0bff6a5af8
It contains many fixes, including bounds checking, buffer overflows (in SLIP and bittok2str_internal), buffer over-reads, and infinite loops. One other notable change: Do not use getprotobynumber() for protocol name resolution. Do not do any protocol name resolution if -n is specified. Submitted by: gordon Reviewed by: delphij, emaste, glebius MFC after: 1 week Relnotes: Yes Security: CVE-2017-11108, CVE-2017-11541, CVE-2017-11542 Security: CVE-2017-11543, CVE-2017-12893, CVE-2017-12894 Security: CVE-2017-12895, CVE-2017-12896, CVE-2017-12897 Security: CVE-2017-12898, CVE-2017-12899, CVE-2017-12900 Security: CVE-2017-12901, CVE-2017-12902, CVE-2017-12985 Security: CVE-2017-12986, CVE-2017-12987, CVE-2017-12988 Security: CVE-2017-12989, CVE-2017-12990, CVE-2017-12991 Security: CVE-2017-12992, CVE-2017-12993, CVE-2017-12994 Security: CVE-2017-12995, CVE-2017-12996, CVE-2017-12997 Security: CVE-2017-12998, CVE-2017-12999, CVE-2017-13000 Security: CVE-2017-13001, CVE-2017-13002, CVE-2017-13003 Security: CVE-2017-13004, CVE-2017-13005, CVE-2017-13006 Security: CVE-2017-13007, CVE-2017-13008, CVE-2017-13009 Security: CVE-2017-13010, CVE-2017-13011, CVE-2017-13012 Security: CVE-2017-13013, CVE-2017-13014, CVE-2017-13015 Security: CVE-2017-13016, CVE-2017-13017, CVE-2017-13018 Security: CVE-2017-13019, CVE-2017-13020, CVE-2017-13021 Security: CVE-2017-13022, CVE-2017-13023, CVE-2017-13024 Security: CVE-2017-13025, CVE-2017-13026, CVE-2017-13027 Security: CVE-2017-13028, CVE-2017-13029, CVE-2017-13030 Security: CVE-2017-13031, CVE-2017-13032, CVE-2017-13033 Security: CVE-2017-13034, CVE-2017-13035, CVE-2017-13036 Security: CVE-2017-13037, CVE-2017-13038, CVE-2017-13039 Security: CVE-2017-13040, CVE-2017-13041, CVE-2017-13042 Security: CVE-2017-13043, CVE-2017-13044, CVE-2017-13045 Security: CVE-2017-13046, CVE-2017-13047, CVE-2017-13048 Security: CVE-2017-13049, CVE-2017-13050, CVE-2017-13051 Security: CVE-2017-13052, CVE-2017-13053, CVE-2017-13054 Security: CVE-2017-13055, CVE-2017-13687, CVE-2017-13688 Security: CVE-2017-13689, CVE-2017-13690, CVE-2017-13725 Differential Revision: https://reviews.freebsd.org/D12404
423 lines
9.7 KiB
C
423 lines
9.7 KiB
C
/* $OpenBSD: print-gre.c,v 1.6 2002/10/30 03:04:04 fgsch Exp $ */
|
|
|
|
/*
|
|
* Copyright (c) 2002 Jason L. Wright (jason@thought.net)
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 3. All advertising materials mentioning features or use of this software
|
|
* must display the following acknowledgement:
|
|
* This product includes software developed by Jason L. Wright
|
|
* 4. The name of the author may not be used to endorse or promote products
|
|
* derived from this software without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
* DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
|
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
|
|
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
