From: Guy Harris Date: Wed, 12 Nov 2014 01:24:12 +0000 (-0800) Subject: Add initial bounds check, get rid of union aodv. X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/1e2972d729659cc2d95e67d364473488effa0390 Add initial bounds check, get rid of union aodv. Fetch the type field without using a structure, and check to make sure it's not past the end of the packet. Pass to each dissection routine a pointer to the appropriate message type structure, rather than a pointer to a union of all the message type structures. --- diff --git a/aodv.h b/aodv.h index c2dec474..b48be30a 100644 --- a/aodv.h +++ b/aodv.h @@ -151,19 +151,6 @@ struct aodv_rrep_ack { u_int8_t ra_zero0; }; -union aodv { - struct aodv_rreq rreq; - struct aodv_rrep rrep; - struct aodv_rerr rerr; - struct aodv_rrep_ack rrep_ack; -#ifdef INET6 - struct aodv_rreq6 rreq6; - struct aodv_rreq6_draft_01 rreq6_draft_01; - struct aodv_rrep6 rrep6; - struct aodv_rrep6_draft_01 rrep6_draft_01; -#endif -}; - #define AODV_RREQ 1 /* route request */ #define AODV_RREP 2 /* route response */ #define AODV_RERR 3 /* error report */ diff --git a/print-aodv.c b/print-aodv.c index c5f66223..9318474f 100644 --- a/print-aodv.c +++ b/print-aodv.c @@ -82,7 +82,7 @@ aodv_extension(const struct aodv_ext *ep, u_int length) } static void -aodv_rreq(const union aodv *ap, const u_char *dat, u_int length) +aodv_rreq(const struct aodv_rreq *ap, const u_char *dat, u_int length) { u_int i; @@ -91,30 +91,30 @@ aodv_rreq(const union aodv *ap, const u_char *dat, u_int length) return; } i = min(length, (u_int)(snapend - dat)); - if (i < sizeof(ap->rreq)) { + if (i < sizeof(*ap)) { printf(" [|rreq]"); return; } - i -= sizeof(ap->rreq); + i -= sizeof(*ap); printf(" rreq %u %s%s%s%s%shops %u id 0x%08lx\n" "\tdst %s seq %lu src %s seq %lu", length, - ap->rreq.rreq_type & RREQ_JOIN ? "[J]" : "", - ap->rreq.rreq_type & RREQ_REPAIR ? "[R]" : "", - ap->rreq.rreq_type & RREQ_GRAT ? "[G]" : "", - ap->rreq.rreq_type & RREQ_DEST ? "[D]" : "", - ap->rreq.rreq_type & RREQ_UNKNOWN ? "[U] " : " ", - ap->rreq.rreq_hops, - (unsigned long)EXTRACT_32BITS(&ap->rreq.rreq_id), - ipaddr_string(&ap->rreq.rreq_da), - (unsigned long)EXTRACT_32BITS(&ap->rreq.rreq_ds), - ipaddr_string(&ap->rreq.rreq_oa), - (unsigned long)EXTRACT_32BITS(&ap->rreq.rreq_os)); + ap->rreq_type & RREQ_JOIN ? "[J]" : "", + ap->rreq_type & RREQ_REPAIR ? "[R]" : "", + ap->rreq_type & RREQ_GRAT ? "[G]" : "", + ap->rreq_type & RREQ_DEST ? "[D]" : "", + ap->rreq_type & RREQ_UNKNOWN ? "[U] " : " ", + ap->rreq_hops, + (unsigned long)EXTRACT_32BITS(&ap->rreq_id), + ipaddr_string(&ap->rreq_da), + (unsigned long)EXTRACT_32BITS(&ap->rreq_ds), + ipaddr_string(&ap->rreq_oa), + (unsigned long)EXTRACT_32BITS(&ap->rreq_os)); if (i >= sizeof(struct