From: Denis Ovsienko
Date: Tue, 1 Nov 2016 17:05:01 +0000 (+0000)
Subject: TCP: put TCP-AO option decoding right
X-Git-Tag: tcpdump-4.9.0-bp~127
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/87dba333228b638fa7d3a60197f8ab8c82743043

TCP: put TCP-AO option decoding right

As it was correctly pointed out in GitHub issue #516, the TCPOPT_TCPAO (formerly TCPOPT_AUTH) case had an issue with option length processing, though without significant consequences thanks to a check elsewhere. Besides that, the old code (introduced in 2005) decoded a structure similar to a proposed encoding variant of the early (first published in 2007) revisions of the Internet-Draft but different from the encoding of RFC 5925 (published in 2010). These issues are now addressed and the TCP option renamed to TCP-AO.
---
diff --git a/print-tcp.c b/print-tcp.c
index 35b18492..61fb93e6 100644
--- a/print-tcp.c
+++ b/print-tcp.c
@@ -129,7 +129,7 @@ static const struct tok tcp_option_values[] = {
 { TCPOPT_SIGNATURE, "md5" },
 { TCPOPT_SCPS, "scps" },
 { TCPOPT_UTO, "uto" },
- { TCPOPT_AUTH, "enhanced auth" },
+ { TCPOPT_TCPAO, "tcp-ao" },
 { TCPOPT_MPTCP, "mptcp" },
 { TCPOPT_FASTOPEN, "tfo" },
 { TCPOPT_EXPERIMENT2, "exp" },
@@ -544,16 +544,26 @@ tcp_print(netdissect_options *ndo,
 ND_PRINT((ndo, " cap %02x id %u", cp[0], cp[1]));
 break;
- case TCPOPT_AUTH:
- ND_PRINT((ndo, " keyid %d", *cp++));
- datalen = len - 3;
- for (i = 0; i < datalen; ++i) {
- LENCHECK(i);
- ND_PRINT((ndo, "%02x", cp[i]));
+ case TCPOPT_TCPAO:
+ datalen = len - 2;
+ LENCHECK(datalen);
+ /* RFC 5925 Section 2.2:
+ * "The Length value MUST be greater than or equal to 4."
+ * (This includes the Kind and Length fields already processed
+ * at this point.)
+ */
+ if (datalen < 2) {
+ ND_PRINT((ndo, " invalid"));
+ } else {
+ ND_PRINT((ndo, " keyid %u rnextkeyid %u", cp[0], cp[1]));
+ if (datalen > 2) {
+ ND_PRINT((ndo, " mac "));
+ for (i = 2; i < datalen; i++)
+ ND_PRINT((ndo, "%02x", cp[i]));
+ }
 }
 break;
-
 case TCPOPT_EOL:
 case TCPOPT_NOP:
 case TCPOPT_SACKOK:
diff --git a/tcp.h b/tcp.h
index 1084db9a..912b5e82 100644
--- a/tcp.h
+++ b/tcp.h
@@ -84,7 +84,7 @@ struct tcphdr {
 #define TCPOPT_SCPS 20 /* SCPS-TP (CCSDS 714.0-B-2) */
 #define TCPOPT_UTO 28 /* tcp user timeout (rfc5482) */
 #define TCPOLEN_UTO 4
-#define TCPOPT_AUTH 29 /* Enhanced AUTH option (rfc5925) */
+#define TCPOPT_TCPAO 29 /* TCP authentication option (rfc5925) */
 #define TCPOPT_MPTCP 30 /* MPTCP options */
 #define TCPOPT_FASTOPEN 34 /* TCP Fast Open (rfc7413) */
 #define TCPOPT_EXPERIMENT2 254 /* experimental headers (rfc4727) */
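Review bot: The reads of `cp[0]`, `cp[1]` and `cp[i]` in the new `TCPOPT_TCPAO` case are bounded only by `LENCHECK(datalen)` and by whatever validates `len` before the switch, and neither is visible in this hunk, so the bounds argument deserves a comment next to the code. If `datalen` is unsigned (its declaration is outside the hunk), `len - 2` would wrap for a Length of 0 or 1, which is presumably the "check elsewhere" the commit message relies on. After confirming both guards, I would add above `datalen = len - 2;` the comment `/* len >= 2 was checked when the Length byte was read; LENCHECK bounds cp[0..datalen-1] */`. A regression capture covering Length 2 and 3 and a MAC cut short by the capture length would pin the new `invalid` and `mac` paths. tcp_print's body starts and ends outside the hunk.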