freebsd-skq/contrib/tcpdump/print-rrcp.c
glebius 640e6f3b3b Update tcpdump to 4.9.0.
It fixes many buffer overflow in different protocol parsers, but none of
them are critical, even in absense of Capsicum.

Security:	CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925
Security:	CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929
Security:	CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933
Security:	CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937
Security:	CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973
Security:	CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984
Security:	CVE-2016-7985, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993
Security:	CVE-2016-8574, CVE-2016-8575, CVE-2017-5202, CVE-2017-5203
Security:	CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342
Security:	CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485
Security:	CVE-2017-5486
2017-02-01 20:26:42 +00:00

130 lines
4.6 KiB
C

/*
* Copyright (c) 2007 - Andrey "nording" Chernyak <andrew@nording.ru>
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that: (1) source code distributions
* retain the above copyright notice and this paragraph in its entirety, (2)
* distributions including binary code include the above copyright notice and
* this paragraph in its entirety in the documentation or other materials
* provided with the distribution, and (3) all advertising materials mentioning
* features or use of this software display the following acknowledgement:
* ``This product includes software developed by the University of California,
* Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
* the University nor the names of its contributors may be used to endorse
* or promote products derived from this software without specific prior
* written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
* Format and print Realtek Remote Control Protocol (RRCP)
* and Realtek Echo Protocol (RRCP-REP) packets.
*/
/* \summary: Realtek Remote Control Protocol (RRCP) printer */
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <netdissect-stdinc.h>
#include "netdissect.h"
#include "addrtoname.h"
#include "extract.h"
#include "ether.h"
#define RRCP_OPCODE_MASK 0x7F /* 0x00 = hello, 0x01 = get, 0x02 = set */
#define RRCP_ISREPLY 0x80 /* 0 = request to switch, 0x80 = reply from switch */
#define RRCP_PROTO_OFFSET 0 /* proto - 1 byte, must be 1 */
#define RRCP_OPCODE_ISREPLY_OFFSET 1 /* opcode and isreply flag - 1 byte */
#define RRCP_AUTHKEY_OFFSET 2 /* authorization key - 2 bytes, 0x2379 by default */
/* most packets */
#define RRCP_REG_ADDR_OFFSET 4 /* register address - 2 bytes */
#define RRCP_REG_DATA_OFFSET 6 /* register data - 4 bytes */
#define RRCP_COOKIE1_OFFSET 10 /* 4 bytes */
#define RRCP_COOKIE2_OFFSET 14 /* 4 bytes */
/* hello reply packets */
#define RRCP_DOWNLINK_PORT_OFFSET 4 /* 1 byte */
#define RRCP_UPLINK_PORT_OFFSET 5 /* 1 byte */
#define RRCP_UPLINK_MAC_OFFSET 6 /* 6 byte MAC address */
#define RRCP_CHIP_ID_OFFSET 12 /* 2 bytes */
#define RRCP_VENDOR_ID_OFFSET 14 /* 4 bytes */
static const struct tok proto_values[] = {
{ 1, "RRCP" },
{ 2, "RRCP-REP" },
{ 0, NULL }
};
static const struct tok opcode_values[] = {
{ 0, "hello" },
{ 1, "get" },
{ 2, "set" },
{ 0, NULL }
};
/*
* Print RRCP requests
*/
void
rrcp_print(netdissect_options *ndo,
register const u_char *cp,
u_int length _U_,
const struct lladdr_info *src,
const struct lladdr_info *dst)
{
uint8_t rrcp_proto;
uint8_t rrcp_opcode;
ND_TCHECK(*(cp + RRCP_PROTO_OFFSET));
rrcp_proto = *(cp + RRCP_PROTO_OFFSET);
ND_TCHECK(*(cp + RRCP_OPCODE_ISREPLY_OFFSET));
rrcp_opcode = (*(cp + RRCP_OPCODE_ISREPLY_OFFSET)) & RRCP_OPCODE_MASK;
if (src != NULL && dst != NULL) {
ND_PRINT((ndo, "%s > %s, ",
(src->addr_string)(ndo, src->addr),
(dst->addr_string)(ndo, dst->addr)));
}
ND_PRINT((ndo, "%s %s",
tok2str(proto_values,"RRCP-0x%02x",rrcp_proto),
((*(cp + RRCP_OPCODE_ISREPLY_OFFSET)) & RRCP_ISREPLY) ? "reply" : "query"));
if (rrcp_proto==1){
ND_PRINT((ndo, ": %s",
tok2str(opcode_values,"unknown opcode (0x%02x)",rrcp_opcode)));
}
if (rrcp_opcode==1 || rrcp_opcode==2){
ND_TCHECK2(*(cp + RRCP_REG_ADDR_OFFSET), 6);
ND_PRINT((ndo, " addr=0x%04x, data=0x%08x",
EXTRACT_LE_16BITS(cp + RRCP_REG_ADDR_OFFSET),
EXTRACT_LE_32BITS(cp + RRCP_REG_DATA_OFFSET)));
}
if (rrcp_proto==1){
ND_TCHECK2(*(cp + RRCP_AUTHKEY_OFFSET), 2);
ND_PRINT((ndo, ", auth=0x%04x",
EXTRACT_16BITS(cp + RRCP_AUTHKEY_OFFSET)));
}
if (rrcp_proto==1 && rrcp_opcode==0 &&
((*(cp + RRCP_OPCODE_ISREPLY_OFFSET)) & RRCP_ISREPLY)){
ND_TCHECK2(*(cp + RRCP_VENDOR_ID_OFFSET), 4);
ND_PRINT((ndo, " downlink_port=%d, uplink_port=%d, uplink_mac=%s, vendor_id=%08x ,chip_id=%04x ",
*(cp + RRCP_DOWNLINK_PORT_OFFSET),
*(cp + RRCP_UPLINK_PORT_OFFSET),
etheraddr_string(ndo, cp + RRCP_UPLINK_MAC_OFFSET),
EXTRACT_32BITS(cp + RRCP_VENDOR_ID_OFFSET),
EXTRACT_16BITS(cp + RRCP_CHIP_ID_OFFSET)));
}else if (rrcp_opcode==1 || rrcp_opcode==2 || rrcp_proto==2){
ND_TCHECK2(*(cp + RRCP_COOKIE2_OFFSET), 4);
ND_PRINT((ndo, ", cookie=0x%08x%08x ",
EXTRACT_32BITS(cp + RRCP_COOKIE2_OFFSET),
EXTRACT_32BITS(cp + RRCP_COOKIE1_OFFSET)));
}
return;
trunc:
ND_PRINT((ndo, "[|rrcp]"));
}