37e2725e53
It contains many fixes, including bounds checking, buffer overflows (in SLIP and bittok2str_internal), buffer over-reads, and infinite loops. One other notable change: Do not use getprotobynumber() for protocol name resolution. Do not do any protocol name resolution if -n is specified. Submitted by: gordon Reviewed by: delphij, emaste, glebius MFC after: 1 week Relnotes: Yes Security: CVE-2017-11108, CVE-2017-11541, CVE-2017-11542 Security: CVE-2017-11543, CVE-2017-12893, CVE-2017-12894 Security: CVE-2017-12895, CVE-2017-12896, CVE-2017-12897 Security: CVE-2017-12898, CVE-2017-12899, CVE-2017-12900 Security: CVE-2017-12901, CVE-2017-12902, CVE-2017-12985 Security: CVE-2017-12986, CVE-2017-12987, CVE-2017-12988 Security: CVE-2017-12989, CVE-2017-12990, CVE-2017-12991 Security: CVE-2017-12992, CVE-2017-12993, CVE-2017-12994 Security: CVE-2017-12995, CVE-2017-12996, CVE-2017-12997 Security: CVE-2017-12998, CVE-2017-12999, CVE-2017-13000 Security: CVE-2017-13001, CVE-2017-13002, CVE-2017-13003 Security: CVE-2017-13004, CVE-2017-13005, CVE-2017-13006 Security: CVE-2017-13007, CVE-2017-13008, CVE-2017-13009 Security: CVE-2017-13010, CVE-2017-13011, CVE-2017-13012 Security: CVE-2017-13013, CVE-2017-13014, CVE-2017-13015 Security: CVE-2017-13016, CVE-2017-13017, CVE-2017-13018 Security: CVE-2017-13019, CVE-2017-13020, CVE-2017-13021 Security: CVE-2017-13022, CVE-2017-13023, CVE-2017-13024 Security: CVE-2017-13025, CVE-2017-13026, CVE-2017-13027 Security: CVE-2017-13028, CVE-2017-13029, CVE-2017-13030 Security: CVE-2017-13031, CVE-2017-13032, CVE-2017-13033 Security: CVE-2017-13034, CVE-2017-13035, CVE-2017-13036 Security: CVE-2017-13037, CVE-2017-13038, CVE-2017-13039 Security: CVE-2017-13040, CVE-2017-13041, CVE-2017-13042 Security: CVE-2017-13043, CVE-2017-13044, CVE-2017-13045 Security: CVE-2017-13046, CVE-2017-13047, CVE-2017-13048 Security: CVE-2017-13049, CVE-2017-13050, CVE-2017-13051 Security: CVE-2017-13052, CVE-2017-13053, CVE-2017-13054 Security: CVE-2017-13055, CVE-2017-13687, CVE-2017-13688 Security: CVE-2017-13689, CVE-2017-13690, CVE-2017-13725 Differential Revision: https://reviews.freebsd.org/D12404
337 lines
8.0 KiB
C
337 lines
8.0 KiB
C
/*
|
|
* Decode and print Zephyr packets.
|
|
*
|
|
* http://web.mit.edu/zephyr/doc/protocol
|
|
*
|
|
* Copyright (c) 2001 Nickolai Zeldovich <kolya@MIT.EDU>
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that: (1) source code
|
|
* distributions retain the above copyright notice and this paragraph
|
|
* in its entirety, and (2) distributions including binary code include
|
|
* the above copyright notice and this paragraph in its entirety in
|
|
* the documentation or other materials provided with the distribution.
|
|
* The name of the author(s) may not be used to endorse or promote
|
|
* products derived from this software without specific prior written
|
|
* permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY
|
|
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
* PURPOSE.
