37e2725e53
It contains many fixes, including bounds checking, buffer overflows (in SLIP and bittok2str_internal), buffer over-reads, and infinite loops. One other notable change: Do not use getprotobynumber() for protocol name resolution. Do not do any protocol name resolution if -n is specified. Submitted by: gordon Reviewed by: delphij, emaste, glebius MFC after: 1 week Relnotes: Yes Security: CVE-2017-11108, CVE-2017-11541, CVE-2017-11542 Security: CVE-2017-11543, CVE-2017-12893, CVE-2017-12894 Security: CVE-2017-12895, CVE-2017-12896, CVE-2017-12897 Security: CVE-2017-12898, CVE-2017-12899, CVE-2017-12900 Security: CVE-2017-12901, CVE-2017-12902, CVE-2017-12985 Security: CVE-2017-12986, CVE-2017-12987, CVE-2017-12988 Security: CVE-2017-12989, CVE-2017-12990, CVE-2017-12991 Security: CVE-2017-12992, CVE-2017-12993, CVE-2017-12994 Security: CVE-2017-12995, CVE-2017-12996, CVE-2017-12997 Security: CVE-2017-12998, CVE-2017-12999, CVE-2017-13000 Security: CVE-2017-13001, CVE-2017-13002, CVE-2017-13003 Security: CVE-2017-13004, CVE-2017-13005, CVE-2017-13006 Security: CVE-2017-13007, CVE-2017-13008, CVE-2017-13009 Security: CVE-2017-13010, CVE-2017-13011, CVE-2017-13012 Security: CVE-2017-13013, CVE-2017-13014, CVE-2017-13015 Security: CVE-2017-13016, CVE-2017-13017, CVE-2017-13018 Security: CVE-2017-13019, CVE-2017-13020, CVE-2017-13021 Security: CVE-2017-13022, CVE-2017-13023, CVE-2017-13024 Security: CVE-2017-13025, CVE-2017-13026, CVE-2017-13027 Security: CVE-2017-13028, CVE-2017-13029, CVE-2017-13030 Security: CVE-2017-13031, CVE-2017-13032, CVE-2017-13033 Security: CVE-2017-13034, CVE-2017-13035, CVE-2017-13036 Security: CVE-2017-13037, CVE-2017-13038, CVE-2017-13039 Security: CVE-2017-13040, CVE-2017-13041, CVE-2017-13042 Security: CVE-2017-13043, CVE-2017-13044, CVE-2017-13045 Security: CVE-2017-13046, CVE-2017-13047, CVE-2017-13048 Security: CVE-2017-13049, CVE-2017-13050, CVE-2017-13051 Security: CVE-2017-13052, CVE-2017-13053, CVE-2017-13054 Security: CVE-2017-13055, CVE-2017-13687, CVE-2017-13688 Security: CVE-2017-13689, CVE-2017-13690, CVE-2017-13725 Differential Revision: https://reviews.freebsd.org/D12404
409 lines
11 KiB
C
409 lines
11 KiB
C
/*
|
|
* Copyright (c) 1998-2011 The TCPDUMP project
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that: (1) source code
|
|
* distributions retain the above copyright notice and this paragraph
|
|
* in its entirety, and (2) distributions including binary code include
|
|
* the above copyright notice and this paragraph in its entirety in
|
|
* the documentation or other materials provided with the distribution.
|
|
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND
|
|
* WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT
|
|
* LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
|
* FOR A PARTICULAR PURPOSE.
|
|
*
|
|
* Original code by Hannes Gredler (hannes@gredler.at)
|
|
*/
|
|
|
|
/* \summary: Resource Public Key Infrastructure (RPKI) to Router Protocol printer */
|
|
|
|
/* specification: RFC 6810 */
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
#include "config.h"
|
|
#endif
|
|
|
|
#include <netdissect-stdinc.h>
|
|
|
|
#include <string.h>
|
|
|
|
#include "netdissect.h"
|
|
#include "extract.h"
|
|
#include "addrtoname.h"
|
|
|
|
static const char tstr[] = "[|RPKI-RTR]";
|
|
|
|
/*
|
|
* RPKI/Router PDU header
|
|
*
|
|
* Here's what the PDU header looks like.
