glebius 640e6f3b3b Update tcpdump to 4.9.0.
It fixes many buffer overflow in different protocol parsers, but none of
them are critical, even in absense of Capsicum.

Security:	CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925
Security:	CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929
Security:	CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933
Security:	CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937
Security:	CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973
Security:	CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984
Security:	CVE-2016-7985, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993
Security:	CVE-2016-8574, CVE-2016-8575, CVE-2017-5202, CVE-2017-5203
Security:	CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342
Security:	CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485
Security:	CVE-2017-5486
2017-02-01 20:26:42 +00:00

274 lines
9.2 KiB
C

/*
* Copyright (c) 1989, 1990, 1991, 1993, 1994, 1996
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that: (1) source code distributions
* retain the above copyright notice and this paragraph in its entirety, (2)
* distributions including binary code include the above copyright notice and
* this paragraph in its entirety in the documentation or other materials
* provided with the distribution, and (3) all advertising materials mentioning
* features or use of this software display the following acknowledgement:
* ``This product includes software developed by the University of California,
* Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
* the University nor the names of its contributors may be used to endorse
* or promote products derived from this software without specific prior
* written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
/* \summary: Routing Information Protocol (RIP) printer */
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <netdissect-stdinc.h>
#include <stdio.h>
#include "netdissect.h"
#include "addrtoname.h"
#include "extract.h"
#include "af.h"
static const char tstr[] = "[|rip]";
struct rip {
uint8_t rip_cmd; /* request/response */
uint8_t rip_vers; /* protocol version # */
uint8_t unused[2]; /* unused */
};
#define RIPCMD_REQUEST 1 /* want info */
#define RIPCMD_RESPONSE 2 /* responding to request */
#define RIPCMD_TRACEON 3 /* turn tracing on */
#define RIPCMD_TRACEOFF 4 /* turn it off */
#define RIPCMD_POLL 5 /* want info from everybody */
#define RIPCMD_POLLENTRY 6 /* poll for entry */
static const struct tok rip_cmd_values[] = {
{ RIPCMD_REQUEST, "Request" },
{ RIPCMD_RESPONSE, "Response" },
{ RIPCMD_TRACEON, "Trace on" },
{ RIPCMD_TRACEOFF, "Trace off" },
{ RIPCMD_POLL, "Poll" },
{ RIPCMD_POLLENTRY, "Poll Entry" },
{ 0, NULL}
};
#define RIP_AUTHLEN 16
#define RIP_ROUTELEN 20
/*
* rfc 1723
*
* 0 1 2 3 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | Command (1) | Version (1) | unused |
* +---------------+---------------+-------------------------------+
* | Address Family Identifier (2) | Route Tag (2) |
* +-------------------------------+-------------------------------+
* | IP Address (4) |
* +---------------------------------------------------------------+
* | Subnet Mask (4) |
* +---------------------------------------------------------------+
* | Next Hop (4) |
* +---------------------------------------------------------------+
* | Metric (4) |
* +---------------------------------------------------------------+
*
*/
struct rip_netinfo {
uint16_t rip_family;
uint16_t rip_tag;
uint32_t rip_dest;
uint32_t rip_dest_mask;
uint32_t rip_router;
uint32_t rip_metric; /* cost of route */
};
static void
rip_entry_print_v1(netdissect_options *ndo,
register const struct rip_netinfo *ni)
{
register u_short family;
/* RFC 1058 */
family = EXTRACT_16BITS(&ni->rip_family);
if (family != BSD_AFNUM_INET && family != 0) {
ND_PRINT((ndo, "\n\t AFI %s, ", tok2str(bsd_af_values, "Unknown (%u)", family)));
print_unknown_data(ndo, (const uint8_t *)&ni->rip_family, "\n\t ", RIP_ROUTELEN);
return;
}
if (EXTRACT_16BITS(&ni->rip_tag) ||
EXTRACT_32BITS(&ni->rip_dest_mask) ||
EXTRACT_32BITS(&ni->rip_router)) {
/* MBZ fields not zero */
print_unknown_data(ndo, (const uint8_t *)&ni->rip_family, "\n\t ", RIP_ROUTELEN);