|
|
*/
|
|
|
|
/* \summary: Zephyr printer */
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
#include "config.h"
|
|
#endif
|
|
|
|
#include <netdissect-stdinc.h>
|
|
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <stdlib.h>
|
|
|
|
#include "netdissect.h"
|
|
|
|
struct z_packet {
|
|
const char *version;
|
|
int numfields;
|
|
int kind;
|
|
const char *uid;
|
|
int port;
|
|
int auth;
|
|
int authlen;
|
|
const char *authdata;
|
|
const char *class;
|
|
const char *inst;
|
|
const char *opcode;
|
|
const char *sender;
|
|
const char *recipient;
|
|
const char *format;
|
|
int cksum;
|
|
int multi;
|
|
const char *multi_uid;
|
|
/* Other fields follow here.. */
|
|
};
|
|
|
|
enum z_packet_type {
|
|
Z_PACKET_UNSAFE = 0,
|
|
Z_PACKET_UNACKED,
|
|
Z_PACKET_ACKED,
|
|
Z_PACKET_HMACK,
|
|
Z_PACKET_HMCTL,
|
|
Z_PACKET_SERVACK,
|
|
Z_PACKET_SERVNAK,
|
|
Z_PACKET_CLIENTACK,
|
|
Z_PACKET_STAT
|
|
};
|
|
|
|
static const struct tok z_types[] = {
|
|
{ Z_PACKET_UNSAFE, "unsafe" },
|
|
{ Z_PACKET_UNACKED, "unacked" },
|
|
{ Z_PACKET_ACKED, "acked" },
|
|
{ Z_PACKET_HMACK, "hm-ack" },
|
|
{ Z_PACKET_HMCTL, "hm-ctl" },
|
|
{ Z_PACKET_SERVACK, "serv-ack" },
|
|
{ Z_PACKET_SERVNAK, "serv-nak" },
|
|
{ Z_PACKET_CLIENTACK, "client-ack" },
|
|
{ Z_PACKET_STAT, "stat" },
|
|
{ 0, NULL }
|
|
};
|
|
|
|
static char z_buf[256];
|
|
|
|
static const char *
|
|
parse_field(netdissect_options *ndo, const char **pptr, int *len, int *truncated)
|
|
{
|
|
const char *s;
|
|
|
|
/* Start of string */
|
|
s = *pptr;
|
|
/* Scan for the NUL terminator */
|
|
for (;;) {
|
|
if (*len == 0) {
|
|
/* Ran out of packet data without finding it */
|
|
return NULL;
|
|
}
|
|
if (!ND_TTEST(**pptr)) {
|
|
/* Ran out of captured data without finding it */
|
|
*truncated = 1;
|
|
return NULL;
|
|
}
|
|
if (**pptr == '\0') {
|
|
/* Found it */
|
|
break;
|
|
}
|
|
/* Keep scanning */
|
|
(*pptr)++;
|
|
(*len)--;
|
|
}
|
|
/* Skip the NUL terminator */
|
|
(*pptr)++;
|
|
(*len)--;
|
|
return s;
|
|
}
|
|
|
|
static const char *
|
|
z_triple(const char *class, const char *inst, const char *recipient)
|
|
{
|
|
if (!*recipient)
|
|
recipient = "*";
|
|
snprintf(z_buf, sizeof(z_buf), "<%s,%s,%s>", class, inst, recipient);
|
|
z_buf[sizeof(z_buf)-1] = '\0';
|
|
return z_buf;
|
|
}
|
|
|
|
static const char *
|
|
str_to_lower(const char *string)
|
|
{
|
|
char *zb_string;
|
|
|
|
strncpy(z_buf, string, sizeof(z_buf));
|
|
z_buf[sizeof(z_buf)-1] = '\0';
|
|
|
|
zb_string = z_buf;
|
|
while (*zb_string) {
|
|
*zb_string = tolower((unsigned char)(*zb_string));