aodv_ext)) - aodv_extension((void *)(&ap->rreq + 1), i); + aodv_extension((void *)(ap + 1), i); } static void -aodv_rrep(const union aodv *ap, const u_char *dat, u_int length) +aodv_rrep(const struct aodv_rrep *ap, const u_char *dat, u_int length) { u_int i; @@ -123,27 +123,27 @@ aodv_rrep(const union aodv *ap, const u_char *dat, u_int length) return; } i = min(length, (u_int)(snapend - dat)); - if (i < sizeof(ap->rrep)) { + if (i < sizeof(*ap)) { printf(" [|rrep]"); return; } - i -= sizeof(ap->rrep); + i -= sizeof(*ap); printf(" rrep %u %s%sprefix %u hops %u\n" "\tdst %s dseq %lu src %s %lu ms", length, - ap->rrep.rrep_type & RREP_REPAIR ? "[R]" : "", - ap->rrep.rrep_type & RREP_ACK ? "[A] " : " ", - ap->rrep.rrep_ps & RREP_PREFIX_MASK, - ap->rrep.rrep_hops, - ipaddr_string(&ap->rrep.rrep_da), - (unsigned long)EXTRACT_32BITS(&ap->rrep.rrep_ds), - ipaddr_string(&ap->rrep.rrep_oa), - (unsigned long)EXTRACT_32BITS(&ap->rrep.rrep_life)); + ap->rrep_type & RREP_REPAIR ? "[R]" : "", + ap->rrep_type & RREP_ACK ? "[A] " : " ", + ap->rrep_ps & RREP_PREFIX_MASK, + ap->rrep_hops, + ipaddr_string(&ap->rrep_da), + (unsigned long)EXTRACT_32BITS(&ap->rrep_ds), + ipaddr_string(&ap->rrep_oa), + (unsigned long)EXTRACT_32BITS(&ap->rrep_life)); if (i >= sizeof(struct aodv_ext)) - aodv_extension((void *)(&ap->rrep + 1), i); + aodv_extension((void *)(ap + 1), i); } static void -aodv_rerr(const union aodv *ap, const u_char *dat, u_int length) +aodv_rerr(const struct aodv_rerr *ap, const u_char *dat, u_int length) { u_int i; const struct rerr_unreach *dp = NULL; @@ -159,14 +159,14 @@ aodv_rerr(const union aodv *ap, const u_char *dat, u_int length) return; } i -= offsetof(struct aodv_rerr, r); - dp = &ap->rerr.r.dest[0]; - n = ap->rerr.rerr_dc * sizeof(ap->rerr.r.dest[0]); + dp = &ap->r.dest[0]; + n = ap->rerr_dc * sizeof(ap->r.dest[0]); printf(" rerr %s [items %u] [%u]:", - ap->rerr.rerr_flags & RERR_NODELETE ? "[D]" : "", - ap->rerr.rerr_dc, length); - trunc = n - (i/sizeof(ap->rerr.r.dest[0])); - for (; i >= sizeof(ap->rerr.r.dest[0]); - ++dp, i -= sizeof(ap->rerr.r.dest[0])) { + ap->rerr_flags & RERR_NODELETE ? "[D]" : "", + ap->rerr_dc, length); + trunc = n - (i/sizeof(ap->r.dest[0])); + for (; i >= sizeof(ap->r.dest[0]); + ++dp, i -= sizeof(ap->r.dest[0])) { printf(" {%s}(%ld)", ipaddr_string(&dp->u_da), (unsigned long)EXTRACT_32BITS(&dp->u_ds)); } @@ -176,9 +176,9 @@ aodv_rerr(const union aodv *ap, const u_char *dat, u_int length) static void #ifdef INET6 -aodv_v6_rreq(const union aodv *ap, const u_char *dat, u_int length) +aodv_v6_rreq(const struct aodv_rreq6 *ap, const u_char *dat, u_int length) #else -aodv_v6_rreq(const union aodv *ap _U_, const u_char *dat _U_, u_int length) +aodv_v6_rreq(const struct aodv_rreq6 *ap _U_, const u_char *dat _U_, u_int length) #endif { #ifdef INET6 @@ -189,26 +189,26 @@ aodv_v6_rreq(const union aodv *ap _U_, const u_char *dat _U_, u_int length) return; } i = min(length, (u_int)(snapend - dat)); - if (i < sizeof(ap->rreq6)) { + if (i < sizeof(*ap)) { printf(" [|rreq6]"); return; } - i -= sizeof(ap->rreq6); + i -= sizeof(*ap); printf(" v6 rreq %u %s%s%s%s%shops %u id 0x%08lx\n" "\tdst %s seq %lu src %s seq %lu", length, - ap->rreq6.rreq_type & RREQ_JOIN ? "[J]" : "", - ap->rreq6.rreq_type & RREQ_REPAIR ? "[R]" : "", - ap->rreq6.rreq_type & RREQ_GRAT ? "[G]" : "", - ap->rreq6.rreq_type & RREQ_DEST ? "[D]" : "", - ap->rreq6.rreq_type & RREQ_UNKNOWN ? "[U] " : " ", - ap->rreq6.rreq_hops, - (unsigned long)EXTRACT_32BITS(&ap->rreq6.rreq_id), - ip6addr_string(&ap->rreq6.rreq_da), - (unsigned long)EXTRACT_32BITS(&ap->rreq6.rreq_ds), - ip6addr_string(&ap->rreq6.rreq_oa), - (unsigned long)EXTRACT_32BITS(&ap->rreq6.rreq_os)); + ap->rreq_type & RREQ_JOIN ? "[J]" : "", + ap->rreq_type & RREQ_REPAIR ? "[R]" : "", + ap->rreq_type & RREQ_GRAT ? "[G]" : "", + ap->rreq_type & RREQ_DEST ? "[D]" : "", + ap->rreq_type & RREQ_UNKNOWN ? "[U] " : " ", + ap->rreq_hops, + (unsigned long)EXTRACT_32BITS(&ap->rreq_id), + ip6addr_string(&ap->rreq_da), + (unsigned long)EXTRACT_32BITS(&ap->rreq_ds), + ip6addr_string(&ap->rreq_oa), + (unsigned long)EXTRACT_32BITS(&ap->rreq_os)); if (i >= sizeof(struct aodv_ext)) - aodv_extension((void *)(&ap->rreq6 + 1), i); + aodv_extension((void *)(ap + 1), i); #else printf(" v6 rreq %u", length); #endif @@ -216,9 +216,9 @@ aodv_v6_rreq(const union aodv *ap _U_, const u_char *dat _U_, u_int length) static void #ifdef INET6 -aodv_v6_rrep(const union aodv *ap, const u_char *dat, u_int length) +aodv_v6_rrep(const struct aodv_rrep6 *ap, const u_char *dat, u_int length) #else -aodv_v6_rrep(const union aodv *ap _U_, const u_char *dat _U_, u_int length) +aodv_v6_rrep(const struct aodv_rrep6 *ap _U_, const u_char *dat _U_, u_int length) #endif { #ifdef INET6 @@ -229,23 +229,23 @@ aodv_v6_rrep(const union aodv *ap _U_, const u_char *dat _U_, u_int length) return; } i = min(length, (u_int)(snapend - dat)); - if (i < sizeof(ap->rrep6)) { + if (i < sizeof(*ap)) { printf(" [|rrep6]"); return; } - i -= sizeof(ap->rrep6); + i -= sizeof(*ap); printf(" rrep %u %s%sprefix %u hops %u\n" "\tdst %s dseq %lu src %s %lu ms", length, - ap->rrep6.rrep_type & RREP_REPAIR ? "[R]" : "", - ap->rrep6.rrep_type & RREP_ACK ? "[A] " : " ", - ap->rrep6.rrep_ps & RREP_PREFIX_MASK, - ap->rrep6.rrep_hops, - ip6addr_string(&ap->rrep6.rrep_da), - (unsigned long)EXTRACT_32BITS(&ap->rrep6.rrep_ds), - ip6addr_string(&ap->rrep6.rrep_oa), - (unsigned long)EXTRACT_32BITS(&ap->rrep6.rrep_life)); + ap->rrep_type & RREP_REPAIR ? "[R]" : "", + ap->rrep_type & RREP_ACK ? "[A] " : " ", + ap->rrep_ps & RREP_PREFIX_MASK, + ap->rrep_hops, + ip6addr_string(&ap->rrep_da), + (unsigned long)EXTRACT_32BITS(&ap->rrep_ds), + ip6addr_string(&ap->rrep_oa), + (unsigned long)EXTRACT_32BITS(&ap->rrep_life)); if (i >= sizeof(struct aodv_ext)) - aodv_extension((void *)(&ap->rrep6 + 1), i); + aodv_extension((void *)(ap + 1), i); #else printf(" rrep %u", length); #endif @@ -253,9 +253,9 @@ aodv_v6_rrep(const union aodv *ap _U_, const u_char *dat _U_, u_int length) static void #ifdef INET6 -aodv_v6_rerr(const union aodv *ap, u_int length) +aodv_v6_rerr(const struct aodv_rerr *ap, u_int length) #else -aodv_v6_rerr(const union aodv *ap _U_, u_int length) +aodv_v6_rerr(const struct aodv_rerr *ap _U_, u_int length) #endif { #ifdef INET6 @@ -263,12 +263,12 @@ aodv_v6_rerr(const union aodv *ap _U_, u_int length) int i, j, n, trunc; i = length - offsetof(struct aodv_rerr, r); - j = sizeof(ap->rerr.r.dest6[0]); - dp6 = &ap->rerr.r.dest6[0]; - n = ap->rerr.rerr_dc * j; + j = sizeof(ap->r.dest6[0]); + dp6 = &ap->r.dest6[0]; + n = ap->rerr_dc * j; printf(" rerr %s [items %u] [%u]:", - ap->rerr.rerr_flags & RERR_NODELETE ? "[D]" : "", - ap->rerr.rerr_dc, length); + ap->rerr_flags & RERR_NODELETE ? "[D]" : "", + ap->rerr_dc, length); trunc = n - (i/j); for (; i -= j >= 0; ++dp6) { printf(" {%s}(%ld)", ip6addr_string(&dp6->u_da), @@ -283,10 +283,9 @@ aodv_v6_rerr(const union aodv *ap _U_, u_int length) static void #ifdef INET6 -aodv_v6_draft_01_rreq(const union aodv *ap, const u_char *dat, u_int length) +aodv_v6_draft_01_rreq(const struct aodv_rreq6_draft_01 *ap, const u_char *dat, u_int length) #else -aodv_v6_draft_01_rreq(const union aodv *ap _U_, const u_char *dat _U_, - u_int length) +aodv_v6_draft_01_rreq(const struct aodv_rreq6_draft_01 *ap _U_, const u_char *dat _U_, u_int length) #endif { #ifdef INET6 @@ -297,26 +296,26 @@ aodv_v6_draft_01_rreq(const union aodv *ap _U_, const u_char *dat _U_, return; } i = min(length, (u_int)(snapend - dat)); - if (i < sizeof(ap->rreq6_draft_01)) { + if (i < sizeof(*ap)) { printf(" [|rreq6]"); return; } - i -= sizeof(ap->rreq6_draft_01); + i -= sizeof(*ap); printf(" rreq %u %s%s%s%s%shops %u id 0x%08lx\n" "\tdst %s seq %lu src %s seq %lu", length, - ap->rreq6_draft_01.rreq_type & RREQ_JOIN ? "[J]" : "", - ap->rreq6_draft_01.rreq_type & RREQ_REPAIR ? "[R]" : "", - ap->rreq6_draft_01.rreq_type & RREQ_GRAT ? "[G]" : "", - ap->rreq6_draft_01.rreq_type & RREQ_DEST ? "[D]" : "", - ap->rreq6_draft_01.rreq_type & RREQ_UNKNOWN ? "[U] " : " ", - ap->rreq6_draft_01.rreq_hops, - (unsigned long)EXTRACT_32BITS(&ap->rreq6_draft_01.rreq_id), - ip6addr_string(&ap->rreq6_draft_01.rreq_da), - (unsigned long)EXTRACT_32BITS(&ap->rreq6_draft_01.rreq_ds), - ip6addr_string(&ap->rreq6_draft_01.rreq_oa), - (unsigned