0bff6a5af8
It contains many fixes, including bounds checking, buffer overflows (in SLIP and bittok2str_internal), buffer over-reads, and infinite loops. One other notable change: Do not use getprotobynumber() for protocol name resolution. Do not do any protocol name resolution if -n is specified. Submitted by: gordon Reviewed by: delphij, emaste, glebius MFC after: 1 week Relnotes: Yes Security: CVE-2017-11108, CVE-2017-11541, CVE-2017-11542 Security: CVE-2017-11543, CVE-2017-12893, CVE-2017-12894 Security: CVE-2017-12895, CVE-2017-12896, CVE-2017-12897 Security: CVE-2017-12898, CVE-2017-12899, CVE-2017-12900 Security: CVE-2017-12901, CVE-2017-12902, CVE-2017-12985 Security: CVE-2017-12986, CVE-2017-12987, CVE-2017-12988 Security: CVE-2017-12989, CVE-2017-12990, CVE-2017-12991 Security: CVE-2017-12992, CVE-2017-12993, CVE-2017-12994 Security: CVE-2017-12995, CVE-2017-12996, CVE-2017-12997 Security: CVE-2017-12998, CVE-2017-12999, CVE-2017-13000 Security: CVE-2017-13001, CVE-2017-13002, CVE-2017-13003 Security: CVE-2017-13004, CVE-2017-13005, CVE-2017-13006 Security: CVE-2017-13007, CVE-2017-13008, CVE-2017-13009 Security: CVE-2017-13010, CVE-2017-13011, CVE-2017-13012 Security: CVE-2017-13013, CVE-2017-13014, CVE-2017-13015 Security: CVE-2017-13016, CVE-2017-13017, CVE-2017-13018 Security: CVE-2017-13019, CVE-2017-13020, CVE-2017-13021 Security: CVE-2017-13022, CVE-2017-13023, CVE-2017-13024 Security: CVE-2017-13025, CVE-2017-13026, CVE-2017-13027 Security: CVE-2017-13028, CVE-2017-13029, CVE-2017-13030 Security: CVE-2017-13031, CVE-2017-13032, CVE-2017-13033 Security: CVE-2017-13034, CVE-2017-13035, CVE-2017-13036 Security: CVE-2017-13037, CVE-2017-13038, CVE-2017-13039 Security: CVE-2017-13040, CVE-2017-13041, CVE-2017-13042 Security: CVE-2017-13043, CVE-2017-13044, CVE-2017-13045 Security: CVE-2017-13046, CVE-2017-13047, CVE-2017-13048 Security: CVE-2017-13049, CVE-2017-13050, CVE-2017-13051 Security: CVE-2017-13052, CVE-2017-13053, CVE-2017-13054 Security: CVE-2017-13055, CVE-2017-13687, CVE-2017-13688 Security: CVE-2017-13689, CVE-2017-13690, CVE-2017-13725 Differential Revision: https://reviews.freebsd.org/D12404
214 lines
5.6 KiB
C
214 lines
5.6 KiB
C
/*
|
|
* Copyright (c) 1999 Kungliga Tekniska Högskolan
|
|
* (Royal Institute of Technology, Stockholm, Sweden).
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
*
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* 3. All advertising materials mentioning features or use of this software
|
|
* must display the following acknowledgement:
|
|
* This product includes software developed by the Kungliga Tekniska
|
|
* Högskolan and its contributors.
|
|
*
|
|
* 4. Neither the name of the Institute nor the names of its contributors
|
|
* may be used to endorse or promote products derived from this software
|
|
* without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*/
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
#include "config.h"
|
|
#endif
|
|
|
|
#include <netdissect-stdinc.h>
|
|
#include "addrtostr.h"
|
|
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
|
|
/*
|
|
*
|
|
*/
|
|
|
|
#ifndef IN6ADDRSZ
|
|
#define IN6ADDRSZ 16 /* IPv6 T_AAAA */
|
|
#endif
|
|
|
|
#ifndef INT16SZ
|
|
#define INT16SZ 2 /* word size */
|
|
#endif
|
|
|
|
const char *
|
|
addrtostr (const void *src, char *dst, size_t size)
|
|
{
|
|
const u_char *srcaddr = (const u_char *)src;
|
|
const char digits[] = "0123456789";
|
|
int i;
|
|
const char *orig_dst = dst;
|
|
|
|
if (size < INET_ADDRSTRLEN) {
|
|
errno = ENOSPC;
|
|
return NULL;
|
|
}
|
|
for (i = 0; i < 4; ++i) {
|
|
int n = *srcaddr++;
|
|
int non_zerop = 0;
|
|
|
|
if (non_zerop || n / 100 > 0) {
|
|
*dst++ = digits[n / 100];
|
|
n %= 100;
|
|
non_zerop = 1;
|
|
}
|
|
if (non_zerop || n / 10 > 0) {
|
|
*dst++ = digits[n / 10];
|
|
n %= 10;
|
|
non_zerop = 1;
|
|
}
|
|
*dst++ = digits[n];
|
|
if (i != 3)
|
|
*dst++ = '.';
|
|
}
|
|
*dst++ = '\0';
|
|
return orig_dst;
|
|
}
|
|
|
|
/*
|
|
* Convert IPv6 binary address into presentation (printable) format.
