tcpdump/0001-Clean-up-error-message-printing.patch
Lars Vogdt b56a2c3b3f Accepting request 284472 from home:vitezslav_cizek:branches:network:utilities
- fix CVE-2014-8767 (bnc#905870)
  * denial of service in verbose mode using malformed OLSR payload
  * added tcpdump-CVE-2014-8767.patch
- fix CVE-2014-8768 (bnc#905871)
  * denial of service in verbose mode using malformed Geonet payload
  * added tcpdump-CVE-2014-8768.patch
- fix CVE-2014-8769 (bnc#905872)
  * unreliable output using malformed AOVD payload
  * added tcpdump-CVE-2014-8769.patch
  * added 0001-Clean-up-error-message-printing.patch

OBS-URL: https://build.opensuse.org/request/show/284472
OBS-URL: https://build.opensuse.org/package/show/network:utilities/tcpdump?expand=0&rev=23
2015-02-10 09:23:34 +00:00

191 lines
5.8 KiB
Diff

From 3e8a443c3671baa37ae7870f08fb9b4bf386fd24 Mon Sep 17 00:00:00 2001
From: Guy Harris <guy@alum.mit.edu>
Date: Tue, 11 Nov 2014 18:37:35 -0800
Subject: [PATCH] Clean up error message printing.
Have "struct aodv_rerr" just be the header, not including the actual
destinations.
Simplify the logic somewhat, and make it similar in the print routines
for the three types of error messages.
---
print-aodv.c | 88 +++++++++++++++++++++++++++++++-----------------------------
1 file changed, 46 insertions(+), 42 deletions(-)
diff --git a/print-aodv.c b/print-aodv.c
index da5b169..da26473 100644
--- a/print-aodv.c
+++ b/print-aodv.c
@@ -146,13 +146,6 @@ struct aodv_rerr {
uint8_t rerr_flags; /* various flags */
uint8_t rerr_zero0; /* reserved, set to zero */
uint8_t rerr_dc; /* destination count */
- union {
- struct rerr_unreach dest[1];
-#ifdef INET6
- struct rerr_unreach6 dest6[1];
- struct rerr_unreach6_draft_01 dest6_draft_01[1];
-#endif
- } r;
};
#define RERR_NODELETE 0x80 /* don't delete the link */
@@ -284,32 +277,29 @@ static void
aodv_rerr(netdissect_options *ndo,
const struct aodv_rerr *ap, const u_char *dat, u_int length)
{
- u_int i;
- const struct rerr_unreach *dp = NULL;
- int n, trunc;
+ u_int i, dc;
+ const struct rerr_unreach *dp;
if (ndo->ndo_snapend < dat) {
ND_PRINT((ndo, " [|aodv]"));
return;
}
i = min(length, (u_int)(ndo->ndo_snapend - dat));
- if (i < offsetof(struct aodv_rerr, r)) {
+ if (i < sizeof(*ap)) {
ND_PRINT((ndo, " [|rerr]"));
return;
}
- i -= offsetof(struct aodv_rerr, r);
- dp = &ap->r.dest[0];
- n = ap->rerr_dc * sizeof(ap->r.dest[0]);
+ i -= sizeof(*ap);
ND_PRINT((ndo, " rerr %s [items %u] [%u]:",
ap->rerr_flags & RERR_NODELETE ? "[D]" : "",
ap->rerr_dc, length));
- trunc = n - (i/sizeof(ap->r.dest[0]));
- for (; i >= sizeof(ap->r.dest[0]);
- ++dp, i -= sizeof(ap->r.dest[0])) {
+ dp = (struct rerr_unreach *)(void *)(ap + 1);
+ for (dc = ap->rerr_dc; dc != 0 && i >= sizeof(*dp);
+ ++dp, --dc, i -= sizeof(*dp)) {
ND_PRINT((ndo, " {%s}(%ld)", ipaddr_string(ndo, &dp->u_da),
(unsigned long)EXTRACT_32BITS(&dp->u_ds)));
}
- if (trunc)
+ if ((i % sizeof(*dp)) != 0)
ND_PRINT((ndo, "[|rerr]"));
}
@@ -397,29 +387,36 @@ aodv_v6_rrep(netdissect_options *ndo,
static void
#ifdef INET6
aodv_v6_rerr(netdissect_options *ndo,
- const struct aodv_rerr *ap, u_int length)
+ const struct aodv_rerr *ap, const u_char *dat, u_int length)
#else
