freebsd-nq/contrib/tcpdump/print-pppoe.c
Gleb Smirnoff 3340d77368 Update tcpdump to 4.9.0.
It fixes many buffer overflow in different protocol parsers, but none of
them are critical, even in absense of Capsicum.

Security:	CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925
Security:	CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929
Security:	CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933
Security:	CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937
Security:	CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973
Security:	CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984
Security:	CVE-2016-7985, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993
Security:	CVE-2016-8574, CVE-2016-8575, CVE-2017-5202, CVE-2017-5203
Security:	CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342
Security:	CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485
Security:	CVE-2017-5486
2017-02-01 20:26:42 +00:00

202 lines
5.7 KiB
C

/*
* Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that: (1) source code distributions
* retain the above copyright notice and this paragraph in its entirety, (2)
* distributions including binary code include the above copyright notice and
* this paragraph in its entirety in the documentation or other materials
* provided with the distribution, and (3) all advertising materials mentioning
* features or use of this software display the following acknowledgement:
* ``This product includes software developed by the University of California,
* Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
* the University nor the names of its contributors may be used to endorse
* or promote products derived from this software without specific prior
* written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
* Original code by Greg Stark <gsstark@mit.edu>
*/
/* \summary: PPP-over-Ethernet (PPPoE) printer */
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <netdissect-stdinc.h>
#include "netdissect.h"
#include "extract.h"
/* Codes */
enum {
PPPOE_PADI = 0x09,
PPPOE_PADO = 0x07,
PPPOE_PADR = 0x19,
PPPOE_PADS = 0x65,
PPPOE_PADT = 0xa7
};
static const struct tok pppoecode2str[] = {
{ PPPOE_PADI, "PADI" },
{ PPPOE_PADO, "PADO" },
{ PPPOE_PADR, "PADR" },
{ PPPOE_PADS, "PADS" },
{ PPPOE_PADT, "PADT" },
{ 0, "" }, /* PPP Data */
{ 0, NULL }
};
/* Tags */
enum {
PPPOE_EOL = 0,
PPPOE_SERVICE_NAME = 0x0101,
PPPOE_AC_NAME = 0x0102,
PPPOE_HOST_UNIQ = 0x0103,
PPPOE_AC_COOKIE = 0x0104,
PPPOE_VENDOR = 0x0105,
PPPOE_RELAY_SID = 0x0110,
PPPOE_MAX_PAYLOAD = 0x0120,
PPPOE_SERVICE_NAME_ERROR = 0x0201,
PPPOE_AC_SYSTEM_ERROR = 0x0202,
PPPOE_GENERIC_ERROR = 0x0203
};
static const struct tok pppoetag2str[] = {
{ PPPOE_EOL, "EOL" },
{ PPPOE_SERVICE_NAME, "Service-Name" },
{ PPPOE_AC_NAME, "AC-Name" },
{ PPPOE_HOST_UNIQ, "Host-Uniq" },
{ PPPOE_AC_COOKIE, "AC-Cookie" },
{ PPPOE_VENDOR, "Vendor-Specific" },
{ PPPOE_RELAY_SID, "Relay-Session-ID" },
{ PPPOE_MAX_PAYLOAD, "PPP-Max-Payload" },
{ PPPOE_SERVICE_NAME_ERROR, "Service-Name-Error" },