|
|
zb_string++;
|
|
}
|
|
|
|
return z_buf;
|
|
}
|
|
|
|
void
|
|
zephyr_print(netdissect_options *ndo, const u_char *cp, int length)
|
|
{
|
|
struct z_packet z;
|
|
const char *parse = (const char *) cp;
|
|
int parselen = length;
|
|
const char *s;
|
|
int lose = 0;
|
|
int truncated = 0;
|
|
|
|
/* squelch compiler warnings */
|
|
|
|
z.kind = 0;
|
|
z.class = 0;
|
|
z.inst = 0;
|
|
z.opcode = 0;
|
|
z.sender = 0;
|
|
z.recipient = 0;
|
|
|
|
#define PARSE_STRING \
|
|
s = parse_field(ndo, &parse, &parselen, &truncated); \
|
|
if (truncated) goto trunc; \
|
|
if (!s) lose = 1;
|
|
|
|
#define PARSE_FIELD_INT(field) \
|
|
PARSE_STRING \
|
|
if (!lose) field = strtol(s, 0, 16);
|
|
|
|
#define PARSE_FIELD_STR(field) \
|
|
PARSE_STRING \
|
|
if (!lose) field = s;
|
|
|
|
PARSE_FIELD_STR(z.version);
|
|
if (lose) return;
|
|
if (strncmp(z.version, "ZEPH", 4))
|
|
return;
|
|
|
|
PARSE_FIELD_INT(z.numfields);
|
|
PARSE_FIELD_INT(z.kind);
|
|
PARSE_FIELD_STR(z.uid);
|
|
PARSE_FIELD_INT(z.port);
|
|
PARSE_FIELD_INT(z.auth);
|
|
PARSE_FIELD_INT(z.authlen);
|
|
PARSE_FIELD_STR(z.authdata);
|
|
PARSE_FIELD_STR(z.class);
|
|
PARSE_FIELD_STR(z.inst);
|
|
PARSE_FIELD_STR(z.opcode);
|
|
PARSE_FIELD_STR(z.sender);
|
|
PARSE_FIELD_STR(z.recipient);
|
|
PARSE_FIELD_STR(z.format);
|
|
PARSE_FIELD_INT(z.cksum);
|
|
PARSE_FIELD_INT(z.multi);
|
|
PARSE_FIELD_STR(z.multi_uid);
|
|
|
|
if (lose)
|
|
goto trunc;
|
|
|
|
ND_PRINT((ndo, " zephyr"));
|
|
if (strncmp(z.version+4, "0.2", 3)) {
|
|
ND_PRINT((ndo, " v%s", z.version+4));
|
|
return;
|
|
}
|
|
|
|
ND_PRINT((ndo, " %s", tok2str(z_types, "type %d", z.kind)));
|
|
if (z.kind == Z_PACKET_SERVACK) {
|
|
/* Initialization to silence warnings */
|
|
const char *ackdata = NULL;
|
|
PARSE_FIELD_STR(ackdata);
|
|
if (!lose && strcmp(ackdata, "SENT"))
|
|
ND_PRINT((ndo, "/%s", str_to_lower(ackdata)));
|
|
}
|
|
if (*z.sender) ND_PRINT((ndo, " %s", z.sender));
|
|
|
|
if (!strcmp(z.class, "USER_LOCATE")) {
|
|
if (!strcmp(z.opcode, "USER_HIDE"))
|
|
ND_PRINT((ndo, " hide"));
|
|
else if (!strcmp(z.opcode, "USER_UNHIDE"))
|
|
ND_PRINT((ndo, " unhide"));
|
|
else
|
|
ND_PRINT((ndo, " locate %s", z.inst));
|
|
return;
|
|
}
|
|
|
|
if (!strcmp(z.class, "ZEPHYR_ADMIN")) {
|
|
ND_PRINT((ndo, " zephyr-admin %s", str_to_lower(z.opcode)));
|
|
return;
|
|
}
|
|
|
|
if (!strcmp(z.class, "ZEPHYR_CTL")) {
|
|
if (!strcmp(z.inst, "CLIENT")) {
|
|
if (!strcmp(z.opcode, "SUBSCRIBE") ||
|
|
!strcmp(z.opcode, "SUBSCRIBE_NODEFS") ||
|
|
!strcmp(z.opcode, "UNSUBSCRIBE")) {
|
|
|
|
ND_PRINT((ndo, " %ssub%s", strcmp(z.opcode, "SUBSCRIBE") ? "un" : "",
|
|
strcmp(z.opcode, "SUBSCRIBE_NODEFS") ? "" :
|
|
"-nodefs"));
|
|
if (z.kind != Z_PACKET_SERVACK) {
|
|
/* Initialization to silence warnings */
|
|
const char *c = NULL, *i = NULL, *r = NULL;
|
|
PARSE_FIELD_STR(c);
|
|
PARSE_FIELD_STR(i);
|
|
PARSE_FIELD_STR(r);
|
|
if (!lose) ND_PRINT((ndo, " %s", z_triple(c, i, r)));
|
|
}
|
|
return;
|
|
}
|
|
|
|
if (!strcmp(z.opcode, "GIMME")) {
|
|
ND_PRINT((ndo, " ret"));
|
|
return;
|
|
}
|
|
|
|
if (!strcmp(z.opcode, "GIMMEDEFS")) {
|
|
ND_PRINT((ndo, " gimme-defs"));
|
|
return;
|
|
}
|
|
|
|
if (!strcmp(z.opcode, "CLEARSUB")) {
|
|
ND_PRINT((ndo, " clear-subs"));
|
|
return;
|
|
}
|
|
|
|
ND_PRINT((ndo, " %s", str_to_lower(z.opcode)));
|
|
return;
|
|
}
|
|
|
|
if (!strcmp(z.inst, "HM")) {
|
|
ND_PRINT((ndo, " %s", str_to_lower(z.opcode)));
|
|
return;
|
|
}
|
|
|
|
if (!strcmp(z.inst, "REALM")) {
|
|
if (!strcmp(z.opcode, "ADD_SUBSCRIBE"))
|
|
ND_PRINT((ndo, " realm add-subs"));
|
|
if (!strcmp(z.opcode, "REQ_SUBSCRIBE"))
|
|
ND_PRINT((ndo, " realm req-subs"));
|
|
if (!strcmp(z.opcode, "RLM_SUBSCRIBE"))
|
|
ND_PRINT((ndo, " realm rlm-sub"));
|
|
if (!strcmp(z.opcode, "RLM_UNSUBSCRIBE"))
|
|
ND_PRINT((ndo, " realm rlm-unsub"));
|
|
return;
|
|
}
|
|
}
|
|
|
|
if (!strcmp(z.class, "HM_CTL")) {
|
|
ND_PRINT((ndo, " hm_ctl %s", str_to_lower(z.inst)));
|
|
ND_PRINT((ndo, " %s", str_to_lower(z.opcode)));
|
|
return;
|
|
}
|
|
|
|
if (!strcmp(z.class, "HM_STAT")) {
|
|
if (!strcmp(z.inst, "HMST_CLIENT") && !strcmp(z.opcode, "GIMMESTATS")) {
|
|
ND_PRINT((ndo, " get-client-stats"));
|
|
return;
|
|
}
|
|
}
|
|
|
|
if (!strcmp(z.class, "WG_CTL")) {
|
|
ND_PRINT((ndo, " wg_ctl %s", str_to_lower(z.inst)));
|
|
ND_PRINT((ndo, " %s", str_to_lower(z.opcode)));
|
|
return;
|
|
}
|
|
|
|
if (!strcmp(z.class, "LOGIN")) {
|
|
if (!strcmp(z.opcode, "USER_FLUSH")) {
|
|
ND_PRINT((ndo, " flush_locs"));
|
|
return;
|
|
}
|
|
|
|
if (!strcmp(z.opcode, "NONE") ||
|
|
!strcmp(z.opcode, "OPSTAFF") ||
|
|
!strcmp(z.opcode, "REALM-VISIBLE") ||
|
|
!strcmp(z.opcode, "REALM-ANNOUNCED") ||
|
|
!strcmp(z.opcode, "NET-VISIBLE") ||
|
|
!strcmp(z.opcode, "NET-ANNOUNCED")) {
|
|
ND_PRINT((ndo, " set-exposure %s", str_to_lower(z.opcode)));
|
|
return;
|
|
}
|
|
}
|
|
|
|
if (!*z.recipient)
|
|
z.recipient = "*";
|
|
|
|
ND_PRINT((ndo, " to %s", z_triple(z.class, z.inst, z.recipient)));
|
|
if (*z.opcode)
|
|
ND_PRINT((ndo, " op %s", z.opcode));
|
|
return;
|
|
|
|
trunc:
|
|
ND_PRINT((ndo, " [|zephyr] (%d)", length));
|
|
return;
|
|
}
|