/* \summary: Generic Routing Encapsulation (GRE) printer */
|
|
|
|
/*
|
|
* netdissect printer for GRE - Generic Routing Encapsulation
|
|
* RFC1701 (GRE), RFC1702 (GRE IPv4), and RFC2637 (Enhanced GRE)
|
|
*/
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
#include "config.h"
|
|
#endif
|
|
|
|
#include <netdissect-stdinc.h>
|
|
|
|
#include <string.h>
|
|
|
|
#include "netdissect.h"
|
|
#include "addrtostr.h"
|
|
#include "extract.h"
|
|
#include "ethertype.h"
|
|
|
|
static const char tstr[] = "[|gre]";
|
|
|
|
#define GRE_CP 0x8000 /* checksum present */
|
|
#define GRE_RP 0x4000 /* routing present */
|
|
#define GRE_KP 0x2000 /* key present */
|
|
#define GRE_SP 0x1000 /* sequence# present */
|
|
#define GRE_sP 0x0800 /* source routing */
|
|
#define GRE_RECRS 0x0700 /* recursion count */
|
|
#define GRE_AP 0x0080 /* acknowledgment# present */
|
|
|
|
static const struct tok gre_flag_values[] = {
|
|
{ GRE_CP, "checksum present"},
|
|
{ GRE_RP, "routing present"},
|
|
{ GRE_KP, "key present"},
|
|
{ GRE_SP, "sequence# present"},
|
|
{ GRE_sP, "source routing present"},
|
|
{ GRE_RECRS, "recursion count"},
|
|
{ GRE_AP, "ack present"},
|
|
{ 0, NULL }
|
|
};
|
|
|
|
#define GRE_VERS_MASK 0x0007 /* protocol version */
|
|
|
|
/* source route entry types */
|
|
#define GRESRE_IP 0x0800 /* IP */
|
|
#define GRESRE_ASN 0xfffe /* ASN */
|
|
|
|
static void gre_print_0(netdissect_options *, const u_char *, u_int);
|
|
static void gre_print_1(netdissect_options *, const u_char *, u_int);
|
|
static int gre_sre_print(netdissect_options *, uint16_t, uint8_t, uint8_t, const u_char *, u_int);
|
|
static int gre_sre_ip_print(netdissect_options *, uint8_t, uint8_t, const u_char *, u_int);
|
|
static int gre_sre_asn_print(netdissect_options *, uint8_t, uint8_t, const u_char *, u_int);
|
|
|
|
void
|
|
gre_print(netdissect_options *ndo, const u_char *bp, u_int length)
|
|
{
|
|
u_int len = length, vers;
|
|
|
|
ND_TCHECK2(*bp, 2);
|
|
if (len < 2)
|
|
goto trunc;
|
|
vers = EXTRACT_16BITS(bp) & GRE_VERS_MASK;
|
|
ND_PRINT((ndo, "GREv%u",vers));
|
|
|
|
switch(vers) {
|
|
case 0:
|
|
gre_print_0(ndo, bp, len);
|
|
break;
|
|
case 1:
|
|
gre_print_1(ndo, bp, len);
|
|
break;
|
|
default:
|
|
ND_PRINT((ndo, " ERROR: unknown-version"));
|
|
break;
|
|
}
|
|
return;
|
|
|
|
trunc:
|
|
ND_PRINT((ndo, "%s", tstr));
|
|
return;
|
|
}
|
|
|
|
static void
|
|
gre_print_0(netdissect_options *ndo, const u_char *bp, u_int length)
|
|
{
|
|
u_int len = length;
|
|
uint16_t flags, prot;
|
|
|
|
flags = EXTRACT_16BITS(bp);
|
|
if (ndo->ndo_vflag)
|
|
ND_PRINT((ndo, ", Flags [%s]",
|
|
bittok2str(gre_flag_values,"none",flags)));
|
|
|
|
len -= 2;
|
|
bp += 2;
|
|
|
|
ND_TCHECK2(*bp, 2);
|
|
if (len < 2)
|
|
goto trunc;
|
|
prot = EXTRACT_16BITS(bp);
|
|
len -= 2;
|
|
bp += 2;
|
|
|
|
if ((flags & GRE_CP) | (flags & GRE_RP)) {
|
|
ND_TCHECK2(*bp, 2);
|
|
if (len < 2)
|
|
goto trunc;
|
|
if (ndo->ndo_vflag)
