Can E. Acar wrote:
> The crashes you posted to icb recently
> (https://www.sccs.swarthmore.edu/users/16/mmcconv1/dump/tcpdump-crashes/)
> are related to print-cdp.c where the bounds checks are missing/broken.
>
> The attached diff seems to fix the issues.
canacar@ asked me to forward this to the list. It makes sense to me, but
it needs review by someone with more knowledge of tcpdump's woeful ways
of buffer handling.
Index: print-cdp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-cdp.c,v
retrieving revision 1.5
diff -u -p -u -p -r1.5 print-cdp.c
--- print-cdp.c 16 Jan 2015 06:40:21 -0000 1.5
+++ print-cdp.c 28 Jan 2016 05:22:51 -0000
@@ -65,7 +65,7 @@ cdp_print(const u_char *p, u_int length,
while (i < length) {
if (i + 4 > caplen) {
- printf("[!cdp]");
+ printf("[|cdp]");
return;
}
@@ -75,8 +75,11 @@ cdp_print(const u_char *p, u_int length,
if (vflag)
printf(" %02x/%02x", type, len);
+ if (len < 4)
+ goto error;
+
if (i+len > caplen) {
- printf("[!cdp]");
+ printf("[|cdp]");
return;
}
@@ -92,6 +95,8 @@ cdp_print(const u_char *p, u_int length,
printf(" PortID '%.*s'", len - 4, p + i + 4);
break;
case 0x04:
+ if (len < 7)
+ goto error;
printf(" CAP 0x%02x", (unsigned) p[i+7]);
break;
case 0x05:
@@ -110,6 +115,8 @@ cdp_print(const u_char *p, u_int length,
printf(" VTP-Management-Domain '%.*s'", len-4, p+i+4 );
break;
case 0x0a: /* guess - not documented */
+ if (len < 5)
+ goto error;
printf(" Native-VLAN-ID %d", (p[i+4]<<8) + p[i+4+1] - 1
);
break;
case 0x0b: /* guess - not documented */
@@ -124,6 +131,9 @@ cdp_print(const u_char *p, u_int length,
break;
i += len;
}
+ return;
+error:
+ printf("[!cdp]");
}
void
@@ -137,13 +147,20 @@ cdp_print_addr(const u_char * p, int l)
printf(" (%d): ", num);
- while(p < endp && num >= 0) {
+ while(num >= 0) {
+ if (p + 1 >= endp)
+ break;
pl=*(p+1);
p+=2;
+ if (p + l + 2 >= endp)
+ break;
+
/* special case: IPv4, protocol type=0xcc, addr. length=4 */
if (pl == 1 && *p == 0xcc && p[1] == 0 && p[2] == 4) {
p+=3;
+ if (p + 4 >= endp)
+ break;
printf("IPv4 %d.%d.%d.%d ", p[0], p[1], p[2], p[3]);
p+=4;
@@ -154,6 +171,8 @@ cdp_print_addr(const u_char * p, int l)
al=(*p << 8) + *(p+1);
printf(", al=%d, a=", al);
p+=2;
+ if (p + al >= endp)
+ break;
while(al-- > 0)
printf(" %02x", *p++);
}
@@ -169,7 +188,8 @@ cdp_print_prefixes(const u_char * p, int
printf(" IPv4 Prefixes (%d):", l/5);
while (l > 0) {
- printf(" %d.%d.%d.%d/%d", p[0], p[1], p[2], p[3], p[4] );
+ if (l >= 5)
+ printf(" %d.%d.%d.%d/%d", p[0], p[1], p[2], p[3], p[4]
);
l-=5; p+=5;
}
}
