freebsd-nq/contrib/tcpdump/print-resp.c
Gleb Smirnoff 3340d77368 Update tcpdump to 4.9.0.
It fixes many buffer overflow in different protocol parsers, but none of
them are critical, even in absense of Capsicum.

Security:	CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925
Security:	CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929
Security:	CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933
Security:	CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937
Security:	CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973
Security:	CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984
Security:	CVE-2016-7985, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993
Security:	CVE-2016-8574, CVE-2016-8575, CVE-2017-5202, CVE-2017-5203
Security:	CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342
Security:	CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485
Security:	CVE-2017-5486
2017-02-01 20:26:42 +00:00

539 lines
16 KiB
C

/*
* Copyright (c) 2015 The TCPDUMP project
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* Initial contribution by Andrew Darqui (andrew.darqui@gmail.com).
*/
/* \summary: REdis Serialization Protocol (RESP) printer */
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <netdissect-stdinc.h>
#include "netdissect.h"
#include <limits.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include "extract.h"
static const char tstr[] = " [|RESP]";
/*
* For information regarding RESP, see: http://redis.io/topics/protocol
*/
#define RESP_SIMPLE_STRING '+'
#define RESP_ERROR '-'
#define RESP_INTEGER ':'
#define RESP_BULK_STRING '$'
#define RESP_ARRAY '*'
#define resp_print_empty(ndo) ND_PRINT((ndo, " empty"))
#define resp_print_null(ndo) ND_PRINT((ndo, " null"))
#define resp_print_length_too_large(ndo) ND_PRINT((ndo, " length too large"))
#define resp_print_length_negative(ndo) ND_PRINT((ndo, " length negative and not -1"))
#define resp_print_invalid(ndo) ND_PRINT((ndo, " invalid"))
void resp_print(netdissect_options *, const u_char *, u_int);
static int resp_parse(netdissect_options *, register const u_char *, int);
static int resp_print_string_error_integer(netdissect_options *, register const u_char *, int);
static int resp_print_simple_string(netdissect_options *, register const u_char *, int);
static int resp_print_integer(netdissect_options *, register const u_char *, int);
static int resp_print_error(netdissect_options *, register const u_char *, int);
static int resp_print_bulk_string(netdissect_options *, register const u_char *, int);
static int resp_print_bulk_array(netdissect_options *, register const u_char *, int);
static int resp_print_inline(netdissect_options *, register const u_char *, int);
static int resp_get_length(netdissect_options *, register const u_char *, int, const u_char **);
#define LCHECK2(_tot_len, _len) \
{ \
if (_tot_len < _len) \
goto trunc; \
}
#define LCHECK(_tot_len) LCHECK2(_tot_len, 1)
/*
* FIND_CRLF:
* Attempts to move our 'ptr' forward until a \r\n is found,
* while also making sure we don't exceed the buffer '_len'
* or go past the end of the captured data.
* If we exceed or go past the end of the captured data,
* jump to trunc.
*/
#define FIND_CRLF(_ptr, _len) \
for (;;) { \
LCHECK2(_len, 2); \
ND_TCHECK2(*_ptr, 2); \
if (*_ptr == '\r' && *(_ptr+1) == '\n') \
break; \
_ptr++; \
_len--; \
}
/*
* CONSUME_CRLF
* Consume a CRLF that we've just found.
*/
#define CONSUME_CRLF(_ptr, _len) \
_ptr += 2; \
_len -= 2;
/*
* FIND_CR_OR_LF
* Attempts to move our '_ptr' forward until a \r or \n is found,
* while also making sure we don't exceed the buffer '_len'
* or go past the end of the captured data.
* If we exceed or go past the end of the captured data,
* jump to trunc.
*/
#define FIND_CR_OR_LF(_ptr, _len) \
for (;;) { \
LCHECK(_len); \
ND_TCHECK(*_ptr); \
if (*_ptr == '\r' || *_ptr == '\n') \
break; \
_ptr++; \
_len--; \
}
/*
* CONSUME_CR_OR_LF
* Consume all consecutive \r and \n bytes.
* If we exceed '_len' or go past the end of the captured data,
* jump to trunc.
*/
#define CONSUME_CR_OR_LF(_ptr, _len) \
{ \
int _found_cr_or_lf = 0; \
for (;;) { \
/* \
* Have we hit the end of data? \
*/ \
if (_len == 0 || !ND_TTEST(*_ptr)) { \
/* \
* Yes. Have we seen a \r \
* or \n? \
*/ \
if (_found_cr_or_lf) { \
/* \
* Yes. Just stop. \
*/ \
break; \
} \
/* \
* No. We ran out of packet. \
*/ \
goto trunc; \
} \
if (*_ptr != '\r' && *_ptr != '\n') \
break; \
_found_cr_or_lf = 1; \
_ptr++; \
_len--; \
} \
}
/*
* SKIP_OPCODE
* Skip over the opcode character.
* The opcode has already been fetched, so we know it's there, and don't
* need to do any checks.