|
|
ND_PRINT((ndo, ", sum 0x%x", EXTRACT_16BITS(bp)));
|
|
bp += 2;
|
|
len -= 2;
|
|
|
|
ND_TCHECK2(*bp, 2);
|
|
if (len < 2)
|
|
goto trunc;
|
|
ND_PRINT((ndo, ", off 0x%x", EXTRACT_16BITS(bp)));
|
|
bp += 2;
|
|
len -= 2;
|
|
}
|
|
|
|
if (flags & GRE_KP) {
|
|
ND_TCHECK2(*bp, 4);
|
|
if (len < 4)
|
|
goto trunc;
|
|
ND_PRINT((ndo, ", key=0x%x", EXTRACT_32BITS(bp)));
|
|
bp += 4;
|
|
len -= 4;
|
|
}
|
|
|
|
if (flags & GRE_SP) {
|
|
ND_TCHECK2(*bp, 4);
|
|
if (len < 4)
|
|
goto trunc;
|
|
ND_PRINT((ndo, ", seq %u", EXTRACT_32BITS(bp)));
|
|
bp += 4;
|
|
len -= 4;
|
|
}
|
|
|
|
if (flags & GRE_RP) {
|
|
for (;;) {
|
|
uint16_t af;
|
|
uint8_t sreoff;
|
|
uint8_t srelen;
|
|
|
|
ND_TCHECK2(*bp, 4);
|
|
if (len < 4)
|
|
goto trunc;
|
|
af = EXTRACT_16BITS(bp);
|
|
sreoff = *(bp + 2);
|
|
srelen = *(bp + 3);
|
|
bp += 4;
|
|
len -= 4;
|
|
|
|
if (af == 0 && srelen == 0)
|
|
break;
|
|
|
|
if (!gre_sre_print(ndo, af, sreoff, srelen, bp, len))
|
|
goto trunc;
|
|
|
|
if (len < srelen)
|
|
goto trunc;
|
|
bp += srelen;
|
|
len -= srelen;
|
|
}
|
|
}
|
|
|
|
if (ndo->ndo_eflag)
|
|
ND_PRINT((ndo, ", proto %s (0x%04x)",
|
|
tok2str(ethertype_values,"unknown",prot),
|
|
prot));
|
|
|
|
ND_PRINT((ndo, ", length %u",length));
|
|
|
|
if (ndo->ndo_vflag < 1)
|
|
ND_PRINT((ndo, ": ")); /* put in a colon as protocol demarc */
|
|
else
|
|
ND_PRINT((ndo, "\n\t")); /* if verbose go multiline */
|
|
|
|
switch (prot) {
|
|
case ETHERTYPE_IP:
|
|
ip_print(ndo, bp, len);
|
|
break;
|
|
case ETHERTYPE_IPV6:
|
|
ip6_print(ndo, bp, len);
|
|
break;
|
|
case ETHERTYPE_MPLS:
|
|
mpls_print(ndo, bp, len);
|
|
break;
|
|
case ETHERTYPE_IPX:
|
|
ipx_print(ndo, bp, len);
|
|
break;
|
|
case ETHERTYPE_ATALK:
|
|
atalk_print(ndo, bp, len);
|
|
break;
|
|
case ETHERTYPE_GRE_ISO:
|
|
isoclns_print(ndo, bp, len);
|
|
break;
|
|
case ETHERTYPE_TEB:
|
|
ether_print(ndo, bp, len, ndo->ndo_snapend - bp, NULL, NULL);
|
|
break;
|
|
default:
|
|
ND_PRINT((ndo, "gre-proto-0x%x", prot));
|
|
}
|
|
return;
|
|
|
|
trunc:
|
|
ND_PRINT((ndo, "%s", tstr));
|
|
}
|
|
|
|
static void
|
|
gre_print_1(netdissect_options *ndo, const u_char *bp, u_int length)
|
|
{
|
|
u_int len = length;
|
|
uint16_t flags, prot;
|
|
|
|
flags = EXTRACT_16BITS(bp);
|
|
len -= 2;
|
|
bp += 2;
|
|
|
|
if (ndo->ndo_vflag)
|
|
ND_PRINT((ndo, ", Flags [%s]",
|
|
bittok2str(gre_flag_values,"none",flags)));
|
|
|
|
ND_TCHECK2(*bp, 2);
|
|
if (len < 2)
|
|
goto trunc;
|
|
prot = EXTRACT_16BITS(bp);
|
|
len -= 2;
|
|
bp += 2;
|
|
|
|
|
|
if (flags & GRE_KP) {
|
|
uint32_t k;
|
|
|
|
ND_TCHECK2(*bp, 4);
|
|
if (len < 4)
|
|
goto trunc;
|
|
k = EXTRACT_32BITS(bp);
|
|
ND_PRINT((ndo, ", call %d", k & 0xffff));
|
|
len -= 4;
|
|
bp += 4;
|
|
}
|
|
|
|
if (flags & GRE_SP) {
|
|
ND_TCHECK2(*bp, 4);
|
|
if (len < 4)
|
|
goto trunc;
|
|
ND_PRINT((ndo, ", seq %u", EXTRACT_32BITS(bp)));
|
|
bp += 4;
|
|
len -= 4;
|
|
}
|
|
|
|
if (flags & GRE_AP) {
|
|
