nhrp.c
tests/TESTLIST
tests/pb_nhrp_1.out [new file with mode: 0644]
tests/pb_nhrp_1.pcap [new file with mode: 0644]

index 800d5c53425d18a039015ada7be3cd6ce475cab3..6947a7ca74d60a001c461500f007f6752e16ae13 100644 (file)
@@ -480,5 +480,15 @@ nhrp_print_cie(netdissect_options *ndo, const u_char *data, uint16_t mand_part_l
 
 invalid:
        nd_print_invalid(ndo);
+
+       /*
+        * We get here because this CIE goes past thE remaining length,
+        * of the mandatory part.  We've reported that error; we now
+        * assignt he insufficnetly-large remaining piece of the
+        * mandatory part to this CIE, so that this CIE finishes up
+        * the mandatory part, and the loop processing the CIEs
+        * terminates.  There cannot be any CIEs after this one.
+        */
+       cie_len += mand_part_len;
        return (cie_len);
 }
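Review bot: The added comment at the `invalid:` label has three typos (`thE`, `assignt he`, `insufficnetly-large`) that should be fixed before this lands, since this comment is the only explanation of why the returned length now exceeds what the CIE actually parsed; the corrected fragments read `the remaining length`, `assign the`, and `insufficiently-large`. The termination argument rests on `cie_len += mand_part_len` returning exactly the bytes left in the mandatory part, which holds only if `mand_part_len` has already been reduced by whatever `cie_len` accounts for at the point of the `goto invalid`; if it is still the caller's original value, the sum overshoots and the caller's remaining-length subtraction could wrap rather than reach zero. The body of nhrp_print_cie and the loop that consumes its return value lie outside this hunk, so that invariant cannot be confirmed here; a one-line comment at the label stating it, e.g. `/* mand_part_len is the still-unconsumed remainder here, so the sum is exactly the bytes left. */`, would pin the assumption down. Since this return value is what guarantees forward progress in the caller, a defensive `if (cie_len == 0) break;` style guard in that loop would keep a future edit from reintroducing the hang.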
index 6dd75921da97131046dbf61e823718b890441103..dbc38425e36c7d0ac4c749668e45a260fe8daf98 100644 (file)
@@ -918,6 +918,7 @@ NHRP_registration           NHRP_registration.pcap          NHRP_registration.out   -v
 NHRP-responder-address         NHRP-responder-address.pcap     NHRP-responder-address.out      -v
 nhrp-trace                     nhrp-trace.pcap                 nhrp-trace.out  -v
 nhrp                           nhrp.pcap                       nhrp.out        -v
+pb_nhrp_1                      pb_nhrp_1.pcap                  pb_nhrp_1.out   -v
 
 # Undefined behavior tests
 ip-snmp-leftshift-unsigned ip-snmp-leftshift-unsigned.pcap ip-snmp-leftshift-unsigned.out
diff --git a/tests/pb_nhrp_1.out b/tests/pb_nhrp_1.out
new file mode 100644 (file)
index 0000000..a1b5f94
--- /dev/null
@@ -0,0 +1,2 @@
+    1  13:37:05.16842874 IP (tos 0xc, id 0, offset 0, flags [rsvd], proto unknown (54), length 64, options (unknown 107 [bad length 37]), bad cksum 101 (->41a4)!)
+    62.41.66.144 > 191.215.63.14: NHRP: res request, id 0, hopcnt 103, unknown-nbma-addr-family-5dc9 (01), proto type 007b 67 -> 49 [remaining mandatory part length 8 < 12] (invalid)
diff --git a/tests/pb_nhrp_1.pcap b/tests/pb_nhrp_1.pcap
new file mode 100644 (file)
index 0000000..3579194
Binary files /dev/null and b/tests/pb_nhrp_1.pcap differ