long)EXTRACT_32BITS(&ap->rreq6_draft_01.rreq_os)); + ap->rreq_type & RREQ_JOIN ? "[J]" : "", + ap->rreq_type & RREQ_REPAIR ? "[R]" : "", + ap->rreq_type & RREQ_GRAT ? "[G]" : "", + ap->rreq_type & RREQ_DEST ? "[D]" : "", + ap->rreq_type & RREQ_UNKNOWN ? "[U] " : " ", + ap->rreq_hops, + (unsigned long)EXTRACT_32BITS(&ap->rreq_id), + ip6addr_string(&ap->rreq_da), + (unsigned long)EXTRACT_32BITS(&ap->rreq_ds), + ip6addr_string(&ap->rreq_oa), + (unsigned long)EXTRACT_32BITS(&ap->rreq_os)); if (i >= sizeof(struct aodv_ext)) - aodv_extension((void *)(&ap->rreq6_draft_01 + 1), i); + aodv_extension((void *)(ap + 1), i); #else printf(" rreq %u", length); #endif @@ -324,10 +323,9 @@ aodv_v6_draft_01_rreq(const union aodv *ap _U_, const u_char *dat _U_, static void #ifdef INET6 -aodv_v6_draft_01_rrep(const union aodv *ap, const u_char *dat, u_int length) +aodv_v6_draft_01_rrep(const struct aodv_rrep6_draft_01 *ap, const u_char *dat, u_int length) #else -aodv_v6_draft_01_rrep(const union aodv *ap _U_, const u_char *dat _U_, - u_int length) +aodv_v6_draft_01_rrep(const struct aodv_rrep6_draft_01 *ap _U_, const u_char *dat _U_, u_int length) #endif { #ifdef INET6 @@ -338,23 +336,23 @@ aodv_v6_draft_01_rrep(const union aodv *ap _U_, const u_char *dat _U_, return; } i = min(length, (u_int)(snapend - dat)); - if (i < sizeof(ap->rrep6_draft_01)) { + if (i < sizeof(*ap)) { printf(" [|rrep6]"); return; } - i -= sizeof(ap->rrep6_draft_01); + i -= sizeof(*ap); printf(" rrep %u %s%sprefix %u hops %u\n" "\tdst %s dseq %lu src %s %lu ms", length, - ap->rrep6_draft_01.rrep_type & RREP_REPAIR ? "[R]" : "", - ap->rrep6_draft_01.rrep_type & RREP_ACK ? "[A] " : " ", - ap->rrep6_draft_01.rrep_ps & RREP_PREFIX_MASK, - ap->rrep6_draft_01.rrep_hops, - ip6addr_string(&ap->rrep6_draft_01.rrep_da), - (unsigned long)EXTRACT_32BITS(&ap->rrep6_draft_01.rrep_ds), - ip6addr_string(&ap->rrep6_draft_01.rrep_oa), - (unsigned long)EXTRACT_32BITS(&ap->rrep6_draft_01.rrep_life)); + ap->rrep_type & RREP_REPAIR ? "[R]" : "", + ap->rrep_type & RREP_ACK ? "[A] " : " ", + ap->rrep_ps & RREP_PREFIX_MASK, + ap->rrep_hops, + ip6addr_string(&ap->rrep_da), + (unsigned long)EXTRACT_32BITS(&ap->rrep_ds), + ip6addr_string(&ap->rrep_oa), + (unsigned long)EXTRACT_32BITS(&ap->rrep_life)); if (i >= sizeof(struct aodv_ext)) - aodv_extension((void *)(&ap->rrep6_draft_01 + 1), i); + aodv_extension((void *)(ap + 1), i); #else printf(" rrep %u", length); #endif @@ -362,9 +360,9 @@ aodv_v6_draft_01_rrep(const union aodv *ap _U_, const u_char *dat _U_, static void #ifdef INET6 -aodv_v6_draft_01_rerr(const union aodv *ap, u_int length) +aodv_v6_draft_01_rerr(const struct aodv_rerr *ap, u_int length) #else -aodv_v6_draft_01_rerr(const union aodv *ap _U_, u_int length) +aodv_v6_draft_01_rerr(const