|
|
* The length does include the version and length fields.
|
|
*/
|
|
typedef struct rpki_rtr_pdu_ {
|
|
u_char version; /* Version number */
|
|
u_char pdu_type; /* PDU type */
|
|
union {
|
|
u_char session_id[2]; /* Session id */
|
|
u_char error_code[2]; /* Error code */
|
|
} u;
|
|
u_char length[4];
|
|
} rpki_rtr_pdu;
|
|
#define RPKI_RTR_PDU_OVERHEAD (offsetof(rpki_rtr_pdu, rpki_rtr_pdu_msg))
|
|
|
|
/*
|
|
* IPv4 Prefix PDU.
|
|
*/
|
|
typedef struct rpki_rtr_pdu_ipv4_prefix_ {
|
|
rpki_rtr_pdu pdu_header;
|
|
u_char flags;
|
|
u_char prefix_length;
|
|
u_char max_length;
|
|
u_char zero;
|
|
u_char prefix[4];
|
|
u_char as[4];
|
|
} rpki_rtr_pdu_ipv4_prefix;
|
|
|
|
/*
|
|
* IPv6 Prefix PDU.
|
|
*/
|
|
typedef struct rpki_rtr_pdu_ipv6_prefix_ {
|
|
rpki_rtr_pdu pdu_header;
|
|
u_char flags;
|
|
u_char prefix_length;
|
|
u_char max_length;
|
|
u_char zero;
|
|
u_char prefix[16];
|
|
u_char as[4];
|
|
} rpki_rtr_pdu_ipv6_prefix;
|
|
|
|
/*
|
|
* Error report PDU.
|
|
*/
|
|
typedef struct rpki_rtr_pdu_error_report_ {
|
|
rpki_rtr_pdu pdu_header;
|
|
u_char encapsulated_pdu_length[4]; /* Encapsulated PDU length */
|
|
/* Copy of Erroneous PDU (variable, optional) */
|
|
/* Length of Error Text (4 octets in network byte order) */
|
|
/* Arbitrary Text of Error Diagnostic Message (variable, optional) */
|
|
} rpki_rtr_pdu_error_report;
|
|
|
|
/*
|
|
* PDU type codes
|
|
*/
|
|
#define RPKI_RTR_SERIAL_NOTIFY_PDU 0
|
|
#define RPKI_RTR_SERIAL_QUERY_PDU 1
|
|
#define RPKI_RTR_RESET_QUERY_PDU 2
|
|
#define RPKI_RTR_CACHE_RESPONSE_PDU 3
|
|
#define RPKI_RTR_IPV4_PREFIX_PDU 4
|
|
#define RPKI_RTR_IPV6_PREFIX_PDU 6
|
|
#define RPKI_RTR_END_OF_DATA_PDU 7
|
|
#define RPKI_RTR_CACHE_RESET_PDU 8
|
|
#define RPKI_RTR_ERROR_REPORT_PDU 10
|
|
|
|
static const struct tok rpki_rtr_pdu_values[] = {
|
|
{ RPKI_RTR_SERIAL_NOTIFY_PDU, "Serial Notify" },
|
|
{ RPKI_RTR_SERIAL_QUERY_PDU, "Serial Query" },
|
|
{ RPKI_RTR_RESET_QUERY_PDU, "Reset Query" },
|
|
{ RPKI_RTR_CACHE_RESPONSE_PDU, "Cache Response" },
|
|
{ RPKI_RTR_IPV4_PREFIX_PDU, "IPV4 Prefix" },
|
|
{ RPKI_RTR_IPV6_PREFIX_PDU, "IPV6 Prefix" },
|
|
{ RPKI_RTR_END_OF_DATA_PDU, "End of Data" },
|
|
{ RPKI_RTR_CACHE_RESET_PDU, "Cache Reset" },
|
|
{ RPKI_RTR_ERROR_REPORT_PDU, "Error Report" },
|
|
{ 0, NULL}
|
|
};
|
|
|
|
static const struct tok rpki_rtr_error_codes[] = {
|
|
{ 0, "Corrupt Data" },
|
|
{ 1, "Internal Error" },
|
|
{ 2, "No Data Available" },
|
|
{ 3, "Invalid Request" },
|
|
{ 4, "Unsupported Protocol Version" },
|
|
{ 5, "Unsupported PDU Type" },
|
|
{ 6, "Withdrawal of Unknown Record" },
|
|
{ 7, "Duplicate Announcement Received" },
|
|
{ 0, NULL}
|
|
};
|
|
|
|
/*
|
|
* Build a indentation string for a given indentation level.