|
|
*/
|
|
const char *
|
|
addrtostr6 (const void *src, char *dst, size_t size)
|
|
{
|
|
/*
|
|
* Note that int32_t and int16_t need only be "at least" large enough
|
|
* to contain a value of the specified size. On some systems, like
|
|
* Crays, there is no such thing as an integer variable with 16 bits.
|
|
* Keep this in mind if you think this function should have been coded
|
|
* to use pointer overlays. All the world's not a VAX.
|
|
*/
|
|
const u_char *srcaddr = (const u_char *)src;
|
|
char *dp;
|
|
size_t space_left, added_space;
|
|
int snprintfed;
|
|
struct {
|
|
int base;
|
|
int len;
|
|
} best, cur;
|
|
uint16_t words [IN6ADDRSZ / INT16SZ];
|
|
int i;
|
|
|
|
/* Preprocess:
|
|
* Copy the input (bytewise) array into a wordwise array.
|
|
* Find the longest run of 0x00's in src[] for :: shorthanding.
|
|
*/
|
|
for (i = 0; i < (IN6ADDRSZ / INT16SZ); i++)
|
|
words[i] = (srcaddr[2*i] << 8) | srcaddr[2*i + 1];
|
|
|
|
best.len = 0;
|
|
best.base = -1;
|
|
cur.len = 0;
|
|
cur.base = -1;
|
|
for (i = 0; i < (int)(IN6ADDRSZ / INT16SZ); i++)
|
|
{
|
|
if (words[i] == 0)
|
|
{
|
|
if (cur.base == -1)
|
|
cur.base = i, cur.len = 1;
|
|
else cur.len++;
|
|
}
|
|
else if (cur.base != -1)
|
|
{
|
|
if (best.base == -1 || cur.len > best.len)
|
|
best = cur;
|
|
cur.base = -1;
|
|
}
|
|
}
|
|
if ((cur.base != -1) && (best.base == -1 || cur.len > best.len))
|
|
best = cur;
|
|
if (best.base != -1 && best.len < 2)
|
|
best.base = -1;
|
|
|
|
/* Format the result.
|
|
*/
|
|
dp = dst;
|
|
space_left = size;
|
|
#define APPEND_CHAR(c) \
|
|
{ \
|
|
if (space_left == 0) { \
|
|
errno = ENOSPC; \
|
|
return (NULL); \
|
|
} \
|
|
*dp++ = c; \
|
|
space_left--; \
|
|
}
|
|
for (i = 0; i < (int)(IN6ADDRSZ / INT16SZ); i++)
|
|
{
|
|
/* Are we inside the best run of 0x00's?
|
|
*/
|
|
if (best.base != -1 && i >= best.base && i < (best.base + best.len))
|
|
{
|
|
if (i == best.base)
|
|
APPEND_CHAR(':');
|
|
continue;
|
|
}
|
|
|
|
/* Are we following an initial run of 0x00s or any real hex?
|
|
*/
|
|
if (i != 0)
|
|
APPEND_CHAR(':');
|
|
|
|
/* Is this address an encapsulated IPv4?
|
|
*/
|
|
if (i == 6 && best.base == 0 &&
|
|
(best.len == 6 || (best.len == 5 && words[5] == 0xffff)))
|
|
{
|
|
if (!addrtostr(srcaddr+12, dp, space_left))
|
|
{
|
|
errno = ENOSPC;
|
|
return (NULL);
|
|
}
|
|
added_space = strlen(dp);
|
|
dp += added_space;
|
|
space_left -= added_space;
|
|
break;
|
|
}
|
|
snprintfed = snprintf (dp, space_left, "%x", words[i]);
|
|
if (snprintfed < 0)
|
|
return (NULL);
|
|
if ((size_t) snprintfed >= space_left)
|
|
{
|
|
errno = ENOSPC;
|
|
return (NULL);
|
|
}
|
|
dp += snprintfed;
|
|
space_left -= snprintfed;
|
|
}
|
|
|
|
/* Was it a trailing run of 0x00's?
|
|
*/
|
|
if (best.base != -1 && (best.base + best.len) == (IN6ADDRSZ / INT16SZ))
|
|
APPEND_CHAR(':');
|
|
APPEND_CHAR('\0');
|
|
|
|
return (dst);
|
|
}
|