struct aodv_rerr *ap _U_, u_int length) #endif { #ifdef INET6 @@ -372,12 +370,12 @@ aodv_v6_draft_01_rerr(const union aodv *ap _U_, u_int length) int i, j, n, trunc; i = length - offsetof(struct aodv_rerr, r); - j = sizeof(ap->rerr.r.dest6_draft_01[0]); - dp6 = &ap->rerr.r.dest6_draft_01[0]; - n = ap->rerr.rerr_dc * j; + j = sizeof(ap->r.dest6_draft_01[0]); + dp6 = &ap->r.dest6_draft_01[0]; + n = ap->rerr_dc * j; printf(" rerr %s [items %u] [%u]:", - ap->rerr.rerr_flags & RERR_NODELETE ? "[D]" : "", - ap->rerr.rerr_dc, length); + ap->rerr_flags & RERR_NODELETE ? "[D]" : "", + ap->rerr_dc, length); trunc = n - (i/j); for (; i -= j >= 0; ++dp6) { printf(" {%s}(%ld)", ip6addr_string(&dp6->u_da), @@ -393,40 +391,37 @@ aodv_v6_draft_01_rerr(const union aodv *ap _U_, u_int length) void aodv_print(const u_char *dat, u_int length, int is_ip6) { - const union aodv *ap; - - ap = (union aodv *)dat; - if (snapend < dat) { - printf(" [|aodv]"); - return; - } - if (min(length, (u_int)(snapend - dat)) < sizeof(ap->rrep_ack)) { - printf(" [|aodv]"); - return; - } + uint8_t msg_type; + + /* + * The message type is the first byte; make sure we have it + * and then fetch it. + */ + TCHECK(*dat); + msg_type = *dat; printf(" aodv"); - switch (ap->rerr.rerr_type) { + switch (msg_type) { case AODV_RREQ: if (is_ip6) - aodv_v6_rreq(ap, dat, length); + aodv_v6_rreq((const struct aodv_rreq6 *)dat, dat, length); else - aodv_rreq(ap, dat, length); + aodv_rreq((const struct aodv_rreq *)dat, dat, length); break; case AODV_RREP: if (is_ip6) - aodv_v6_rrep(ap, dat, length); + aodv_v6_rrep((const struct aodv_rrep6 *)dat, dat, length); else - aodv_rrep(ap, dat, length); + aodv_rrep((const struct aodv_rrep *)dat, dat, length); break; case AODV_RERR: if (is_ip6) - aodv_v6_rerr(ap, length); + aodv_v6_rerr((const struct aodv_rerr *)dat, length); else - aodv_rerr(ap, dat, length); + aodv_rerr((const struct aodv_rerr *)dat, dat, length); break; case AODV_RREP_ACK: @@ -434,15 +429,15 @@ aodv_print(const u_char *dat, u_int length, int is_ip6) break; case AODV_V6_DRAFT_01_RREQ: - aodv_v6_draft_01_rreq(ap, dat, length); + aodv_v6_draft_01_rreq((const struct aodv_rreq6_draft_01 *)dat, dat, length); break; case AODV_V6_DRAFT_01_RREP: - aodv_v6_draft_01_rrep(ap, dat, length); + aodv_v6_draft_01_rrep((const struct aodv_rrep6_draft_01 *)dat, dat, length); break; case AODV_V6_DRAFT_01_RERR: - aodv_v6_draft_01_rerr(ap, length); + aodv_v6_draft_01_rerr((const struct aodv_rerr *)dat, length); break; case AODV_V6_DRAFT_01_RREP_ACK: @@ -450,6 +445,10 @@ aodv_print(const u_char *dat, u_int length, int is_ip6) break; default: - printf(" %u %u", ap->rreq.rreq_type, length); + printf(" type %u %u", msg_type, length); } + return; + +trunc: + printf(" [|aodv]"); }