Here is a new version of the diff that fixes the CDP printer in tcpdump.
(https://www.sccs.swarthmore.edu/users/16/mmcconv1/dump/tcpdump-crashes/)
With this change the code does not access outside the packet anymore
but it would be nice if it could be tested on a network with real CDP
(Cisco Discovery Protocol) packets to see if there is any change in the
output. Error checking may have become too aggressive.
Thanks,
Can
Index: print-cdp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-cdp.c,v
retrieving revision 1.5
diff -u -p -u -p -r1.5 print-cdp.c
--- print-cdp.c 16 Jan 2015 06:40:21 -0000 1.5
+++ print-cdp.c 23 Mar 2016 06:09:31 -0000
@@ -39,7 +39,7 @@
#include "addrtoname.h"
#include "extract.h" /* must come after interface.h */
-void cdp_print_addr(const u_char * p, int l);
+int cdp_print_addr(const u_char * p, int l);
void cdp_print_prefixes(const u_char * p, int l);
/*
@@ -65,7 +65,7 @@ cdp_print(const u_char *p, u_int length,
while (i < length) {
if (i + 4 > caplen) {
- printf("[!cdp]");
+ printf("[|cdp]");
return;
}
@@ -75,8 +75,11 @@ cdp_print(const u_char *p, u_int length,
if (vflag)
printf(" %02x/%02x", type, len);
+ if (len < 4)
+ goto error;
+
if (i+len > caplen) {
- printf("[!cdp]");
+ printf("[|cdp]");
return;
}
@@ -86,12 +89,15 @@ cdp_print(const u_char *p, u_int length,
break;
case 0x02:
printf(" Addr");
- cdp_print_addr(p + i + 4, len - 4);
+ if (cdp_print_addr(p + i + 4, len - 4))
+ goto error;
break;
case 0x03:
printf(" PortID '%.*s'", len - 4, p + i + 4);
break;
case 0x04:
+ if (len < 8)
+ goto error;
printf(" CAP 0x%02x", (unsigned) p[i+7]);
break;
case 0x05:
@@ -110,9 +116,13 @@ cdp_print(const u_char *p, u_int length,
printf(" VTP-Management-Domain '%.*s'", len-4, p+i+4 );
break;
case 0x0a: /* guess - not documented */
+ if (len < 6)
+ goto error;
printf(" Native-VLAN-ID %d", (p[i+4]<<8) + p[i+4+1] - 1
);
break;
case 0x0b: /* guess - not documented */
+ if (len < 5)
+ goto error;
printf(" Duplex %s", p[i+4] ? "full": "half" );
break;
default:
@@ -124,42 +134,59 @@ cdp_print(const u_char *p, u_int length,
break;
i += len;
}
+error:
+ printf("[!cdp]");
}
-void
+#define CDP_CHECK_ACCESS(p, s) if ((endp - (p)) < (s)) return 1
+
+int
cdp_print_addr(const u_char * p, int l)
{
- int pl, al, num;
+ int pl, pt, al, num;
const u_char * endp = p+l;
+ CDP_CHECK_ACCESS(p, 4);
num = (p[0] << 24) + (p[1]<<16) + (p[2]<<8)+ p[3];
p+=4;
printf(" (%d): ", num);
while(p < endp && num >= 0) {
+ CDP_CHECK_ACCESS(p, 2);
+ pt=*p;
pl=*(p+1);
p+=2;
+ CDP_CHECK_ACCESS(p, 3);
/* special case: IPv4, protocol type=0xcc, addr. length=4 */
if (pl == 1 && *p == 0xcc && p[1] == 0 && p[2] == 4) {
p+=3;
+ CDP_CHECK_ACCESS(p, 4);
printf("IPv4 %d.%d.%d.%d ", p[0], p[1], p[2], p[3]);
p+=4;
} else { /* generic case: just print raw data */
- printf("pt=0x%02x, pl=%d, pb=", *(p-2), pl);
+ printf("pt=0x%02x, pl=%d, pb=", pt, pl);
+
+ CDP_CHECK_ACCESS(p, pl);
while(pl-- > 0)
printf(" %02x", *p++);
+
+ CDP_CHECK_ACCESS(p, 2);
al=(*p << 8) + *(p+1);
printf(", al=%d, a=", al);
p+=2;
+
+ CDP_CHECK_ACCESS(p, al);
while(al-- > 0)
printf(" %02x", *p++);
}
printf(" ");
num--;
}
+
+ return 0;
}
@@ -169,7 +196,8 @@ cdp_print_prefixes(const u_char * p, int
printf(" IPv4 Prefixes (%d):", l/5);
while (l > 0) {
- printf(" %d.%d.%d.%d/%d", p[0], p[1], p[2], p[3], p[4] );
+ if (l >= 5)
+ printf(" %d.%d.%d.%d/%d", p[0], p[1], p[2], p[3], p[4]
);
l-=5; p+=5;
}
}
