From: Francois-Xavier Le Bail
Date: Mon, 6 May 2024 09:20:27 +0000 (+0200)
Subject: frag6: Fix invalid 32-bit versus 64-bit printouts
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/067f7dd17dc39144c4b292a13ceea53610b4b5e0
frag6: Fix invalid 32-bit versus 64-bit printouts
Print "[length < 0] (invalid)" when fragment length is negative.
In this case, e.g. when IPv6 payload length is zero, the 32-bit and 64-bit printouts were different.
Example:
32-bit: frag (0x80000074:1280|4294967288)
---
64-bit: frag (0x80000074:1280|18446744073709551608)
Add a test file.
---
diff --git a/print-frag6.c b/print-frag6.c
index 773e49ab..a4b3be0d 100644
--- a/print-frag6.c
+++ b/print-frag6.c
@@ -43,10 +43,14 @@ frag6_print(netdissect_options *ndo, const u_char *bp, const u_char *bp2)
 ND_PRINT("frag (");
 if (ndo->ndo_vflag)
 ND_PRINT("0x%08x:", GET_BE_U_4(dp->ip6f_ident));
- ND_PRINT("%u|%zu)",
- GET_BE_U_2(dp->ip6f_offlg) & IP6F_OFF_MASK,
- sizeof(struct ip6_hdr) + GET_BE_U_2(ip6->ip6_plen) -
- (bp - bp2) - sizeof(struct ip6_frag));
+ ND_PRINT("%u|", GET_BE_U_2(dp->ip6f_offlg) & IP6F_OFF_MASK);
+ if ((bp - bp2) + sizeof(struct ip6_frag) >
+ sizeof(struct ip6_hdr) + GET_BE_U_2(ip6->ip6_plen))
+ ND_PRINT("[length < 0] (invalid))");
+ else
+ ND_PRINT("%zu)",
+ sizeof(struct ip6_hdr) + GET_BE_U_2(ip6->ip6_plen) -
+ (bp - bp2) - sizeof(struct ip6_frag));
 
 /* it is meaningless to decode non-first fragment */
 if ((GET_BE_U_2(dp->ip6f_offlg) & IP6F_OFF_MASK) != 0)
diff --git a/tests/TESTLIST b/tests/TESTLIST
index f6b217c8..dd00127a 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
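Review bot: In the new `if`/`else`, `(bp - bp2) + sizeof(struct ip6_frag)` and `sizeof(struct ip6_hdr) + GET_BE_U_2(ip6->ip6_plen)` are each written out twice, so the rule being enforced (the fragment header must end within the length the IPv6 header declares) has to be re-derived from two four-term expressions, and `GET_BE_U_2()` re-reads `ip6_plen` just to do the subtraction. Computing both bounds once into named `size_t` locals lets the check read as `frag_end > ip6_len` and the printed value as `ip6_len - frag_end`, and an explicit `(size_t)` cast documents that the `ptrdiff_t` difference is compared unsigned instead of leaving that to the implicit conversion inside the mixed-type addition. frag6_print begins and ends outside the hunk, so if the file keeps declarations at the top of the function the two locals belong there rather than inline as sketched below.
```c
	ND_PRINT("%u|", GET_BE_U_2(dp->ip6f_offlg) & IP6F_OFF_MASK);
	/* bytes from bp2 up to and including the fragment header */
	const size_t frag_end = (size_t)(bp - bp2) + sizeof(struct ip6_frag);
	/* fixed IPv6 header plus the payload length it declares */
	const size_t ip6_len = sizeof(struct ip6_hdr) + GET_BE_U_2(ip6->ip6_plen);
	if (frag_end > ip6_len)
		ND_PRINT("[length < 0] (invalid))");
	else
		ND_PRINT("%zu)", ip6_len - frag_end);
	/* … unchanged: non-first-fragment check … */
```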
@@ -386,6 +386,7 @@ ipv6_invalid_length_2 ipv6_invalid_length_2.pcap ipv6_invalid_length_2.out -v
 ipv6_jumbogram_invalid_length ipv6_jumbogram_invalid_length.pcap ipv6_jumbogram_invalid_length.out -v
 ipv6_39_byte_header ipv6_39_byte_header.pcap ipv6_39_byte_header.out -v
 ipv6_missing_jumbo_payload_option ipv6_missing_jumbo_payload_option.pcap ipv6_missing_jumbo_payload_option.out
+ipv6_frag6_negative_len ipv6_frag6_negative_len.pcap ipv6_frag6_negative_len.out -v
 
 # Loopback/CTP test case
 loopback loopback.pcap loopback.out
diff --git a/tests/ipv6_frag6_negative_len.out b/tests/ipv6_frag6_negative_len.out
new file mode 100644
index 00000000..b56a5074
--- /dev/null
+++ b/tests/ipv6_frag6_negative_len.out
@@ -0,0 +1 @@
+ 1 1975-11-02 10:29:20.131862 IP6 (class 0x50, flowlabel 0x00073, hlim 28, next-header Fragment (44) payload length: 0) 7fff:ffff:c3b2:a102:1305:80:38:2949 > 9675:86dd:7300:2c:1c7f:ffff:ffc3:b2a1: frag (0x80000074:1280|[length < 0] (invalid))
diff --git a/tests/ipv6_frag6_negative_len.pcap b/tests/ipv6_frag6_negative_len.pcap
new file mode 100644
index 00000000..42435687
Binary files /dev/null and b/tests/ipv6_frag6_negative_len.pcap differ