*/
#define SKIP_OPCODE(_ptr, _tot_len) \
_ptr++; \
_tot_len--;
/*
* GET_LENGTH
* Get a bulk string or array length.
*/
#define GET_LENGTH(_ndo, _tot_len, _ptr, _len) \
{ \
const u_char *_endp; \
_len = resp_get_length(_ndo, _ptr, _tot_len, &_endp); \
_tot_len -= (_endp - _ptr); \
_ptr = _endp; \
}
/*
* TEST_RET_LEN
* If ret_len is < 0, jump to the trunc tag which returns (-1)
* and 'bubbles up' to printing tstr. Otherwise, return ret_len.
*/
#define TEST_RET_LEN(rl) \
if (rl < 0) { goto trunc; } else { return rl; }
/*
* TEST_RET_LEN_NORETURN
* If ret_len is < 0, jump to the trunc tag which returns (-1)
* and 'bubbles up' to printing tstr. Otherwise, continue onward.
*/
#define TEST_RET_LEN_NORETURN(rl) \
if (rl < 0) { goto trunc; }
/*
* RESP_PRINT_SEGMENT
* Prints a segment in the form of: ' "<stuff>"\n"
* Assumes the data has already been verified as present.
*/
#define RESP_PRINT_SEGMENT(_ndo, _bp, _len) \
ND_PRINT((_ndo, " \"")); \
if (fn_printn(_ndo, _bp, _len, _ndo->ndo_snapend)) \
goto trunc; \
fn_print_char(_ndo, '"');
void
resp_print(netdissect_options *ndo, const u_char *bp, u_int length)
{
int ret_len = 0, length_cur = length;
if(!bp || length <= 0)
return;
ND_PRINT((ndo, ": RESP"));
while (length_cur > 0) {
/*
* This block supports redis pipelining.
* For example, multiple operations can be pipelined within the same string:
* "*2\r\n\$4\r\nINCR\r\n\$1\r\nz\r\n*2\r\n\$4\r\nINCR\r\n\$1\r\nz\r\n*2\r\n\$4\r\nINCR\r\n\$1\r\nz\r\n"
* or
* "PING\r\nPING\r\nPING\r\n"
* In order to handle this case, we must try and parse 'bp' until
* 'length' bytes have been processed or we reach a trunc condition.
*/
ret_len = resp_parse(ndo, bp, length_cur);
TEST_RET_LEN_NORETURN(ret_len);
bp += ret_len;
length_cur -= ret_len;
}
return;
trunc:
ND_PRINT((ndo, "%s", tstr));
}
static int
resp_parse(netdissect_options *ndo, register const u_char *bp, int length)
{
u_char op;
int ret_len;
LCHECK2(length, 1);
ND_TCHECK(*bp);
op = *bp;
/* bp now points to the op, so these routines must skip it */
switch(op) {
case RESP_SIMPLE_STRING: ret_len = resp_print_simple_string(ndo, bp, length); break;
case RESP_INTEGER: ret_len = resp_print_integer(ndo, bp, length); break;
case RESP_ERROR: ret_len = resp_print_error(ndo, bp, length); break;
case RESP_BULK_STRING: ret_len = resp_print_bulk_string(ndo, bp, length); break;
case RESP_ARRAY: ret_len = resp_print_bulk_array(ndo, bp, length); break;
default: ret_len = resp_print_inline(ndo, bp, length); break;
}
/*
* This gives up with a "truncated" indicator for all errors,
* including invalid packet errors; that's what we want, as
* we have to give up on further parsing in that case.
*/
TEST_RET_LEN(ret_len);
trunc:
return (-1);
}
static int
resp_print_simple_string(netdissect_options *ndo, register const u_char *bp, int length) {
return resp_print_string_error_integer(ndo, bp, length);
}
static int
resp_print_integer(netdissect_options *ndo, register const u_char *bp, int length) {
return resp_print_string_error_integer(ndo, bp, length);
}
static int
resp_print_error(netdissect_options *ndo, register const u_char *bp, int length) {
return resp_print_string_error_integer(ndo, bp, length);
}
static int
resp_print_string_error_integer(netdissect_options *ndo, register const u_char *bp, int length) {
int length_cur = length, len, ret_len;
const u_char *bp_ptr;
/* bp points to the op; skip it */
SKIP_OPCODE(bp, length_cur);
bp_ptr = bp;
/*
* bp now prints past the (+-;) opcode, so it's pointing to the first
* character of the string (which could be numeric).
* +OK\r\n
* -ERR ...\r\n
* :02912309\r\n
*
* Find the \r\n with FIND_CRLF().
*/
FIND_CRLF(bp_ptr, length_cur);
/*
* bp_ptr points to the \r\n, so bp_ptr - bp is the length of text
* preceding the \r\n. That includes the opcode, so don't print
* that.
