Can E. Acar wrote: > The crashes you posted to icb recently > (https://www.sccs.swarthmore.edu/users/16/mmcconv1/dump/tcpdump-crashes/) > are related to print-cdp.c where the bounds checks are missing/broken. > > The attached diff seems to fix the issues.
canacar@ asked me to forward this to the list. It makes sense to me, but it needs review by someone with more knowledge of tcpdump's woeful ways of buffer handling. Index: print-cdp.c =================================================================== RCS file: /cvs/src/usr.sbin/tcpdump/print-cdp.c,v retrieving revision 1.5 diff -u -p -u -p -r1.5 print-cdp.c --- print-cdp.c 16 Jan 2015 06:40:21 -0000 1.5 +++ print-cdp.c 28 Jan 2016 05:22:51 -0000 @@ -65,7 +65,7 @@ cdp_print(const u_char *p, u_int length, while (i < length) { if (i + 4 > caplen) { - printf("[!cdp]"); + printf("[|cdp]"); return; } @@ -75,8 +75,11 @@ cdp_print(const u_char *p, u_int length, if (vflag) printf(" %02x/%02x", type, len); + if (len < 4) + goto error; + if (i+len > caplen) { - printf("[!cdp]"); + printf("[|cdp]"); return; } @@ -92,6 +95,8 @@ cdp_print(const u_char *p, u_int length, printf(" PortID '%.*s'", len - 4, p + i + 4); break; case 0x04: + if (len < 7) + goto error; printf(" CAP 0x%02x", (unsigned) p[i+7]); break; case 0x05: @@ -110,6 +115,8 @@ cdp_print(const u_char *p, u_int length, printf(" VTP-Management-Domain '%.*s'", len-4, p+i+4 ); break; case 0x0a: /* guess - not documented */ + if (len < 5) + goto error; printf(" Native-VLAN-ID %d", (p[i+4]<<8) + p[i+4+1] - 1 ); break; case 0x0b: /* guess - not documented */ @@ -124,6 +131,9 @@ cdp_print(const u_char *p, u_int length, break; i += len; } + return; +error: + printf("[!cdp]"); } void @@ -137,13 +147,20 @@ cdp_print_addr(const u_char * p, int l) printf(" (%d): ", num); - while(p < endp && num >= 0) { + while(num >= 0) { + if (p + 1 >= endp) + break; pl=*(p+1); p+=2; + if (p + l + 2 >= endp) + break; + /* special case: IPv4, protocol type=0xcc, addr. length=4 */ if (pl == 1 && *p == 0xcc && p[1] == 0 && p[2] == 4) { p+=3; + if (p + 4 >= endp) + break; printf("IPv4 %d.%d.%d.%d ", p[0], p[1], p[2], p[3]); p+=4; @@ -154,6 +171,8 @@ cdp_print_addr(const u_char * p, int l) al=(*p << 8) + *(p+1); printf(", al=%d, a=", al); p+=2; + if (p + al >= endp) + break; while(al-- > 0) printf(" %02x", *p++); } @@ -169,7 +188,8 @@ cdp_print_prefixes(const u_char * p, int printf(" IPv4 Prefixes (%d):", l/5); while (l > 0) { - printf(" %d.%d.%d.%d/%d", p[0], p[1], p[2], p[3], p[4] ); + if (l >= 5) + printf(" %d.%d.%d.%d/%d", p[0], p[1], p[2], p[3], p[4] ); l-=5; p+=5; } }