ND_TCHECK2(*bp, 4);
|
|
if (len < 4)
|
|
goto trunc;
|
|
ND_PRINT((ndo, ", ack %u", EXTRACT_32BITS(bp)));
|
|
bp += 4;
|
|
len -= 4;
|
|
}
|
|
|
|
if ((flags & GRE_SP) == 0)
|
|
ND_PRINT((ndo, ", no-payload"));
|
|
|
|
if (ndo->ndo_eflag)
|
|
ND_PRINT((ndo, ", proto %s (0x%04x)",
|
|
tok2str(ethertype_values,"unknown",prot),
|
|
prot));
|
|
|
|
ND_PRINT((ndo, ", length %u",length));
|
|
|
|
if ((flags & GRE_SP) == 0)
|
|
return;
|
|
|
|
if (ndo->ndo_vflag < 1)
|
|
ND_PRINT((ndo, ": ")); /* put in a colon as protocol demarc */
|
|
else
|
|
ND_PRINT((ndo, "\n\t")); /* if verbose go multiline */
|
|
|
|
switch (prot) {
|
|
case ETHERTYPE_PPP:
|
|
ppp_print(ndo, bp, len);
|
|
break;
|
|
default:
|
|
ND_PRINT((ndo, "gre-proto-0x%x", prot));
|
|
break;
|
|
}
|
|
return;
|
|
|
|
trunc:
|
|
ND_PRINT((ndo, "%s", tstr));
|
|
}
|
|
|
|
static int
|
|
gre_sre_print(netdissect_options *ndo, uint16_t af, uint8_t sreoff,
|
|
uint8_t srelen, const u_char *bp, u_int len)
|
|
{
|
|
int ret;
|
|
|
|
switch (af) {
|
|
case GRESRE_IP:
|
|
ND_PRINT((ndo, ", (rtaf=ip"));
|
|
ret = gre_sre_ip_print(ndo, sreoff, srelen, bp, len);
|
|
ND_PRINT((ndo, ")"));
|
|
break;
|
|
case GRESRE_ASN:
|
|
ND_PRINT((ndo, ", (rtaf=asn"));
|
|
ret = gre_sre_asn_print(ndo, sreoff, srelen, bp, len);
|
|
ND_PRINT((ndo, ")"));
|
|
break;
|
|
default:
|
|
ND_PRINT((ndo, ", (rtaf=0x%x)", af));
|
|
ret = 1;
|
|
}
|
|
return (ret);
|
|
}
|
|
|
|
static int
|
|
gre_sre_ip_print(netdissect_options *ndo, uint8_t sreoff, uint8_t srelen,
|
|
const u_char *bp, u_int len)
|
|
{
|
|
const u_char *up = bp;
|
|
char buf[INET_ADDRSTRLEN];
|
|
|
|
if (sreoff & 3) {
|
|
ND_PRINT((ndo, ", badoffset=%u", sreoff));
|
|
return (1);
|
|
}
|
|
if (srelen & 3) {
|
|
ND_PRINT((ndo, ", badlength=%u", srelen));
|
|
return (1);
|
|
}
|
|
if (sreoff >= srelen) {
|
|
ND_PRINT((ndo, ", badoff/len=%u/%u", sreoff, srelen));
|
|
return (1);
|
|
}
|
|
|
|
while (srelen != 0) {
|
|
if (!ND_TTEST2(*bp, 4))
|
|
return (0);
|
|
if (len < 4)
|
|
return (0);
|
|
|
|
addrtostr(bp, buf, sizeof(buf));
|
|
ND_PRINT((ndo, " %s%s",
|
|
((bp - up) == sreoff) ? "*" : "", buf));
|
|
|
|
bp += 4;
|
|
len -= 4;
|
|
srelen -= 4;
|
|
}
|
|
return (1);
|
|
}
|
|
|
|
static int
|
|
gre_sre_asn_print(netdissect_options *ndo, uint8_t sreoff, uint8_t srelen,
|
|
const u_char *bp, u_int len)
|
|
{
|
|
const u_char *up = bp;
|
|
|
|
if (sreoff & 1) {
|
|
ND_PRINT((ndo, ", badoffset=%u", sreoff));
|
|
return (1);
|
|
}
|
|
if (srelen & 1) {
|
|
ND_PRINT((ndo, ", badlength=%u", srelen));
|
|
return (1);
|
|
}
|
|
if (sreoff >= srelen) {
|
|
ND_PRINT((ndo, ", badoff/len=%u/%u", sreoff, srelen));
|
|
return (1);
|
|
}
|
|
|
|
while (srelen != 0) {
|
|
if (!ND_TTEST2(*bp, 2))
|
|
return (0);
|
|
if (len < 2)
|
|
return (0);
|
|
|
|
ND_PRINT((ndo, " %s%x",
|
|
((bp - up) == sreoff) ? "*" : "",
|
|
EXTRACT_16BITS(bp)));
|
|
|
|
bp += 2;
|
|
len -= 2;
|
|
srelen -= 2;
|
|
}
|
|
return (1);
|
|
}
|