From: Denis Ovsienko
Date: Sun, 28 Apr 2013 13:20:28 +0000 (+0400)
Subject: fix bug #303 (DLT_IEEE802_11_RADIO ext. bitmaps)
X-Git-Tag: tcpdump-4.5.0~80^2~17
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/2f2e35168f0852832afba2b9a045df8d6fbe171a

fix bug #303 (DLT_IEEE802_11_RADIO ext. bitmaps)

This bug was discovered and pinned down by Wim Torfs. The code in question handles the DLT_IEEE802_11_RADIO datalink type, which consists of a variable-sized header, a variable number of fields and the actual 802.11 frame. The integers contained in the fields are aligned; properly extracting them is exactly the purpose of the existing "cpack" module.

The issue with the current code is that it sets the alignment base for cpack at the end of the variable-sized header; in other words, 64-bit integers would be properly extracted only so long as the header is 64-bit long, which only happens when the total number of bitmaps in it is odd (the minimum number of bitmaps is one). Once this condition isn't met, as it is with two bitmaps, decoding becomes incorrect. The reporter's point that the alignment base must be the beginning of the variable-sized header is accurate.

This commit adds a new cpack_advance() function to fast-forward the "c_next" pointer of a cpack_state context by an arbitrary number of octets. The ieee802_11_radio_print() function now uses it to skip the header and all its bitmaps, and the alignment base is now the header start.
---
diff --git a/cpack.c b/cpack.c index c921b390..b863d8e7 100644 --- a/cpack.c +++ b/cpack.c 
@@ -68,6 +68,17 @@ cpack_align_and_reserve(struct cpack_state *cs, size_t wordsize) return next; } +/* Advance by N bytes without returning them. */ +int +cpack_advance(struct cpack_state *cs, const size_t toskip) +{ + /* No space left? */ + if (cs->c_next - cs->c_buf + toskip > cs->c_len) + return -1; + cs->c_next += toskip; + return 0; +} + int cpack_init(struct cpack_state *cs, u_int8_t *buf, size_t buflen) { diff --git a/cpack.h b/cpack.h index 74f97960..383927f7 100644 --- a/cpack.h +++ b/cpack.h @@ -51,4 +51,6 @@ u_int8_t *cpack_align_and_reserve(struct cpack_state *cs, size_t wordsize); #define cpack_int32(__s, __p) cpack_uint32((__s), (u_int32_t*)(__p)) #define cpack_int64(__s, __p) cpack_uint64((__s), (u_int64_t*)(__p)) +extern int cpack_advance(struct cpack_state *, const size_t); + #endif /* _CPACK_H */ diff --git a/print-802_11.c b/print-802_11.c index 97badb9f..603e9460 100644 --- a/print-802_11.c +++ b/print-802_11.c @@ -2209,7 +2209,6 @@ ieee802_11_radio_print(const u_char *p, u_int length, u_int caplen) u_int32_t *presentp, *last_presentp; enum ieee80211_radiotap_type bit; int bit0; - const u_char *iter; u_int len; u_int8_t flags; int pad; @@ -2229,10 +2228,13 @@ ieee802_11_radio_print(const u_char *p, u_int length, u_int caplen) printf("[|802.11]"); return caplen; } + cpack_init(&cpacker, (u_int8_t *)hdr, len); /* align against header start */ + cpack_advance(&cpacker, sizeof(*hdr)); /* includes the 1st bitmap */ for (last_presentp = &hdr->it_present; IS_EXTENDED(last_presentp) && (u_char*)(last_presentp + 1) <= p + len; - last_presentp++); + last_presentp++) + cpack_advance(&cpacker, sizeof(hdr->it_present)); /* more bitmaps */ /* are there more bitmap extensions than bytes in header? */ if (IS_EXTENDED(last_presentp)) { 
@@ -2240,14 +2242,6 @@ ieee802_11_radio_print(const u_char *p, u_int length, u_int caplen) return caplen; } - iter = (u_char*)(last_presentp + 1); - - if (cpack_init(&cpacker, (u_int8_t*)iter, len - (iter - p)) != 0) { - /* XXX */ - printf("[|802.11]"); - return caplen; - } - /* Assume no flags */ flags = 0; /* Assume no Atheros padding between 802.11 header and body */ diff --git a/tests/ieee802.11_exthdr.out b/tests/ieee802.11_exthdr.out new file mode 100644 index 00000000..dd1689d4 --- /dev/null +++ b/tests/ieee802.11_exthdr.out 
@@ -0,0 +1,26 @@ +10016360us tsft 1.0 Mb/s 2412 MHz 11b -22dB signal -86dB noise antenna 1 [bit 31] 0us Probe Request (omus) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] +10018922us tsft 1.0 Mb/s 2412 MHz 11b -19dB signal -86dB noise antenna 0 [bit 31] 0us Acknowledgment RA:90:a4:de:c0:46:0a +10017245us tsft 1.0 Mb/s -86dB noise 27dBm tx power [bit 15] 314us Probe Response (omus) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1 +10085301us tsft 1.0 Mb/s 2412 MHz 11b -19dB signal -86dB noise antenna 1 [bit 31] 0us Probe Request (omus) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] +10087718us tsft 1.0 Mb/s 2412 MHz 11b -18dB signal -86dB noise antenna 0 [bit 31] 0us Acknowledgment RA:90:a4:de:c0:46:0a +10086042us tsft 1.0 Mb/s -86dB noise 27dBm tx power [bit 15] 314us Probe Response (omus) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1 +10284358us tsft 1.0 Mb/s 2412 MHz 11b -61dB signal -86dB noise antenna 1 [bit 31] 0us Probe Request (omus) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] +10288217us tsft 1.0 Mb/s 2412 MHz 11b -46dB signal -86dB noise antenna 0 [bit 31] 0us Acknowledgment RA:90:a4:de:c0:46:0a +10286542us tsft 1.0 Mb/s -86dB noise 27dBm tx power [bit 15] 314us Probe Response (omus) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1 +10351366us tsft 1.0 Mb/s 2412 MHz 11b -70dB signal -86dB noise antenna 1 [bit 31] 0us Probe Request (omus) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] +10353769us tsft 1.0 Mb/s 2412 MHz 11b -57dB signal -86dB noise antenna 0 [bit 31] 0us Acknowledgment RA:90:a4:de:c0:46:0a +10352092us tsft 1.0 Mb/s -86dB noise 27dBm tx power [bit 15] 314us Probe Response (omus) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1 +10418368us tsft 1.0 Mb/s 2412 MHz 11b -67dB signal -86dB noise antenna 1 [bit 31] 0us Probe Request (omus) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] +10420929us tsft 1.0 Mb/s 2412 MHz 11b -73dB signal -86dB noise antenna 0 [bit 31] 0us Acknowledgment RA:90:a4:de:c0:46:0a +10419253us tsft 1.0 Mb/s -86dB noise 27dBm tx 
power [bit 15] 314us Probe Response (omus) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1 +10485371us tsft 1.0 Mb/s 2412 MHz 11b -72dB signal -86dB noise antenna 1 [bit 31] 0us Probe Request (omus) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] +10489278us tsft 1.0 Mb/s 2412 MHz 11b -74dB signal -86dB noise antenna 0 [bit 31] 0us Acknowledgment RA:90:a4:de:c0:46:0a +10487602us tsft 1.0 Mb/s -86dB noise 27dBm tx power [bit 15] 314us Probe Response (omus) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] CH: 1 +13338508us tsft 1.0 Mb/s 2412 MHz 11b -14dB signal -86dB noise antenna 1 [bit 31] 314us Authentication (Open System)-1: Successful +13340215us tsft 1.0 Mb/s 2412 MHz 11b -17dB signal -86dB noise antenna 0 [bit 31] 0us Acknowledgment RA:90:a4:de:c0:46:0a +13339435us tsft 1.0 Mb/s -86dB noise 27dBm tx power [bit 15] 314us Authentication (Open System)-2: +13341999us tsft 1.0 Mb/s 2412 MHz 11b -18dB signal -86dB noise antenna 1 [bit 31] 314us Assoc Request (omus) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] +13346458us tsft 1.0 Mb/s 2412 MHz 11b -18dB signal -86dB noise antenna 0 [bit 31] 0us Acknowledgment RA:90:a4:de:c0:46:0a +13344925us tsft 1.0 Mb/s -86dB noise 27dBm tx power [bit 15] 314us Assoc Response AID(1) :: Successful +13355433us tsft 2412 MHz 11g -22dB signal -86dB noise antenna 1 19.5 Mb/s MCS 2 20 MHz lon GI [bit 31] 48us +13454791us tsft 2412 MHz 11g -21dB signal -86dB noise antenna 1 52.0 Mb/s MCS 11 20 MHz lon GI [bit 31] Pwr Mgmt 44us
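Review bot: in the cpack.c hunk, the bounds check `cs->c_next - cs->c_buf + toskip > cs->c_len` mixes a ptrdiff_t with the size_t `toskip`; it is safe because c_next never precedes c_buf, but `(size_t)(cs->c_next - cs->c_buf) + toskip` would make that explicit and match how c_len is typed. The -1 result is only useful if callers test it, and neither of the two new calls in print-802_11.c does, so either the callers should check it or the comment above the function should say that a failed advance leaves c_next untouched.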
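Review bot: in the cpack.h hunk, the `const` on the by-value parameter in `extern int cpack_advance(struct cpack_state *, const size_t);` has no effect for callers and differs from the neighbouring prototype `cpack_align_and_reserve(struct cpack_state *cs, size_t wordsize)`; drop it from the declaration (keeping it in the definition, if wanted) so the header stays consistent.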
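Review bot: in the @@ -2229 hunk of print-802_11.c, both `cpack_advance(&cpacker, ...)` calls discard the return value. The loop condition `(u_char*)(last_presentp + 1) <= p + len` only guarantees that the next bitmap starts no later than the end of the header, not that all four of its bytes lie within `len`, so the advance in the loop body can fail on a short it_len and decoding would then continue with c_next where it was. Suggest bailing out as the old cpack_init() guard did, e.g. `if (cpack_advance(&cpacker, sizeof(hdr->it_present)) != 0) { printf("[|802.11]"); return caplen; }`, and tightening the pre-existing condition to `(u_char*)(last_presentp + 2) <= p + len` so the post-loop "more bitmap extensions than bytes in header" check is reached before last_presentp walks past the header.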
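Review bot: the @@ -2240 hunk removes the only check of cpack_init()'s return value (`if (cpack_init(&cpacker, (u_int8_t*)iter, len - (iter - p)) != 0)`), while the replacement `cpack_init(&cpacker, (u_int8_t *)hdr, len);` in the earlier hunk ignores it. If cpack_init() can still fail, restore the `[|802.11]` bail-out around the new call; if it cannot for a `len` that has already been checked against caplen, a short comment saying so would stop the next reader from asking.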
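Review bot: the tests hunk adds only the expected-output file tests/ieee802.11_exthdr.out; the capture it is decoded from and the tests/TESTLIST entry that would run it are not in this diff, so the new test cannot execute as committed. Either include them here or name the commit that adds them. Also worth a look: every expected line ends its radiotap part with `[bit 31]` or `[bit 15]`, i.e. the printer reports the extension bit (bit 31) as an unknown field, which may deserve a follow-up rather than being baked into the expected output.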
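The alignment problem the commit message describes, as an added example that is not tcpdump's code: a small reader that copies cpack's rule of aligning the cursor against the buffer start is run over a constructed two-bitmap radiotap header carrying a TSFT (the 10016360 us value from the first expected-output line), once with the base at the header start (what this commit does) and once at the end of the bitmaps (the old code). The `rd` struct and all function names are made up for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Reader state shaped like cpack_state: buffer, length, cursor. */
struct rd { const uint8_t *buf; size_t len; const uint8_t *next; };

/* Mirrors cpack_align_and_reserve(): pad the cursor to a multiple of
 * wordsize measured from buf; fail if wordsize bytes do not fit. */
static const uint8_t *rd_align_and_reserve(struct rd *r, size_t wordsize)
{
    size_t misalign = (size_t)(r->next - r->buf) % wordsize;
    const uint8_t *p = r->next + (misalign ? wordsize - misalign : 0);
    if ((size_t)(p - r->buf) + wordsize > r->len)
        return NULL;
    r->next = p + wordsize;
    return p;
}

/* Little-endian 64-bit read (radiotap fields are little-endian); 0 if short. */
static uint64_t rd_u64(struct rd *r)
{
    const uint8_t *p = rd_align_and_reserve(r, 8);
    uint64_t v = 0;
    if (p == NULL)
        return 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Constructed radiotap header: it_version 0, it_pad 0, it_len 24 (LE),
 * bitmap 1 = TSFT (bit 0) | EXT (bit 31), bitmap 2 empty, 4 pad bytes so
 * the u64 is 8-aligned from the header start, then TSFT = 10016360 us. */
static const uint8_t frame[] = {
    0x00, 0x00, 0x18, 0x00,   0x01, 0x00, 0x00, 0x80,   0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,   0x68, 0xd6, 0x98, 0x00, 0x00, 0x00, 0x00, 0x00,
};
#define BITMAPS_END (4 + 2 * 4)   /* fixed header plus two bitmaps */

/* This commit: base at the header start, cursor advanced past the bitmaps,
 * so the u64 is padded from offset 12 to 16 and decodes correctly. */
uint64_t tsft_base_header_start(void)
{
    struct rd r = { frame, sizeof frame, frame + BITMAPS_END };
    return rd_u64(&r);                  /* 10016360 */
}

/* Old code: base at the end of the bitmaps, so offset 12 looks aligned and
 * the four pad bytes are read as the low half of the TSFT. */
uint64_t tsft_base_header_end(void)
{
    struct rd r = { frame + BITMAPS_END, sizeof frame - BITMAPS_END, frame + BITMAPS_END };
    return rd_u64(&r);                  /* 10016360 << 32 */
}
```

With one bitmap the header would be 8 bytes and both bases would agree, which is why the bug only shows with an even number of bitmaps.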