aodv_v6_rerr(netdissect_options *ndo,
- const struct aodv_rerr *ap _U_, u_int length)
+ const struct aodv_rerr *ap _U_, const u_char *dat, u_int length)
#endif
{
#ifdef INET6
- const struct rerr_unreach6 *dp6 = NULL;
- int i, j, n, trunc;
+ u_int i, dc;
+ const struct rerr_unreach6 *dp6;
- i = length - offsetof(struct aodv_rerr, r);
- j = sizeof(ap->r.dest6[0]);
- dp6 = &ap->r.dest6[0];
- n = ap->rerr_dc * j;
+ if (ndo->ndo_snapend < dat) {
+ ND_PRINT((ndo, " [|aodv]"));
+ return;
+ }
+ i = min(length, (u_int)(ndo->ndo_snapend - dat));
+ if (i < sizeof(*ap)) {
+ ND_PRINT((ndo, " [|rerr]"));
+ return;
+ }
+ i -= sizeof(*ap);
ND_PRINT((ndo, " rerr %s [items %u] [%u]:",
ap->rerr_flags & RERR_NODELETE ? "[D]" : "",
ap->rerr_dc, length));
- trunc = n - (i/j);
- for (; i -= j >= 0; ++dp6) {
+ dp6 = (struct rerr_unreach6 *)(void *)(ap + 1);
+ for (dc = ap->rerr_dc; dc != 0 && i >= sizeof(*dp6);
+ ++dp6, --dc, i -= sizeof(*dp6)) {
ND_PRINT((ndo, " {%s}(%ld)", ip6addr_string(ndo, &dp6->u_da),
(unsigned long)EXTRACT_32BITS(&dp6->u_ds)));
}
- if (trunc)
+ if ((i % sizeof(*dp6)) != 0)
ND_PRINT((ndo, "[|rerr]"));
#else
ND_PRINT((ndo, " rerr %u", length));
@@ -510,29 +507,36 @@ aodv_v6_draft_01_rrep(netdissect_options *ndo,
static void
#ifdef INET6
aodv_v6_draft_01_rerr(netdissect_options *ndo,
- const struct aodv_rerr *ap, u_int length)
+ const struct aodv_rerr *ap, const u_char *dat, u_int length)
#else
aodv_v6_draft_01_rerr(netdissect_options *ndo,
- const struct aodv_rerr *ap _U_, u_int length)
+ const struct aodv_rerr *ap _U_, const u_char *dat, u_int length)
#endif
{
#ifdef INET6
- const struct rerr_unreach6_draft_01 *dp6 = NULL;
- int i, j, n, trunc;
+ u_int i, dc;
+ const struct rerr_unreach6_draft_01 *dp6;
- i = length - offsetof(struct aodv_rerr, r);
- j = sizeof(ap->r.dest6_draft_01[0]);
- dp6 = &ap->r.dest6_draft_01[0];
- n = ap->rerr_dc * j;
+ if (ndo->ndo_snapend < dat) {
+ ND_PRINT((ndo, " [|aodv]"));
+ return;
+ }
+ i = min(length, (u_int)(ndo->ndo_snapend - dat));
+ if (i < sizeof(*ap)) {
+ ND_PRINT((ndo, " [|rerr]"));
+ return;
+ }
+ i -= sizeof(*ap);
ND_PRINT((ndo, " rerr %s [items %u] [%u]:",
ap->rerr_flags & RERR_NODELETE ? "[D]" : "",
ap->rerr_dc, length));
- trunc = n - (i/j);
- for (; i -= j >= 0; ++dp6) {
+ dp6 = (struct rerr_unreach6_draft_01 *)(void *)(ap + 1);
+ for (dc = ap->rerr_dc; dc != 0 && i >= sizeof(*dp6);
+ ++dp6, --dc, i -= sizeof(*dp6)) {
ND_PRINT((ndo, " {%s}(%ld)", ip6addr_string(ndo, &dp6->u_da),
(unsigned long)EXTRACT_32BITS(&dp6->u_ds)));
}
- if (trunc)
+ if ((i % sizeof(*dp6)) != 0)
ND_PRINT((ndo, "[|rerr]"));
#else
ND_PRINT((ndo, " rerr %u", length));
@@ -571,7 +575,7 @@ aodv_print(netdissect_options *ndo,
case AODV_RERR:
if (is_ip6)
- aodv_v6_rerr(ndo, (const struct aodv_rerr *)dat, length);
+ aodv_v6_rerr(ndo, (const struct aodv_rerr *)dat, dat, length);
else
aodv_rerr(ndo, (const struct aodv_rerr *)dat, dat, length);
break;
@@ -589,7 +593,7 @@ aodv_print(netdissect_options *ndo,
break;
case AODV_V6_DRAFT_01_RERR:
- aodv_v6_draft_01_rerr(ndo, (const struct aodv_rerr *)dat, length);
+ aodv_v6_draft_01_rerr(ndo, (const struct aodv_rerr *)dat, dat, length);
break;
case AODV_V6_DRAFT_01_RREP_ACK:
--
2.1.2