|
|
* XXX this should be really in util.c
|
|
*/
|
|
static char *
|
|
indent_string (u_int indent)
|
|
{
|
|
static char buf[20];
|
|
u_int idx;
|
|
|
|
idx = 0;
|
|
buf[idx] = '\0';
|
|
|
|
/*
|
|
* Does the static buffer fit ?
|
|
*/
|
|
if (sizeof(buf) < ((indent/8) + (indent %8) + 2)) {
|
|
return buf;
|
|
}
|
|
|
|
/*
|
|
* Heading newline.
|
|
*/
|
|
buf[idx] = '\n';
|
|
idx++;
|
|
|
|
while (indent >= 8) {
|
|
buf[idx] = '\t';
|
|
idx++;
|
|
indent -= 8;
|
|
}
|
|
|
|
while (indent > 0) {
|
|
buf[idx] = ' ';
|
|
idx++;
|
|
indent--;
|
|
}
|
|
|
|
/*
|
|
* Trailing zero.
|
|
*/
|
|
buf[idx] = '\0';
|
|
|
|
return buf;
|
|
}
|
|
|
|
/*
|
|
* Print a single PDU.
|
|
*/
|
|
static u_int
|
|
rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, const u_int len,
|
|
const u_char recurse, const u_int indent)
|
|
{
|
|
const rpki_rtr_pdu *pdu_header;
|
|
u_int pdu_type, pdu_len, hexdump;
|
|
const u_char *msg;
|
|
|
|
/* Protocol Version */
|
|
ND_TCHECK_8BITS(tptr);
|
|
if (*tptr != 0) {
|
|
/* Skip the rest of the input buffer because even if this is
|
|
* a well-formed PDU of a future RPKI-Router protocol version
|
|
* followed by a well-formed PDU of RPKI-Router protocol
|
|
* version 0, there is no way to know exactly how to skip the
|
|
* current PDU.
|
|
*/
|
|
ND_PRINT((ndo, "%sRPKI-RTRv%u (unknown)", indent_string(8), *tptr));
|
|
return len;
|
|
}
|
|
if (len < sizeof(rpki_rtr_pdu)) {
|
|
ND_PRINT((ndo, "(%u bytes is too few to decode)", len));
|
|
goto invalid;
|
|
}
|
|
ND_TCHECK2(*tptr, sizeof(rpki_rtr_pdu));
|
|
pdu_header = (const rpki_rtr_pdu *)tptr;
|
|
pdu_type = pdu_header->pdu_type;
|
|
pdu_len = EXTRACT_32BITS(pdu_header->length);
|
|
/* Do not check bounds with pdu_len yet, do it in the case blocks
|
|
* below to make it possible to decode at least the beginning of
|
|
* a truncated Error Report PDU or a truncated encapsulated PDU.
|
|
*/
|
|
hexdump = FALSE;
|
|
|
|
ND_PRINT((ndo, "%sRPKI-RTRv%u, %s PDU (%u), length: %u",
|
|
indent_string(8),
|
|
pdu_header->version,
|
|
tok2str(rpki_rtr_pdu_values, "Unknown", pdu_type),
|
|
pdu_type, pdu_len));
|
|
if (pdu_len < sizeof(rpki_rtr_pdu) || pdu_len > len)
|
|
goto invalid;
|
|
|
|
switch (pdu_type) {
|
|
|
|
/*
|
|
* The following PDUs share the message format.
