From: Francois-Xavier Le Bail
Date: Sat, 18 Jan 2020 16:32:36 +0000 (+0100)
Subject: LDP: Add some missing bounds checks
X-Git-Tag: tcpdump-4.99-bp~590
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/521ac1db3f6ba4654aa94227d9c146ab55c7d84f

LDP: Add some missing bounds checks

Replace calls to ipaddr_string()/ip6addr_string() with calls to GET_IPADDR_STRING()/GET_IP6ADDR_STRING() macros performing bounds checking. Fix a regression in 78a4ee82226a3fe19981841dfe24d5e9cb437524. This fixes a buffer over-read in ldp_tlv_print() discovered by Jason Xiaole. Add a test using the capture file supplied by the reporter updated to keep only the packet showing the buffer over-read.
---
diff --git a/print-ldp.c b/print-ldp.c
index b747fe7d..b05a1218 100644
--- a/print-ldp.c
+++ b/print-ldp.c
@@ -288,11 +288,11 @@ ldp_tlv_print(netdissect_options *ndo,
 case LDP_TLV_IPV4_TRANSPORT_ADDR:
 TLV_TCHECK(4);
- ND_PRINT("\n\t IPv4 Transport Address: %s", ipaddr_string(ndo, tptr));
+ ND_PRINT("\n\t IPv4 Transport Address: %s", GET_IPADDR_STRING(tptr));
 break;
 case LDP_TLV_IPV6_TRANSPORT_ADDR:
 TLV_TCHECK(16);
- ND_PRINT("\n\t IPv6 Transport Address: %s", ip6addr_string(ndo, tptr));
+ ND_PRINT("\n\t IPv6 Transport Address: %s", GET_IP6ADDR_STRING(tptr));
 break;
 case LDP_TLV_CONFIG_SEQ_NUMBER:
 TLV_TCHECK(4);
@@ -310,7 +310,7 @@ ldp_tlv_print(netdissect_options *ndo,
 case AFNUM_INET:
 while(tlv_tlen >= sizeof(nd_ipv4)) {
 ND_TCHECK_LEN(tptr, sizeof(nd_ipv4));
- ND_PRINT(" %s", ipaddr_string(ndo, tptr));
+ ND_PRINT(" %s", GET_IPADDR_STRING(tptr));
 tlv_tlen-=sizeof(nd_ipv4);
 tptr+=sizeof(nd_ipv4);
 }
@@ -318,7 +318,7 @@ ldp_tlv_print(netdissect_options *ndo,
 case AFNUM_INET6:
 while(tlv_tlen >= sizeof(nd_ipv6)) {
 ND_TCHECK_LEN(tptr, sizeof(nd_ipv6));
- ND_PRINT(" %s", ip6addr_string(ndo, tptr));
+ ND_PRINT(" %s", GET_IP6ADDR_STRING(tptr));
 tlv_tlen-=sizeof(nd_ipv6);
 tptr+=sizeof(nd_ipv6);
 }
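Review bot: The `TLV_TCHECK(4)` and `TLV_TCHECK(16)` lines kept directly above the new `GET_IPADDR_STRING(tptr)` and `GET_IP6ADDR_STRING(tptr)` calls now read as a second bounds check, and nothing in the hunk records why both are required. From the commit description the GET_* macros guard the captured buffer, whereas TLV_TCHECK appears to validate the TLV's declared length against `tlv_tlen` — the over-read existed precisely because that check alone does not cover the capture bounds — but the macro definition is outside the hunk and should be confirmed. A one-line comment at the first of these cases, such as `/* TLV_TCHECK validates the declared TLV length; GET_* bounds the captured data */`, would keep a later cleanup from dropping one of the two. ldp_tlv_print begins before this hunk and continues after it.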
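Review bot: In the AFNUM_INET loop the explicit `ND_TCHECK_LEN(tptr, sizeof(nd_ipv4));` immediately precedes the new `GET_IPADDR_STRING(tptr)`, which per the commit description performs its own capture-bounds check, so one of the two is redundant; the AFNUM_INET6 hunk below keeps the same pair with `ND_TCHECK_LEN(tptr, sizeof(nd_ipv6));`. If the two are meant to differ in how truncation is reported (ND_TCHECK_LEN branching to a local label versus the GET_* macro's own handling — not visible here), a short comment saying so would help; otherwise removing the ND_TCHECK_LEN lines makes these loops consistent with the transport-address cases above, which rely on the GET_* macro alone. The enclosing switch and ldp_tlv_print extend beyond the hunk.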
@@ -606,7 +606,7 @@ ldp_pdu_print(netdissect_options *ndo,
 /* print the LSR-ID, label-space & length */
 ND_PRINT("%sLDP, Label-Space-ID: %s:%u, pdu-length: %u",
 (ndo->ndo_vflag < 1) ? "" : "\n\t",
- ipaddr_string(ndo, ldp_com_header->lsr_id),
+ GET_IPADDR_STRING(ldp_com_header->lsr_id),
 GET_BE_U_2(ldp_com_header->label_space),
 pdu_len);
 
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 54f3f7a3..a61fdfcf 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -753,3 +753,6 @@ smb_data_print-oobr smb_data_print-oobr.pcapng smb_data_print-oobr.out -vv
 smb_data_print-segv smb_data_print-segv.pcapng smb_data_print-segv.out -vv
 #ptp tests
 ptp ptp.pcap ptp.out
+
+ # bad packets from Jason Xiaole
+ ldp_tlv_print-oobr ldp_tlv_print-oobr.pcap ldp_tlv_print-oobr.out -v
diff --git a/tests/ldp_tlv_print-oobr.out b/tests/ldp_tlv_print-oobr.out
new file mode 100644
index 00000000..1ec4d342
--- /dev/null
+++ b/tests/ldp_tlv_print-oobr.out
@@ -0,0 +1,7 @@
+ 1 05:27:12.1010580 IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->699d)!)
+ 48.48.48.48.12336 > 48.48.48.48.646:
+ LDP, Label-Space-ID: 48.48.48.48:12336, pdu-length: 12336
+ Hello Message (0x0100), length: 20, Message ID: 0x30303030, Flags: [ignore if unknown]
+ Unknown TLV (0x3030), length: 4, Flags: [ignore and don't forward if unknown]
+ 0x0000: 3030 3030
+ IPv4 Transport Address TLV (0x0401), length: 4, Flags: [ignore and don't forward if unknown] [|ldp]
diff --git a/tests/ldp_tlv_print-oobr.pcap b/tests/ldp_tlv_print-oobr.pcap
new file mode 100644
index 00000000..9ec507c0
Binary files /dev/null and b/tests/ldp_tlv_print-oobr.pcap differ