From owner-svn-src-head@FreeBSD.ORG Sat Jan 31 16:34:40 2015 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 71D25AAB; Sat, 31 Jan 2015 16:34:40 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5DA50F30; Sat, 31 Jan 2015 16:34:40 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t0VGYeA7067288; Sat, 31 Jan 2015 16:34:40 GMT (envelope-from pfg@FreeBSD.org) Received: (from pfg@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t0VGYdLc067286; Sat, 31 Jan 2015 16:34:39 GMT (envelope-from pfg@FreeBSD.org) Message-Id: <201501311634.t0VGYdLc067286@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: pfg set sender to pfg@FreeBSD.org using -f From: "Pedro F. Giffuni" Date: Sat, 31 Jan 2015 16:34:39 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r277982 - head/contrib/tcpdump X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 31 Jan 2015 16:34:40 -0000 Author: pfg Date: Sat Jan 31 16:34:39 2015 New Revision: 277982 URL: https://svnweb.freebsd.org/changeset/base/277982 Log: MFV r277981: Upstream fixes for issues found with afl (Issue #417). - Fix length checking. Check both the captured length and the on-the-wire length (the latter *should* be greater than or equal to the former, but that's not guaranteed). Add some additional length checks, so neither caplen nor length underflow. If we stop dissecting because the packet is too short, return 1, not 0, as we've "dissected" what we can; 0 means "this is LLC+SNAP with an OUI of 0 and an unknown Ethertype". commit: 743bcecdc92f88b118ec7aac4f68b606601205cc - Clean up length checks. Check only the amount of length that matters at any given point; yes, this means we do multiple checks, but so it goes. We don't need to check for LLC+SNAP - llc_print() does that for us. We do, however, need to check to make sure we can safely skip the Fore header. commit: 5c65e7532fa16308e01299988852b0dc5b027559 Modified: head/contrib/tcpdump/print-atm.c head/contrib/tcpdump/print-llc.c Directory Properties: head/contrib/tcpdump/ (props changed) Modified: head/contrib/tcpdump/print-atm.c ============================================================================== --- head/contrib/tcpdump/print-atm.c Sat Jan 31 16:26:21 2015 (r277981) +++ head/contrib/tcpdump/print-atm.c Sat Jan 31 16:34:39 2015 (r277982) @@ -167,7 +167,7 @@ atm_if_print(netdissect_options *ndo, uint32_t llchdr; u_int hdrlen = 0; - if (caplen < 8) { + if (caplen < 1 || length < 1) { ND_PRINT((ndo, "%s", tstr)); return (caplen); } @@ -181,6 +181,15 @@ atm_if_print(netdissect_options *ndo, } /* + * Must have at least a DSAP, an SSAP, and the first byte of the + * control field. + */ + if (caplen < 3 || length < 3) { + ND_PRINT((ndo, "%s", tstr)); + return (caplen); + } + + /* * Extract the presumed LLC header into a variable, for quick * testing. * Then check for a header that's neither a header for a SNAP @@ -207,6 +216,10 @@ atm_if_print(netdissect_options *ndo, * packets? If so, could it be changed to use a * new DLT_IEEE802_6 value if we added it? */ + if (caplen < 20 || length < 20) { + ND_PRINT((ndo, "%s", tstr)); + return (caplen); + } if (ndo->ndo_eflag) ND_PRINT((ndo, "%08x%08x %08x%08x ", EXTRACT_32BITS(p), Modified: head/contrib/tcpdump/print-llc.c ============================================================================== --- head/contrib/tcpdump/print-llc.c Sat Jan 31 16:26:21 2015 (r277981) +++ head/contrib/tcpdump/print-llc.c Sat Jan 31 16:34:39 2015 (r277982) @@ -153,10 +153,10 @@ llc_print(netdissect_options *ndo, const *extracted_ethertype = 0; - if (caplen < 3) { + if (caplen < 3 || length < 3) { ND_PRINT((ndo, "[|llc]")); ND_DEFAULTPRINT((u_char *)p, caplen); - return(0); + return (1); } dsap_field = *p; @@ -179,10 +179,10 @@ llc_print(netdissect_options *ndo, const * The control field in I and S frames is * 2 bytes... */ - if (caplen < 4) { + if (caplen < 4 || length < 4) { ND_PRINT((ndo, "[|llc]")); ND_DEFAULTPRINT((u_char *)p, caplen); - return(0); + return (1); } /* @@ -242,6 +242,11 @@ llc_print(netdissect_options *ndo, const if (ssap == LLCSAP_IP && dsap == LLCSAP_IP && control == LLC_UI) { + if (caplen < 4 || length < 4) { + ND_PRINT((ndo, "[|llc]")); + ND_DEFAULTPRINT((u_char *)p, caplen); + return (1); + } ip_print(ndo, p+4, length-4); return (1); } @@ -370,6 +375,8 @@ snap_print(netdissect_options *ndo, cons register int ret; ND_TCHECK2(*p, 5); + if (caplen < 5 || length < 5) + goto trunc; orgcode = EXTRACT_24BITS(p); et = EXTRACT_16BITS(p + 3);