|
|
*/
|
|
case RPKI_RTR_SERIAL_NOTIFY_PDU:
|
|
case RPKI_RTR_SERIAL_QUERY_PDU:
|
|
case RPKI_RTR_END_OF_DATA_PDU:
|
|
if (pdu_len != sizeof(rpki_rtr_pdu) + 4)
|
|
goto invalid;
|
|
ND_TCHECK2(*tptr, pdu_len);
|
|
msg = (const u_char *)(pdu_header + 1);
|
|
ND_PRINT((ndo, "%sSession ID: 0x%04x, Serial: %u",
|
|
indent_string(indent+2),
|
|
EXTRACT_16BITS(pdu_header->u.session_id),
|
|
EXTRACT_32BITS(msg)));
|
|
break;
|
|
|
|
/*
|
|
* The following PDUs share the message format.
|
|
*/
|
|
case RPKI_RTR_RESET_QUERY_PDU:
|
|
case RPKI_RTR_CACHE_RESET_PDU:
|
|
if (pdu_len != sizeof(rpki_rtr_pdu))
|
|
goto invalid;
|
|
/* no additional boundary to check */
|
|
|
|
/*
|
|
* Zero payload PDUs.
|
|
*/
|
|
break;
|
|
|
|
case RPKI_RTR_CACHE_RESPONSE_PDU:
|
|
if (pdu_len != sizeof(rpki_rtr_pdu))
|
|
goto invalid;
|
|
/* no additional boundary to check */
|
|
ND_PRINT((ndo, "%sSession ID: 0x%04x",
|
|
indent_string(indent+2),
|
|
EXTRACT_16BITS(pdu_header->u.session_id)));
|
|
break;
|
|
|
|
case RPKI_RTR_IPV4_PREFIX_PDU:
|
|
{
|
|
const rpki_rtr_pdu_ipv4_prefix *pdu;
|
|
|
|
if (pdu_len != sizeof(rpki_rtr_pdu) + 12)
|
|
goto invalid;
|
|
ND_TCHECK2(*tptr, pdu_len);
|
|
pdu = (const rpki_rtr_pdu_ipv4_prefix *)tptr;
|
|
ND_PRINT((ndo, "%sIPv4 Prefix %s/%u-%u, origin-as %u, flags 0x%02x",
|
|
indent_string(indent+2),
|
|
ipaddr_string(ndo, pdu->prefix),
|
|
pdu->prefix_length, pdu->max_length,
|
|
EXTRACT_32BITS(pdu->as), pdu->flags));
|
|
}
|
|
break;
|
|
|
|
case RPKI_RTR_IPV6_PREFIX_PDU:
|
|
{
|
|
const rpki_rtr_pdu_ipv6_prefix *pdu;
|
|
|
|
if (pdu_len != sizeof(rpki_rtr_pdu) + 24)
|
|
goto invalid;
|
|
ND_TCHECK2(*tptr, pdu_len);
|
|
pdu = (const rpki_rtr_pdu_ipv6_prefix *)tptr;
|
|
ND_PRINT((ndo, "%sIPv6 Prefix %s/%u-%u, origin-as %u, flags 0x%02x",
|
|
indent_string(indent+2),
|
|
ip6addr_string(ndo, pdu->prefix),
|
|
pdu->prefix_length, pdu->max_length,
|
|
EXTRACT_32BITS(pdu->as), pdu->flags));
|
|
}
|
|
break;
|
|
|
|
case RPKI_RTR_ERROR_REPORT_PDU:
|
|
{
|
|
const rpki_rtr_pdu_error_report *pdu;
|
|
u_int encapsulated_pdu_length, text_length, tlen, error_code;
|
|
|
|
tlen = sizeof(rpki_rtr_pdu);
|
|
/* Do not test for the "Length of Error Text" data element yet. */
|
|
if (pdu_len < tlen + 4)
|
|
goto invalid;
|
|
ND_TCHECK2(*tptr, tlen + 4);
|
|
/* Safe up to and including the "Length of Encapsulated PDU"
|
|
* data element, more data elements may be present.
