From: Guy Harris <gharris@sonic.net>
Date: Wed, 28 Aug 2024 07:09:46 +0000 (-0700)
Subject: msdp: do some additional bounds checks.
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/66b6e1e05fc355052b34c8f3635bb696cd18f986

msdp: do some additional bounds checks.

Make sure we don't run past either 1) the end of the packet data (using
ND_TCHECK_LEN() for fields we don't fetch and print) or 2) the end of
the TLV (with a check of length before fetching the T and L, and checks
of L before fetching any further data).

Don't advance sp past the T and L, or decrement length for the T and L,
before parsing the V, so we don't have to subtract 3 from sp in some
cases.

Add some comments.

Define ND_LONGJMP_FROM_TCHECK to do new-style checks.
---

diff --git a/print-msdp.c b/print-msdp.c
index 61a332d9..1d01233c 100644
--- a/print-msdp.c
+++ b/print-msdp.c
@@ -20,6 +20,7 @@
 
 #include <config.h>
 
+#define ND_LONGJMP_FROM_TCHECK
 #include "netdissect-stdinc.h"
 
 #include "netdissect.h"
@@ -42,6 +43,10 @@ msdp_print(netdissect_options *ndo, const u_char *sp, u_int length)
 	if (len > 1500 || len < 3 || type == 0 || type > MSDP_TYPE_MAX)
 		goto trunc;	/* not really truncated, but still not decodable */
 	while (length != 0) {
+		unsigned int entry_count;
+
+		if (length < 3)
+			goto trunc;
 		type = GET_U_1(sp);
 		len = GET_BE_U_2(sp + 1);
 		if (len > 1400 || ndo->ndo_vflag)
@@ -50,8 +55,6 @@ msdp_print(netdissect_options *ndo, const u_char *sp, u_int length)
 			goto trunc;
 		if (length < len)
 			goto trunc;
-		sp += 3;
-		length -= 3;
 		switch (type) {
 		case 1:	/* IPv4 Source-Active */
 		case 3: /* IPv4 Source-Active Response */
@@ -59,20 +62,47 @@ msdp_print(netdissect_options *ndo, const u_char *sp, u_int length)
 				ND_PRINT(" SA");
 			else
 				ND_PRINT(" SA-Response");
-			ND_PRINT(" %u entries", GET_U_1(sp));
-			if ((u_int)((GET_U_1(sp) * 12) + 8) < len) {
+
+			/* Entry Count */
+			if (len < 4)
+				goto trunc;
+			entry_count = GET_U_1(sp + 3);
+			ND_PRINT(" %u entries", entry_count);
+
+			/* RP Address */
+			if (len < 8)
+				goto trunc;
+			/* XXX -print this based on ndo_vflag? */
+			ND_TCHECK_LEN(sp + 4, 4);
+
+			/* Entries */
+			ND_TCHECK_LEN(sp + 8, entry_count*12);
+
+			if (len > (8 + entry_count*12)) {
+				/* Encapsulated IP packet */
 				ND_PRINT(" [w/data]");
 				if (ndo->ndo_vflag > 1) {
 					ND_PRINT(" ");
-					ip_print(ndo, sp +
-						 GET_U_1(sp) * 12 + 8 - 3,
-						 len - (GET_U_1(sp) * 12 + 8));
+					ip_print(ndo, sp + (8 + entry_count*12),
+					    len - (8 + entry_count*12));
 				}
 			}
 			break;
 		case 2:
+			/* draft-ietf-msdp-spec-13 */
 			ND_PRINT(" SA-Request");
-			ND_PRINT(" for %s", GET_IPADDR_STRING(sp + 1));
+
+			/* Reserved */
+			if (len < 4)
+				goto trunc;
+			ND_TCHECK_1(sp + 3);
+
+			/* Group Address */
+			if (len < 8)
+				goto trunc;
+			if (len != 8)
+				ND_PRINT("[len=%u] ", len);
+			ND_PRINT(" for %s", GET_IPADDR_STRING(sp + 4));
 			break;
 		case 4:
 			ND_PRINT(" Keepalive");
@@ -86,8 +116,9 @@ msdp_print(netdissect_options *ndo, const u_char *sp, u_int length)
 			ND_PRINT(" [type=%u len=%u]", type, len);
 			break;
 		}
-		sp += (len - 3);
-		length -= (len - 3);
+		ND_TCHECK_LEN(sp, len);
+		sp += len;
+		length -= len;
 	}
 	return;
 trunc: