freebsd-dev/contrib/tcpdump/print-ip6.c
Ed Maste 0bff6a5af8 Update tcpdump to 4.9.2
It contains many fixes, including bounds checking, buffer overflows (in
SLIP and bittok2str_internal), buffer over-reads, and infinite loops.

One other notable change:
  Do not use getprotobynumber() for protocol name resolution.
  Do not do any protocol name resolution if -n is specified.

Submitted by:	gordon
Reviewed by:	delphij, emaste, glebius
MFC after:	1 week
Relnotes:	Yes
Security:	CVE-2017-11108, CVE-2017-11541, CVE-2017-11542
Security:	CVE-2017-11543, CVE-2017-12893, CVE-2017-12894
Security:	CVE-2017-12895, CVE-2017-12896, CVE-2017-12897
Security:	CVE-2017-12898, CVE-2017-12899, CVE-2017-12900
Security:	CVE-2017-12901, CVE-2017-12902, CVE-2017-12985
Security:	CVE-2017-12986, CVE-2017-12987, CVE-2017-12988
Security:	CVE-2017-12989, CVE-2017-12990, CVE-2017-12991
Security:	CVE-2017-12992, CVE-2017-12993, CVE-2017-12994
Security:	CVE-2017-12995, CVE-2017-12996, CVE-2017-12997
Security:	CVE-2017-12998, CVE-2017-12999, CVE-2017-13000
Security:	CVE-2017-13001, CVE-2017-13002, CVE-2017-13003
Security:	CVE-2017-13004, CVE-2017-13005, CVE-2017-13006
Security:	CVE-2017-13007, CVE-2017-13008, CVE-2017-13009
Security:	CVE-2017-13010, CVE-2017-13011, CVE-2017-13012
Security:	CVE-2017-13013, CVE-2017-13014, CVE-2017-13015
Security:	CVE-2017-13016, CVE-2017-13017, CVE-2017-13018
Security:	CVE-2017-13019, CVE-2017-13020, CVE-2017-13021
Security:	CVE-2017-13022, CVE-2017-13023, CVE-2017-13024
Security:	CVE-2017-13025, CVE-2017-13026, CVE-2017-13027
Security:	CVE-2017-13028, CVE-2017-13029, CVE-2017-13030
Security:	CVE-2017-13031, CVE-2017-13032, CVE-2017-13033
Security:	CVE-2017-13034, CVE-2017-13035, CVE-2017-13036
Security:	CVE-2017-13037, CVE-2017-13038, CVE-2017-13039
Security:	CVE-2017-13040, CVE-2017-13041, CVE-2017-13042
Security:	CVE-2017-13043, CVE-2017-13044, CVE-2017-13045
Security:	CVE-2017-13046, CVE-2017-13047, CVE-2017-13048
Security:	CVE-2017-13049, CVE-2017-13050, CVE-2017-13051
Security:	CVE-2017-13052, CVE-2017-13053, CVE-2017-13054
Security:	CVE-2017-13055, CVE-2017-13687, CVE-2017-13688
Security:	CVE-2017-13689, CVE-2017-13690, CVE-2017-13725
Differential Revision:	https://reviews.freebsd.org/D12404
2017-12-06 02:21:11 +00:00

424 lines
11 KiB
C

/*
* Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that: (1) source code distributions
* retain the above copyright notice and this paragraph in its entirety, (2)
* distributions including binary code include the above copyright notice and
* this paragraph in its entirety in the documentation or other materials
* provided with the distribution, and (3) all advertising materials mentioning
* features or use of this software display the following acknowledgement:
* ``This product includes software developed by the University of California,
* Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
* the University nor the names of its contributors may be used to endorse
* or promote products derived from this software without specific prior
* written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
/* \summary: IPv6 printer */
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <netdissect-stdinc.h>
#include <string.h>
#include "netdissect.h"
#include "addrtoname.h"
#include "extract.h"
#include "ip6.h"
#include "ipproto.h"
/*
* If routing headers are presend and valid, set dst to the final destination.
* Otherwise, set it to the IPv6 destination.
*
* This is used for UDP and TCP pseudo-header in the checksum
* calculation.
*/
static void
ip6_finddst(netdissect_options *ndo, struct in6_addr *dst,
const struct ip6_hdr *ip6)
{
const u_char *cp;
int advance;
u_int nh;
const struct in6_addr *dst_addr;
const struct ip6_rthdr *dp;
const struct ip6_rthdr0 *dp0;
const struct in6_addr *addr;
int i, len;
cp = (const u_char *)ip6;
advance = sizeof(struct ip6_hdr);
nh = ip6->ip6_nxt;
dst_addr = &ip6->ip6_dst;
while (cp < ndo->ndo_snapend) {
cp += advance;
switch (nh) {
case IPPROTO_HOPOPTS:
case IPPROTO_DSTOPTS:
case IPPROTO_MOBILITY_OLD:
case IPPROTO_MOBILITY:
/*
* These have a header length byte, following
* the next header byte, giving the length of
* the header, in units of 8 octets, excluding
* the first 8 octets.
*/
ND_TCHECK2(*cp, 2);
advance = (int)((*(cp + 1) + 1) << 3);
nh = *cp;
break;
case IPPROTO_FRAGMENT:
/*
* The byte following the next header byte is
* marked as reserved, and the header is always
* the same size.
*/
ND_TCHECK2(*cp, 1);
advance = sizeof(struct ip6_frag);
nh = *cp;
break;
case IPPROTO_ROUTING:
/*
* OK, we found it.
*/
dp = (const struct ip6_rthdr *)cp;
ND_TCHECK(*dp);
len = dp->ip6r_len;
switch (dp->ip6r_type) {
case IPV6_RTHDR_TYPE_0:
case IPV6_RTHDR_TYPE_2: /* Mobile IPv6 ID-20 */
dp0 = (const struct ip6_rthdr0 *)dp;
if (len % 2 == 1)
goto trunc;
len >>= 1;
addr = &dp0->ip6r0_addr[0];
for (i = 0; i < len; i++) {
if ((const u_char *)(addr + 1) > ndo->ndo_snapend)
goto trunc;
dst_addr = addr;
addr++;
}
break;
default:
break;
}
/*
* Only one routing header to a customer.
*/
goto done;
case IPPROTO_AH:
case IPPROTO_ESP:
case IPPROTO_IPCOMP:
default:
/*
* AH and ESP are, in the RFCs that describe them,
* described as being "viewed as an end-to-end
* payload" "in the IPv6 context, so that they
* "should appear after hop-by-hop, routing, and
* fragmentation extension headers". We assume
* that's the case, and stop as soon as we see
* one. (We can't handle an ESP header in
* the general case anyway, as its length depends
* on the encryption algorithm.)
*
* IPComp is also "viewed as an end-to-end
* payload" "in the IPv6 context".
*
* All other protocols are assumed to be the final
* protocol.
*/
goto done;
}
}
done:
trunc:
UNALIGNED_MEMCPY(dst, dst_addr, sizeof(struct in6_addr));
}
/*
* Compute a V6-style checksum by building a pseudoheader.
*/
int
nextproto6_cksum(netdissect_options *ndo,
const struct ip6_hdr *ip6, const uint8_t *data,
u_int len, u_int covlen, u_int next_proto)
{
struct {
struct in6_addr ph_src;
struct in6_addr ph_dst;
uint32_t ph_len;
uint8_t ph_zero[3];
uint8_t ph_nxt;
} ph;
struct cksum_vec vec[2];
/* pseudo-header */
memset(&ph, 0, sizeof(ph));
UNALIGNED_MEMCPY(&ph.ph_src, &ip6->ip6_src, sizeof (struct in6_addr));
switch (ip6->ip6_nxt) {
case IPPROTO_HOPOPTS:
case IPPROTO_DSTOPTS:
case IPPROTO_MOBILITY_OLD:
case IPPROTO_MOBILITY:
case IPPROTO_FRAGMENT:
case IPPROTO_ROUTING:
/*
* The next header is either a routing header or a header
* after which there might be a routing header, so scan
* for a routing header.
*/
ip6_finddst(ndo, &ph.ph_dst, ip6);
break;
default:
UNALIGNED_MEMCPY(&ph.ph_dst, &ip6->ip6_dst, sizeof (struct in6_addr));
break;
}
ph.ph_len = htonl(len);
ph.ph_nxt = next_proto;
vec[0].ptr = (const uint8_t *)(void *)&ph;
vec[0].len = sizeof(ph);
vec[1].ptr = data;
vec[1].len = covlen;
return in_cksum(vec, 2);
}
/*
* print an IP6 datagram.
*/
void
ip6_print(netdissect_options *ndo, const u_char *bp, u_int length)
{
register const struct ip6_hdr *ip6;
register int advance;
u_int len;
const u_char *ipend;
register const u_char *cp;
register u_int payload_len;
int nh;
int fragmented = 0;
u_int flow;
ip6 = (const struct ip6_hdr *)bp;
ND_TCHECK(*ip6);
if (length < sizeof (struct ip6_hdr)) {
ND_PRINT((ndo, "truncated-ip6 %u", length));
return;
}
if (!ndo->ndo_eflag)
ND_PRINT((ndo, "IP6 "));
if (IP6_VERSION(ip6) != 6) {
ND_PRINT((ndo,"version error: %u != 6", IP6_VERSION(ip6)));
return;
}
payload_len = EXTRACT_16BITS(&ip6->ip6_plen);
len = payload_len + sizeof(struct ip6_hdr);
if (length < len)
ND_PRINT((ndo, "truncated-ip6 - %u bytes missing!",
len - length));
if (ndo->ndo_vflag) {
flow = EXTRACT_32BITS(&ip6->ip6_flow);
ND_PRINT((ndo, "("));
#if 0
/* rfc1883 */
if (flow & 0x0f000000)
ND_PRINT((ndo, "pri 0x%02x, ", (flow & 0x0f000000) >> 24));
if (flow & 0x00ffffff)
ND_PRINT((ndo, "flowlabel 0x%06x, ", flow & 0x00ffffff));
#else
/* RFC 2460 */
if (flow & 0x0ff00000)
ND_PRINT((ndo, "class 0x%02x, ", (flow & 0x0ff00000) >> 20));
if (flow & 0x000fffff)
ND_PRINT((ndo, "flowlabel 0x%05x, ", flow & 0x000fffff));
#endif
ND_PRINT((ndo, "hlim %u, next-header %s (%u) payload length: %u) ",
ip6->ip6_hlim,
tok2str(ipproto_values,"unknown",ip6->ip6_nxt),
ip6->ip6_nxt,
payload_len));
}
/*
* Cut off the snapshot length to the end of the IP payload.
*/
ipend = bp + len;
if (ipend < ndo->ndo_snapend)
ndo->ndo_snapend = ipend;
cp = (const u_char *)ip6;
advance = sizeof(struct ip6_hdr);
nh = ip6->ip6_nxt;
while (cp < ndo->ndo_snapend && advance > 0) {
if (len < (u_int)advance)
goto trunc;
cp += advance;
len -= advance;
if (cp == (const u_char *)(ip6 + 1) &&
nh != IPPROTO_TCP && nh != IPPROTO_UDP &&
nh != IPPROTO_DCCP && nh != IPPROTO_SCTP) {
ND_PRINT((ndo, "%s > %s: ", ip6addr_string(ndo, &ip6->ip6_src),
ip6addr_string(ndo, &ip6->ip6_dst)));
}
switch (nh) {
case IPPROTO_HOPOPTS:
advance = hbhopt_print(ndo, cp);
if (advance < 0)
return;
nh = *cp;
break;
case IPPROTO_DSTOPTS:
advance = dstopt_print(ndo, cp);
if (advance < 0)
return;
nh = *cp;
break;
case IPPROTO_FRAGMENT:
advance = frag6_print(ndo, cp, (const u_char *)ip6);
if (advance < 0 || ndo->ndo_snapend <= cp + advance)
return;
nh = *cp;
fragmented = 1;
break;
case IPPROTO_MOBILITY_OLD:
case IPPROTO_MOBILITY:
/*
* XXX - we don't use "advance"; RFC 3775 says that
* the next header field in a mobility header
* should be IPPROTO_NONE, but speaks of
* the possiblity of a future extension in
* which payload can be piggybacked atop a
* mobility header.
*/
advance = mobility_print(ndo, cp, (const u_char *)ip6);
if (advance < 0)
return;
nh = *cp;
return;
case IPPROTO_ROUTING:
ND_TCHECK(*cp);
advance = rt6_print(ndo, cp, (const u_char *)ip6);
if (advance < 0)
return;
nh = *cp;
break;
case IPPROTO_SCTP:
sctp_print(ndo, cp, (const u_char *)ip6, len);
return;
case IPPROTO_DCCP:
dccp_print(ndo, cp, (const u_char *)ip6, len);
return;
case IPPROTO_TCP:
tcp_print(ndo, cp, len, (const u_char *)ip6, fragmented);
return;
case IPPROTO_UDP:
udp_print(ndo, cp, len, (const u_char *)ip6, fragmented);
return;
case IPPROTO_ICMPV6:
icmp6_print(ndo, cp, len, (const u_char *)ip6, fragmented);
return;
case IPPROTO_AH:
advance = ah_print(ndo, cp);
if (advance < 0)
return;
nh = *cp;
break;
case IPPROTO_ESP:
{
int enh, padlen;
advance = esp_print(ndo, cp, len, (const u_char *)ip6, &enh, &padlen);
if (advance < 0)
return;
nh = enh & 0xff;
len -= padlen;
break;
}
case IPPROTO_IPCOMP:
{
ipcomp_print(ndo, cp);
/*
* Either this has decompressed the payload and
* printed it, in which case there's nothing more
* to do, or it hasn't, in which case there's
* nothing more to do.
*/
advance = -1;
break;
}
case IPPROTO_PIM:
pim_print(ndo, cp, len, (const u_char *)ip6);
return;
case IPPROTO_OSPF:
ospf6_print(ndo, cp, len);
return;
case IPPROTO_IPV6:
ip6_print(ndo, cp, len);
return;
case IPPROTO_IPV4:
ip_print(ndo, cp, len);
return;
case IPPROTO_PGM:
pgm_print(ndo, cp, len, (const u_char *)ip6);
return;
case IPPROTO_GRE:
gre_print(ndo, cp, len);
return;
case IPPROTO_RSVP:
rsvp_print(ndo, cp, len);
return;
case IPPROTO_NONE:
ND_PRINT((ndo, "no next header"));
return;
default:
ND_PRINT((ndo, "ip-proto-%d %d", nh, len));
return;
}
}
return;
trunc:
ND_PRINT((ndo, "[|ip6]"));
}