diff options
| author |   canacar <canacar@openbsd.org> | 2016-03-29 04:07:50 +0000 |
|---|---|---|
| committer | canacar <canacar@openbsd.org> | 2016-03-29 04:07:50 +0000 |
| commit | a91cddbcc8eb62526f3925e5a44c18fea4dae592 (patch) | |
| tree | 5f98732730da228996607795e91cd554280344bd | |
| parent | Enable bytgpio(4) here as well. (diff) | |
| download | wireguard-openbsd-a91cddbcc8eb62526f3925e5a44c18fea4dae592.tar.xz wireguard-openbsd-a91cddbcc8eb62526f3925e5a44c18fea4dae592.zip | |
Properly check for the end of captured packet while printing CDP packets.
ok deraadt@
| -rw-r--r-- | usr.sbin/tcpdump/print-cdp.c | 46 |
1 files changed, 37 insertions, 9 deletions
diff --git a/usr.sbin/tcpdump/print-cdp.c b/usr.sbin/tcpdump/print-cdp.c index 9af884697b0..4a2586e50e7 100644 --- a/usr.sbin/tcpdump/print-cdp.c +++ b/usr.sbin/tcpdump/print-cdp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: print-cdp.c,v 1.5 2015/01/16 06:40:21 deraadt Exp $ */ +/* $OpenBSD: print-cdp.c,v 1.6 2016/03/29 04:07:50 canacar Exp $ */ /* * Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997 @@ -39,7 +39,7 @@ #include "addrtoname.h" #include "extract.h" /* must come after interface.h */ -void cdp_print_addr(const u_char * p, int l); +int cdp_print_addr(const u_char * p, int l); void cdp_print_prefixes(const u_char * p, int l); /* @@ -65,7 +65,7 @@ cdp_print(const u_char *p, u_int length, u_int caplen, while (i < length) { if (i + 4 > caplen) { - printf("[!cdp]"); + printf("[|cdp]"); return; } @@ -75,8 +75,11 @@ cdp_print(const u_char *p, u_int length, u_int caplen, if (vflag) printf(" %02x/%02x", type, len); + if (len < 4) + goto error; + if (i+len > caplen) { - printf("[!cdp]"); + printf("[|cdp]"); return; } @@ -86,12 +89,15 @@ cdp_print(const u_char *p, u_int length, u_int caplen, break; case 0x02: printf(" Addr"); - cdp_print_addr(p + i + 4, len - 4); + if (cdp_print_addr(p + i + 4, len - 4)) + goto error; break; case 0x03: printf(" PortID '%.*s'", len - 4, p + i + 4); break; case 0x04: + if (len < 8) + goto error; printf(" CAP 0x%02x", (unsigned) p[i+7]); break; case 0x05: @@ -110,9 +116,13 @@ cdp_print(const u_char *p, u_int length, u_int caplen, printf(" VTP-Management-Domain '%.*s'", len-4, p+i+4 ); break; case 0x0a: /* guess - not documented */ + if (len < 6) + goto error; printf(" Native-VLAN-ID %d", (p[i+4]<<8) + p[i+4+1] - 1 ); break; case 0x0b: /* guess - not documented */ + if (len < 5) + goto error; printf(" Duplex %s", p[i+4] ? "full": "half" ); break; default: @@ -124,42 +134,59 @@ cdp_print(const u_char *p, u_int length, u_int caplen, break; i += len; } +error: + printf("[!cdp]"); } -void +#define CDP_CHECK_ACCESS(p, s) if ((endp - (p)) < (s)) return 1 + +int cdp_print_addr(const u_char * p, int l) { - int pl, al, num; + int pl, pt, al, num; const u_char * endp = p+l; + CDP_CHECK_ACCESS(p, 4); num = (p[0] << 24) + (p[1]<<16) + (p[2]<<8)+ p[3]; p+=4; printf(" (%d): ", num); while(p < endp && num >= 0) { + CDP_CHECK_ACCESS(p, 2); + pt=*p; pl=*(p+1); p+=2; + CDP_CHECK_ACCESS(p, 3); /* special case: IPv4, protocol type=0xcc, addr. length=4 */ if (pl == 1 && *p == 0xcc && p[1] == 0 && p[2] == 4) { p+=3; + CDP_CHECK_ACCESS(p, 4); printf("IPv4 %d.%d.%d.%d ", p[0], p[1], p[2], p[3]); p+=4; } else { /* generic case: just print raw data */ - printf("pt=0x%02x, pl=%d, pb=", *(p-2), pl); + printf("pt=0x%02x, pl=%d, pb=", pt, pl); + + CDP_CHECK_ACCESS(p, pl); while(pl-- > 0) printf(" %02x", *p++); + + CDP_CHECK_ACCESS(p, 2); al=(*p << 8) + *(p+1); printf(", al=%d, a=", al); p+=2; + + CDP_CHECK_ACCESS(p, al); while(al-- > 0) printf(" %02x", *p++); } printf(" "); num--; } + + return 0; } @@ -169,7 +196,8 @@ cdp_print_prefixes(const u_char * p, int l) printf(" IPv4 Prefixes (%d):", l/5); while (l > 0) { - printf(" %d.%d.%d.%d/%d", p[0], p[1], p[2], p[3], p[4] ); + if (l >= 5) + printf(" %d.%d.%d.%d/%d", p[0], p[1], p[2], p[3], p[4] ); l-=5; p+=5; } } |