freebsd-skq/contrib/tcpdump/print-mpcp.c
Ed Maste 0bff6a5af8 Update tcpdump to 4.9.2
It contains many fixes, including bounds checking, buffer overflows (in
SLIP and bittok2str_internal), buffer over-reads, and infinite loops.

One other notable change:
  Do not use getprotobynumber() for protocol name resolution.
  Do not do any protocol name resolution if -n is specified.

Submitted by:	gordon
Reviewed by:	delphij, emaste, glebius
MFC after:	1 week
Relnotes:	Yes
Security:	CVE-2017-11108, CVE-2017-11541, CVE-2017-11542
Security:	CVE-2017-11543, CVE-2017-12893, CVE-2017-12894
Security:	CVE-2017-12895, CVE-2017-12896, CVE-2017-12897
Security:	CVE-2017-12898, CVE-2017-12899, CVE-2017-12900
Security:	CVE-2017-12901, CVE-2017-12902, CVE-2017-12985
Security:	CVE-2017-12986, CVE-2017-12987, CVE-2017-12988
Security:	CVE-2017-12989, CVE-2017-12990, CVE-2017-12991
Security:	CVE-2017-12992, CVE-2017-12993, CVE-2017-12994
Security:	CVE-2017-12995, CVE-2017-12996, CVE-2017-12997
Security:	CVE-2017-12998, CVE-2017-12999, CVE-2017-13000
Security:	CVE-2017-13001, CVE-2017-13002, CVE-2017-13003
Security:	CVE-2017-13004, CVE-2017-13005, CVE-2017-13006
Security:	CVE-2017-13007, CVE-2017-13008, CVE-2017-13009
Security:	CVE-2017-13010, CVE-2017-13011, CVE-2017-13012
Security:	CVE-2017-13013, CVE-2017-13014, CVE-2017-13015
Security:	CVE-2017-13016, CVE-2017-13017, CVE-2017-13018
Security:	CVE-2017-13019, CVE-2017-13020, CVE-2017-13021
Security:	CVE-2017-13022, CVE-2017-13023, CVE-2017-13024
Security:	CVE-2017-13025, CVE-2017-13026, CVE-2017-13027
Security:	CVE-2017-13028, CVE-2017-13029, CVE-2017-13030
Security:	CVE-2017-13031, CVE-2017-13032, CVE-2017-13033
Security:	CVE-2017-13034, CVE-2017-13035, CVE-2017-13036
Security:	CVE-2017-13037, CVE-2017-13038, CVE-2017-13039
Security:	CVE-2017-13040, CVE-2017-13041, CVE-2017-13042
Security:	CVE-2017-13043, CVE-2017-13044, CVE-2017-13045
Security:	CVE-2017-13046, CVE-2017-13047, CVE-2017-13048
Security:	CVE-2017-13049, CVE-2017-13050, CVE-2017-13051
Security:	CVE-2017-13052, CVE-2017-13053, CVE-2017-13054
Security:	CVE-2017-13055, CVE-2017-13687, CVE-2017-13688
Security:	CVE-2017-13689, CVE-2017-13690, CVE-2017-13725
Differential Revision:	https://reviews.freebsd.org/D12404
2017-12-06 02:21:11 +00:00


/*
* Copyright (c) 1998-2006 The TCPDUMP project
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that: (1) source code
* distributions retain the above copyright notice and this paragraph
* in its entirety, and (2) distributions including binary code include
* the above copyright notice and this paragraph in its entirety in
* the documentation or other materials provided with the distribution.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND
* WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT
* LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE.
*
* Original code by Hannes Gredler (hannes@gredler.at)
*/
/* \summary: IEEE 802.3ah Multi-Point Control Protocol (MPCP) printer */
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <netdissect-stdinc.h>
#include "netdissect.h"
#include "extract.h"
/* Sizes, in bytes, of the timestamp and duration/sync-time fields. */
#define MPCP_TIMESTAMP_LEN 4
#define MPCP_TIMESTAMP_DURATION_LEN 2
/*
 * Header found at the start of the buffer handed to mpcp_print().
 * Both members are byte arrays, so they are decoded with the EXTRACT_*
 * helpers instead of being read as native integers.
 */
struct mpcp_common_header_t {
uint8_t opcode[2]; /* read with EXTRACT_16BITS(); selects the per-opcode decode */
uint8_t timestamp[MPCP_TIMESTAMP_LEN]; /* read with EXTRACT_32BITS(); printed as ticks */
};
/* Opcode values compared against the 16-bit opcode of the common header. */
#define MPCP_OPCODE_PAUSE 0x0001
#define MPCP_OPCODE_GATE 0x0002
#define MPCP_OPCODE_REPORT 0x0003
#define MPCP_OPCODE_REG_REQ 0x0004
#define MPCP_OPCODE_REG 0x0005
#define MPCP_OPCODE_REG_ACK 0x0006
/*
 * Opcode-to-name table passed to tok2str() in mpcp_print(); opcodes not
 * listed here are printed with the "Unknown (%u)" format given at the
 * call site.  The { 0, NULL } entry is the last one in the table.
 */
static const struct tok mpcp_opcode_values[] = {
{ MPCP_OPCODE_PAUSE, "Pause" },
{ MPCP_OPCODE_GATE, "Gate" },
{ MPCP_OPCODE_REPORT, "Report" },
{ MPCP_OPCODE_REG_REQ, "Register Request" },
{ MPCP_OPCODE_REG, "Register" },
{ MPCP_OPCODE_REG_ACK, "Register ACK" },
{ 0, NULL}
};
/*
 * The first byte of a Gate body carries two things.  The low three bits
 * (MPCP_GRANT_NUMBER_MASK) give the number of grant entries that follow,
 * so the grant loop in mpcp_print() runs at most 7 times whatever the
 * packet says.  The remaining bits are flags named by the table below.
 * MPCP_GRANT_NUMBER_LEN is the size of that byte, used for the bounds check.
 */
#define MPCP_GRANT_NUMBER_LEN 1
#define MPCP_GRANT_NUMBER_MASK 0x7
/* Names for the flag bits of the Gate byte, decoded with bittok2str(). */
static const struct tok mpcp_grant_flag_values[] = {
{ 0x08, "Discovery" },
{ 0x10, "Force Grant #1" },
{ 0x20, "Force Grant #2" },
{ 0x40, "Force Grant #3" },
{ 0x80, "Force Grant #4" },
{ 0, NULL}
};
/*
 * One grant entry in a Gate body.  mpcp_print() bounds-checks and then
 * advances by sizeof(struct mpcp_grant_t) per entry; all members are byte
 * arrays, so no alignment padding is expected in that size.
 */
struct mpcp_grant_t {
uint8_t starttime[MPCP_TIMESTAMP_LEN]; /* read with EXTRACT_32BITS(); printed as ticks */
uint8_t duration[MPCP_TIMESTAMP_DURATION_LEN]; /* read with EXTRACT_16BITS(); printed as ticks */
};
/* Body of a Register Request: two single bytes, printed as they are read. */
struct mpcp_reg_req_t {
uint8_t flags; /* named through mpcp_reg_req_flag_values */
uint8_t pending_grants; /* printed as an unsigned number */
};
/*
 * Names for the Register Request flags byte.  mpcp_print() passes this
 * table to bittok2str().
 * NOTE(review): 1 and 3 share a bit, so these look like enumerated values
 * rather than independent bit masks - confirm that a bit-mask decoder
 * prints the intended single name for a flags byte of 3.
 */
static const struct tok mpcp_reg_req_flag_values[] = {
{ 1, "Register" },
{ 3, "De-Register" },
{ 0, NULL}
};
/*
 * Body of a Register message.  mpcp_print() checks that
 * sizeof(struct mpcp_reg_t) bytes are available before reading any member.
 */
struct mpcp_reg_t {
uint8_t assigned_port[2]; /* read with EXTRACT_16BITS() */
uint8_t flags; /* named through mpcp_reg_flag_values */
uint8_t sync_time[MPCP_TIMESTAMP_DURATION_LEN]; /* read with EXTRACT_16BITS(); printed as ticks */
uint8_t echoed_pending_grants; /* printed as an unsigned number */
};
/*
 * Names for the Register flags byte.  mpcp_print() passes this table to
 * bittok2str().
 * NOTE(review): the values 1..4 are consecutive rather than one bit each,
 * so they look like an enumeration - confirm that decoding them as bit
 * masks cannot print a combined or misleading name (e.g. for 3, "ACK").
 */
static const struct tok mpcp_reg_flag_values[] = {
{ 1, "Re-Register" },
{ 2, "De-Register" },
{ 3, "ACK" },
{ 4, "NACK" },
{ 0, NULL}
};
/*
 * Sizes, in bytes, of the queue-set count at the start of a Report body
 * and of the bitmap that opens each queue set.
 */
#define MPCP_REPORT_QUEUESETS_LEN 1
#define MPCP_REPORT_REPORTBITMAP_LEN 1
/*
 * Names for the bits of a queue set's report bitmap.  In mpcp_print() every
 * set bit is followed by one MPCP_TIMESTAMP_DURATION_LEN-byte report, so the
 * bitmap decides how many more bytes of the packet are consumed (at most
 * eight reports per queue set).
 */
static const struct tok mpcp_report_bitmap_values[] = {
{ 0x01, "Q0" },
{ 0x02, "Q1" },
{ 0x04, "Q2" },
{ 0x08, "Q3" },
{ 0x10, "Q4" },
{ 0x20, "Q5" },
{ 0x40, "Q6" },
{ 0x80, "Q7" },
{ 0, NULL}
};
/*
 * Body of a Register ACK.  mpcp_print() checks that
 * sizeof(struct mpcp_reg_ack_t) bytes are available before reading it.
 */
struct mpcp_reg_ack_t {
uint8_t flags; /* named through mpcp_reg_ack_flag_values */
uint8_t echoed_assigned_port[2]; /* read with EXTRACT_16BITS() */
uint8_t echoed_sync_time[MPCP_TIMESTAMP_DURATION_LEN]; /* read with EXTRACT_16BITS(); printed as ticks */
};
/*
 * Names for the Register ACK flags byte.  mpcp_print() passes this table
 * to bittok2str().
 * NOTE(review): a value of 0 cannot be a set bit, so "NACK" reads as an
 * enumerated value - confirm how bittok2str() treats a zero entry and
 * whether a plain value lookup was intended.
 */
static const struct tok mpcp_reg_ack_flag_values[] = {
{ 0, "NACK" },
{ 1, "ACK" },
{ 0, NULL}
};
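/*
 * Print an IEEE 802.3ah MPCP frame.
 *
 * ndo    - dissector state; a non-zero ndo_vflag enables the per-opcode
 *          decode that follows the summary line.
 * pptr   - start of the MPCP common header.
 * length - length supplied by the caller.  It is printed and, for unknown
 *          opcodes, handed to print_unknown_data(); it never bounds a read
 *          in this function.
 *
 * Every field comes from the packet, so each read is preceded by an
 * ND_TCHECK2() for exactly the bytes about to be used.  ND_TCHECK2 is
 * defined in netdissect.h (not shown here); a failed check is expected to
 * end up at the trunc label, which prints the "[|MPCP]" marker.
 */
void
mpcp_print(netdissect_options *ndo, register const u_char *pptr, register u_int length)
{
	/* Typed views onto the packet bytes; only one is meaningful per opcode. */
	union {
		const struct mpcp_common_header_t *common_header;
		const struct mpcp_grant_t *grant;
		const struct mpcp_reg_req_t *reg_req;
		const struct mpcp_reg_t *reg;
		const struct mpcp_reg_ack_t *reg_ack;
	} mpcp;

	const u_char *tptr;
	uint16_t opcode;
	uint8_t grant_numbers, grant;
	uint8_t queue_sets, queue_set, report_bitmap, report;

	tptr = pptr;
	mpcp.common_header = (const struct mpcp_common_header_t *)pptr;
	/* The whole common header must be present before any field is read. */
	ND_TCHECK2(*tptr, sizeof(const struct mpcp_common_header_t));

	opcode = EXTRACT_16BITS(mpcp.common_header->opcode);
	ND_PRINT((ndo, "MPCP, Opcode %s", tok2str(mpcp_opcode_values, "Unknown (%u)", opcode)));
	if (opcode != MPCP_OPCODE_PAUSE) {
		ND_PRINT((ndo, ", Timestamp %u ticks", EXTRACT_32BITS(mpcp.common_header->timestamp)));
	}
	ND_PRINT((ndo, ", length %u", length));

	/* Without -v only the summary line is printed. */
	if (!ndo->ndo_vflag)
		return;

	tptr += sizeof(const struct mpcp_common_header_t);

	switch (opcode) {
	case MPCP_OPCODE_PAUSE:
		break;

	case MPCP_OPCODE_GATE:
		ND_TCHECK2(*tptr, MPCP_GRANT_NUMBER_LEN);
		/* Masked to 0..7, so the grant loop is bounded regardless of input. */
		grant_numbers = *tptr & MPCP_GRANT_NUMBER_MASK;
		ND_PRINT((ndo, "\n\tGrant Numbers %u, Flags [ %s ]",
		    grant_numbers,
		    bittok2str(mpcp_grant_flag_values,
			"?",
			*tptr &~ MPCP_GRANT_NUMBER_MASK)));
		tptr++;

		for (grant = 1; grant <= grant_numbers; grant++) {
			/* Re-check per entry: the count is a claim made by the packet. */
			ND_TCHECK2(*tptr, sizeof(const struct mpcp_grant_t));
			mpcp.grant = (const struct mpcp_grant_t *)tptr;
			ND_PRINT((ndo, "\n\tGrant #%u, Start-Time %u ticks, duration %u ticks",
			    grant,
			    EXTRACT_32BITS(mpcp.grant->starttime),
			    EXTRACT_16BITS(mpcp.grant->duration)));
			tptr += sizeof(const struct mpcp_grant_t);
		}

		ND_TCHECK2(*tptr, MPCP_TIMESTAMP_DURATION_LEN);
		ND_PRINT((ndo, "\n\tSync-Time %u ticks", EXTRACT_16BITS(tptr)));
		break;

	case MPCP_OPCODE_REPORT:
		ND_TCHECK2(*tptr, MPCP_REPORT_QUEUESETS_LEN);
		/*
		 * Unlike the grant count this byte is used unmasked (0..255).
		 * The loop still ends, because every pass checks for and then
		 * consumes at least the bitmap byte.
		 */
		queue_sets = *tptr;
		tptr += MPCP_REPORT_QUEUESETS_LEN;
		ND_PRINT((ndo, "\n\tTotal Queue-Sets %u", queue_sets));

		/*
		 * NOTE(review): this visits queue sets 1 .. queue_sets-1, one
		 * fewer than the total printed above - confirm against the
		 * frame format whether "<=" was intended.  If the bound is
		 * changed, widen queue_set first: a uint8_t can never exceed
		 * a count of 255.
		 */
		for (queue_set = 1; queue_set < queue_sets; queue_set++) {
			ND_TCHECK2(*tptr, MPCP_REPORT_REPORTBITMAP_LEN);
			report_bitmap = *(tptr);
			/* Label the line with the current set, not the total count. */
			ND_PRINT((ndo, "\n\t Queue-Set #%u, Report-Bitmap [ %s ]",
			    queue_set,
			    bittok2str(mpcp_report_bitmap_values, "Unknown", report_bitmap)));
			tptr++;

			/*
			 * One 2-byte report follows for each set bit, lowest bit
			 * first.  NOTE(review): reports are numbered from 1 here
			 * while the bitmap names start at "Q0" - confirm which
			 * numbering is intended.
			 */
			report = 1;
			while (report_bitmap != 0) {
				if (report_bitmap & 1) {
					ND_TCHECK2(*tptr, MPCP_TIMESTAMP_DURATION_LEN);
					ND_PRINT((ndo, "\n\t Q%u Report, Duration %u ticks",
					    report,
					    EXTRACT_16BITS(tptr)));
					tptr += MPCP_TIMESTAMP_DURATION_LEN;
				}
				report++;
				report_bitmap = report_bitmap >> 1;
			}
		}
		break;

	case MPCP_OPCODE_REG_REQ:
		ND_TCHECK2(*tptr, sizeof(const struct mpcp_reg_req_t));
		mpcp.reg_req = (const struct mpcp_reg_req_t *)tptr;
		ND_PRINT((ndo, "\n\tFlags [ %s ], Pending-Grants %u",
		    bittok2str(mpcp_reg_req_flag_values, "Reserved", mpcp.reg_req->flags),
		    mpcp.reg_req->pending_grants));
		break;

	case MPCP_OPCODE_REG:
		ND_TCHECK2(*tptr, sizeof(const struct mpcp_reg_t));
		mpcp.reg = (const struct mpcp_reg_t *)tptr;
		ND_PRINT((ndo, "\n\tAssigned-Port %u, Flags [ %s ]" \
		    "\n\tSync-Time %u ticks, Echoed-Pending-Grants %u",
		    EXTRACT_16BITS(mpcp.reg->assigned_port),
		    bittok2str(mpcp_reg_flag_values, "Reserved", mpcp.reg->flags),
		    EXTRACT_16BITS(mpcp.reg->sync_time),
		    mpcp.reg->echoed_pending_grants));
		break;

	case MPCP_OPCODE_REG_ACK:
		ND_TCHECK2(*tptr, sizeof(const struct mpcp_reg_ack_t));
		mpcp.reg_ack = (const struct mpcp_reg_ack_t *)tptr;
		ND_PRINT((ndo, "\n\tEchoed-Assigned-Port %u, Flags [ %s ]" \
		    "\n\tEchoed-Sync-Time %u ticks",
		    EXTRACT_16BITS(mpcp.reg_ack->echoed_assigned_port),
		    bittok2str(mpcp_reg_ack_flag_values, "Reserved", mpcp.reg_ack->flags),
		    EXTRACT_16BITS(mpcp.reg_ack->echoed_sync_time)));
		break;

	default:
		/*
		 * unknown opcode - hexdump for now
		 * The dump starts at pptr and uses the caller's length, which
		 * was never compared with the captured data in this function.
		 * NOTE(review): this relies on print_unknown_data() to stop at
		 * the end of the captured bytes - confirm.
		 */
		print_unknown_data(ndo,pptr, "\n\t", length);
		break;
	}

	return;

trunc:
	ND_PRINT((ndo, "\n\t[|MPCP]"));
}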
/*
* Local Variables:
* c-style: whitesmith
* c-basic-offset: 8
* End:
*/