{ PPPOE_AC_SYSTEM_ERROR, "AC-System-Error" },
{ PPPOE_GENERIC_ERROR, "Generic-Error" },
{ 0, NULL }
};
#define PPPOE_HDRLEN 6
#define MAXTAGPRINT 80
u_int
pppoe_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h, register const u_char *p)
{
return (pppoe_print(ndo, p, h->len));
}
u_int
pppoe_print(netdissect_options *ndo, register const u_char *bp, u_int length)
{
uint16_t pppoe_ver, pppoe_type, pppoe_code, pppoe_sessionid;
u_int pppoe_length;
const u_char *pppoe_packet, *pppoe_payload;
if (length < PPPOE_HDRLEN) {
ND_PRINT((ndo, "truncated-pppoe %u", length));
return (length);
}
length -= PPPOE_HDRLEN;
pppoe_packet = bp;
ND_TCHECK2(*pppoe_packet, PPPOE_HDRLEN);
pppoe_ver = (pppoe_packet[0] & 0xF0) >> 4;
pppoe_type = (pppoe_packet[0] & 0x0F);
pppoe_code = pppoe_packet[1];
pppoe_sessionid = EXTRACT_16BITS(pppoe_packet + 2);
pppoe_length = EXTRACT_16BITS(pppoe_packet + 4);
pppoe_payload = pppoe_packet + PPPOE_HDRLEN;
if (pppoe_ver != 1) {
ND_PRINT((ndo, " [ver %d]",pppoe_ver));
}
if (pppoe_type != 1) {
ND_PRINT((ndo, " [type %d]",pppoe_type));
}
ND_PRINT((ndo, "PPPoE %s", tok2str(pppoecode2str, "PAD-%x", pppoe_code)));
if (pppoe_code == PPPOE_PADI && pppoe_length > 1484 - PPPOE_HDRLEN) {
ND_PRINT((ndo, " [len %u!]",pppoe_length));
}
if (pppoe_length > length) {
ND_PRINT((ndo, " [len %u > %u!]", pppoe_length, length));
pppoe_length = length;
}
if (pppoe_sessionid) {
ND_PRINT((ndo, " [ses 0x%x]", pppoe_sessionid));
}
if (pppoe_code) {
/* PPP session packets don't contain tags */
u_short tag_type = 0xffff, tag_len;
const u_char *p = pppoe_payload;
/*
* loop invariant:
* p points to current tag,
* tag_type is previous tag or 0xffff for first iteration
*/
while (tag_type && p < pppoe_payload + pppoe_length) {
ND_TCHECK2(*p, 4);
tag_type = EXTRACT_16BITS(p);
tag_len = EXTRACT_16BITS(p + 2);
p += 4;
/* p points to tag_value */
if (tag_len) {
unsigned ascii_count = 0, garbage_count = 0;
const u_char *v;
char tag_str[MAXTAGPRINT];
unsigned tag_str_len = 0;
/* TODO print UTF-8 decoded text */
ND_TCHECK2(*p, tag_len);
for (v = p; v < p + tag_len && tag_str_len < MAXTAGPRINT-1; v++)
if (*v >= 32 && *v < 127) {
tag_str[tag_str_len++] = *v;
ascii_count++;
} else {
tag_str[tag_str_len++] = '.';
garbage_count++;
}
tag_str[tag_str_len] = 0;
if (ascii_count > garbage_count) {
ND_PRINT((ndo, " [%s \"%*.*s\"]",
tok2str(pppoetag2str, "TAG-0x%x", tag_type),
(int)tag_str_len,
(int)tag_str_len,
tag_str));
} else {
/* Print hex, not fast to abuse printf but this doesn't get used much */
ND_PRINT((ndo, " [%s 0x", tok2str(pppoetag2str, "TAG-0x%x", tag_type)));
for (v=p; v<p+tag_len; v++) {
ND_PRINT((ndo, "%02X", *v));
}
ND_PRINT((ndo, "]"));
}
} else
ND_PRINT((ndo, " [%s]", tok2str(pppoetag2str,
"TAG-0x%x", tag_type)));
p += tag_len;
/* p points to next tag */
}
return (0);
} else {
/* PPPoE data */
ND_PRINT((ndo, " "));
return (PPPOE_HDRLEN + ppp_print(ndo, pppoe_payload, pppoe_length));
}
trunc:
ND_PRINT((ndo, "[|pppoe]"));
return (PPPOE_HDRLEN);
}