return;
}
if (family == 0) {
ND_PRINT((ndo, "\n\t AFI 0, %s, metric: %u",
ipaddr_string(ndo, &ni->rip_dest),
EXTRACT_32BITS(&ni->rip_metric)));
return;
} /* BSD_AFNUM_INET */
ND_PRINT((ndo, "\n\t %s, metric: %u",
ipaddr_string(ndo, &ni->rip_dest),
EXTRACT_32BITS(&ni->rip_metric)));
}
static unsigned
rip_entry_print_v2(netdissect_options *ndo,
register const struct rip_netinfo *ni, const unsigned remaining)
{
register u_short family;
family = EXTRACT_16BITS(&ni->rip_family);
if (family == 0xFFFF) { /* variable-sized authentication structures */
uint16_t auth_type = EXTRACT_16BITS(&ni->rip_tag);
if (auth_type == 2) {
register const u_char *p = (const u_char *)&ni->rip_dest;
u_int i = 0;
ND_PRINT((ndo, "\n\t Simple Text Authentication data: "));
for (; i < RIP_AUTHLEN; p++, i++)
ND_PRINT((ndo, "%c", ND_ISPRINT(*p) ? *p : '.'));
} else if (auth_type == 3) {
ND_PRINT((ndo, "\n\t Auth header:"));
ND_PRINT((ndo, " Packet Len %u,", EXTRACT_16BITS((const uint8_t *)ni + 4)));
ND_PRINT((ndo, " Key-ID %u,", *((const uint8_t *)ni + 6)));
ND_PRINT((ndo, " Auth Data Len %u,", *((const uint8_t *)ni + 7)));
ND_PRINT((ndo, " SeqNo %u,", EXTRACT_32BITS(&ni->rip_dest_mask)));
ND_PRINT((ndo, " MBZ %u,", EXTRACT_32BITS(&ni->rip_router)));
ND_PRINT((ndo, " MBZ %u", EXTRACT_32BITS(&ni->rip_metric)));
} else if (auth_type == 1) {
ND_PRINT((ndo, "\n\t Auth trailer:"));
print_unknown_data(ndo, (const uint8_t *)&ni->rip_dest, "\n\t ", remaining);
return remaining; /* AT spans till the packet end */
} else {
ND_PRINT((ndo, "\n\t Unknown (%u) Authentication data:",
EXTRACT_16BITS(&ni->rip_tag)));
print_unknown_data(ndo, (const uint8_t *)&ni->rip_dest, "\n\t ", remaining);
}
} else if (family != BSD_AFNUM_INET && family != 0) {
ND_PRINT((ndo, "\n\t AFI %s", tok2str(bsd_af_values, "Unknown (%u)", family)));
print_unknown_data(ndo, (const uint8_t *)&ni->rip_tag, "\n\t ", RIP_ROUTELEN-2);
} else { /* BSD_AFNUM_INET or AFI 0 */
ND_PRINT((ndo, "\n\t AFI %s, %15s/%-2d, tag 0x%04x, metric: %u, next-hop: ",
tok2str(bsd_af_values, "%u", family),
ipaddr_string(ndo, &ni->rip_dest),
mask2plen(EXTRACT_32BITS(&ni->rip_dest_mask)),
EXTRACT_16BITS(&ni->rip_tag),
EXTRACT_32BITS(&ni->rip_metric)));
if (EXTRACT_32BITS(&ni->rip_router))
ND_PRINT((ndo, "%s", ipaddr_string(ndo, &ni->rip_router)));
else
ND_PRINT((ndo, "self"));
}
return sizeof (*ni);
}
void
rip_print(netdissect_options *ndo,
const u_char *dat, u_int length)
{
register const struct rip *rp;
register const struct rip_netinfo *ni;
register u_int i, j;
if (ndo->ndo_snapend < dat) {
ND_PRINT((ndo, " %s", tstr));
return;
}
i = ndo->ndo_snapend - dat;
if (i > length)
i = length;
if (i < sizeof(*rp)) {
ND_PRINT((ndo, " %s", tstr));
return;
}
i -= sizeof(*rp);
rp = (const struct rip *)dat;
ND_PRINT((ndo, "%sRIPv%u",
(ndo->ndo_vflag >= 1) ? "\n\t" : "",
rp->rip_vers));
switch (rp->rip_vers) {
case 0:
/*
* RFC 1058.
*
* XXX - RFC 1058 says
*
* 0 Datagrams whose version number is zero are to be ignored.
* These are from a previous version of the protocol, whose
* packet format was machine-specific.
*
* so perhaps we should just dump the packet, in hex.
*/
print_unknown_data(ndo, (const uint8_t *)&rp->rip_cmd, "\n\t", length);
break;
default:
/* dump version and lets see if we know the commands name*/
ND_PRINT((ndo, ", %s, length: %u",
tok2str(rip_cmd_values,
"unknown command (%u)",
rp->rip_cmd),
length));
if (ndo->ndo_vflag < 1)
return;
switch (rp->rip_cmd) {
case RIPCMD_REQUEST:
case RIPCMD_RESPONSE:
j = length / sizeof(*ni);
ND_PRINT((ndo, ", routes: %u%s", j, rp->rip_vers == 2 ? " or less" : ""));
ni = (const struct rip_netinfo *)(rp + 1);
for (; i >= sizeof(*ni); ++ni) {
if (rp->rip_vers == 1)
{
rip_entry_print_v1(ndo, ni);
i -= sizeof(*ni);
}
else if (rp->rip_vers == 2)
i -= rip_entry_print_v2(ndo, ni, i);
else
break;
}
if (i)
ND_PRINT((ndo, "%s", tstr));
break;
case RIPCMD_TRACEOFF:
case RIPCMD_POLL:
case RIPCMD_POLLENTRY:
break;
case RIPCMD_TRACEON:
/* fall through */
default:
if (ndo->ndo_vflag <= 1) {
if(!print_unknown_data(ndo, (const uint8_t *)rp, "\n\t", length))
return;
}
break;
}
/* do we want to see an additionally hexdump ? */
if (ndo->ndo_vflag> 1) {
if(!print_unknown_data(ndo, (const uint8_t *)rp, "\n\t", length))
return;
}
}
}