*/
len = (bp_ptr - bp);
RESP_PRINT_SEGMENT(ndo, bp, len);
ret_len = 1 /*<opcode>*/ + len /*<string>*/ + 2 /*<CRLF>*/;
TEST_RET_LEN(ret_len);
trunc:
return (-1);
}
static int
resp_print_bulk_string(netdissect_options *ndo, register const u_char *bp, int length) {
int length_cur = length, string_len;
/* bp points to the op; skip it */
SKIP_OPCODE(bp, length_cur);
/* <length>\r\n */
GET_LENGTH(ndo, length_cur, bp, string_len);
if (string_len >= 0) {
/* Byte string of length string_len, starting at bp */
if (string_len == 0)
resp_print_empty(ndo);
else {
LCHECK2(length_cur, string_len);
ND_TCHECK2(*bp, string_len);
RESP_PRINT_SEGMENT(ndo, bp, string_len);
bp += string_len;
length_cur -= string_len;
}
/*
* Find the \r\n at the end of the string and skip past it.
* XXX - report an error if the \r\n isn't immediately after
* the item?
*/
FIND_CRLF(bp, length_cur);
CONSUME_CRLF(bp, length_cur);
} else {
/* null, truncated, or invalid for some reason */
switch(string_len) {
case (-1): resp_print_null(ndo); break;
case (-2): goto trunc;
case (-3): resp_print_length_too_large(ndo); break;
case (-4): resp_print_length_negative(ndo); break;
default: resp_print_invalid(ndo); break;
}
}
return (length - length_cur);
trunc:
return (-1);
}
static int
resp_print_bulk_array(netdissect_options *ndo, register const u_char *bp, int length) {
u_int length_cur = length;
int array_len, i, ret_len;
/* bp points to the op; skip it */
SKIP_OPCODE(bp, length_cur);
/* <array_length>\r\n */
GET_LENGTH(ndo, length_cur, bp, array_len);
if (array_len > 0) {
/* non empty array */
for (i = 0; i < array_len; i++) {
ret_len = resp_parse(ndo, bp, length_cur);
TEST_RET_LEN_NORETURN(ret_len);
bp += ret_len;
length_cur -= ret_len;
}
} else {
/* empty, null, truncated, or invalid */
switch(array_len) {
case 0: resp_print_empty(ndo); break;
case (-1): resp_print_null(ndo); break;
case (-2): goto trunc;
case (-3): resp_print_length_too_large(ndo); break;
case (-4): resp_print_length_negative(ndo); break;
default: resp_print_invalid(ndo); break;
}
}
return (length - length_cur);
trunc:
return (-1);
}
static int
resp_print_inline(netdissect_options *ndo, register const u_char *bp, int length) {
int length_cur = length;
int len;
const u_char *bp_ptr;
/*
* Inline commands are simply 'strings' followed by \r or \n or both.
* Redis will do its best to split/parse these strings.
* This feature of redis is implemented to support the ability of
* command parsing from telnet/nc sessions etc.
*
* <string><\r||\n||\r\n...>
*/
/*
* Skip forward past any leading \r, \n, or \r\n.
*/
CONSUME_CR_OR_LF(bp, length_cur);
bp_ptr = bp;
/*
* Scan forward looking for \r or \n.
*/
FIND_CR_OR_LF(bp_ptr, length_cur);
/*
* Found it; bp_ptr points to the \r or \n, so bp_ptr - bp is the
* Length of the line text that preceeds it. Print it.
*/
len = (bp_ptr - bp);
RESP_PRINT_SEGMENT(ndo, bp, len);
/*
* Skip forward past the \r, \n, or \r\n.
*/
CONSUME_CR_OR_LF(bp_ptr, length_cur);
/*
* Return the number of bytes we processed.
*/
return (length - length_cur);
trunc:
return (-1);
}
static int
resp_get_length(netdissect_options *ndo, register const u_char *bp, int len, const u_char **endp)
{
int result;
u_char c;
int saw_digit;
int neg;
int too_large;
if (len == 0)
goto trunc;
ND_TCHECK(*bp);
too_large = 0;
neg = 0;
if (*bp == '-') {
neg = 1;
bp++;
len--;
}
result = 0;
saw_digit = 0;
for (;;) {
if (len == 0)
goto trunc;
ND_TCHECK(*bp);
c = *bp;
if (!(c >= '0' && c <= '9')) {
if (!saw_digit)
goto invalid;
break;
}
c -= '0';
if (result > (INT_MAX / 10)) {
/* This will overflow an int when we multiply it by 10. */
too_large = 1;
} else {
result *= 10;
if (result == INT_MAX && c > (INT_MAX % 10)) {
/* This will overflow an int when we add c */
too_large = 1;
} else
result += c;
}
bp++;
len--;
saw_digit = 1;
}
if (!saw_digit)
goto invalid;
/*
* OK, the next thing should be \r\n.
*/
if (len == 0)
goto trunc;
ND_TCHECK(*bp);
if (*bp != '\r')
goto invalid;
bp++;
len--;
if (len == 0)
goto trunc;
ND_TCHECK(*bp);
if (*bp != '\n')
goto invalid;
bp++;
len--;
*endp = bp;
if (neg) {
/* -1 means "null", anything else is invalid */
if (too_large || result != 1)
return (-4);
result = -1;
}
return (too_large ? -3 : result);
trunc:
return (-2);
invalid:
return (-5);
}