|
|
*/
|
|
pdu = (const rpki_rtr_pdu_error_report *)tptr;
|
|
encapsulated_pdu_length = EXTRACT_32BITS(pdu->encapsulated_pdu_length);
|
|
tlen += 4;
|
|
|
|
error_code = EXTRACT_16BITS(pdu->pdu_header.u.error_code);
|
|
ND_PRINT((ndo, "%sError code: %s (%u), Encapsulated PDU length: %u",
|
|
indent_string(indent+2),
|
|
tok2str(rpki_rtr_error_codes, "Unknown", error_code),
|
|
error_code, encapsulated_pdu_length));
|
|
|
|
if (encapsulated_pdu_length) {
|
|
/* Section 5.10 of RFC 6810 says:
|
|
* "An Error Report PDU MUST NOT be sent for an Error Report PDU."
|
|
*
|
|
* However, as far as the protocol encoding goes Error Report PDUs can
|
|
* happen to be nested in each other, however many times, in which case
|
|
* the decoder should still print such semantically incorrect PDUs.
|
|
*
|
|
* That said, "the Erroneous PDU field MAY be truncated" (ibid), thus
|
|
* to keep things simple this implementation decodes only the two
|
|
* outermost layers of PDUs and makes bounds checks in the outer and
|
|
* the inner PDU independently.
|
|
*/
|
|
if (pdu_len < tlen + encapsulated_pdu_length)
|
|
goto invalid;
|
|
if (! recurse) {
|
|
ND_TCHECK2(*tptr, tlen + encapsulated_pdu_length);
|
|
}
|
|
else {
|
|
ND_PRINT((ndo, "%s-----encapsulated PDU-----", indent_string(indent+4)));
|
|
rpki_rtr_pdu_print(ndo, tptr + tlen,
|
|
encapsulated_pdu_length, 0, indent + 2);
|
|
}
|
|
tlen += encapsulated_pdu_length;
|
|
}
|
|
|
|
if (pdu_len < tlen + 4)
|
|
goto invalid;
|
|
ND_TCHECK2(*tptr, tlen + 4);
|
|
/* Safe up to and including the "Length of Error Text" data element,
|
|
* one more data element may be present.
|
|
*/
|
|
|
|
/*
|
|
* Extract, trail-zero and print the Error message.
|
|
*/
|
|
text_length = EXTRACT_32BITS(tptr + tlen);
|
|
tlen += 4;
|
|
|
|
if (text_length) {
|
|
if (pdu_len < tlen + text_length)
|
|
goto invalid;
|
|
/* fn_printn() makes the bounds check */
|
|
ND_PRINT((ndo, "%sError text: ", indent_string(indent+2)));
|
|
if (fn_printn(ndo, tptr + tlen, text_length, ndo->ndo_snapend))
|
|
goto trunc;
|
|
}
|
|
}
|
|
break;
|
|
|
|
default:
|
|
ND_TCHECK2(*tptr, pdu_len);
|
|
|
|
/*
|
|
* Unknown data, please hexdump.
|
|
*/
|
|
hexdump = TRUE;
|
|
}
|
|
|
|
/* do we also want to see a hex dump ? */
|
|
if (ndo->ndo_vflag > 1 || (ndo->ndo_vflag && hexdump)) {
|
|
print_unknown_data(ndo,tptr,"\n\t ", pdu_len);
|
|
}
|
|
return pdu_len;
|
|
|
|
invalid:
|
|
ND_PRINT((ndo, "%s", istr));
|
|
ND_TCHECK2(*tptr, len);
|
|
return len;
|
|
trunc:
|
|
ND_PRINT((ndo, "\n\t%s", tstr));
|
|
return len;
|
|
}
|
|
|
|
void
|
|
rpki_rtr_print(netdissect_options *ndo, register const u_char *pptr, register u_int len)
|
|
{
|
|
if (!ndo->ndo_vflag) {
|
|
ND_PRINT((ndo, ", RPKI-RTR"));
|
|
return;
|
|
}
|
|
while (len) {
|
|
u_int pdu_len = rpki_rtr_pdu_print(ndo, pptr, len, 1, 8);
|
|
len -= pdu_len;
|
|
pptr += pdu_len;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Local Variables:
|
|
* c-style: whitesmith
|
|
* c-basic-offset: 4
|
|
* End:
|
|
*/
|