tcpdump
13 months agoJuniper: initialize some structures tcpdump-4.9
Francois-Xavier Le Bail [Fri, 18 Dec 2020 17:42:56 +0000 (18:42 +0100)] 
Juniper: initialize some structures

(backported from commit e1c739a83d2bb82f408a96f5b15cb2dad3dee919)

14 months agodns: add some additional error checks.
Guy Harris [Sun, 15 Nov 2020 04:34:25 +0000 (20:34 -0800)] 
dns: add some additional error checks.

If the upper 2 bits of a label/pointer value are 10, treat that as an
error.

If a name is longer than 255 characters, treat that as an error.

This prevents some long loops with malformed packets, as found by Hardik
Shah.

(backported from commit 92d636a906d450f9bd344ee312cfa9c88c3d2bd6)

21 months agoRSVP: add two missing breaks
Denis Ovsienko [Fri, 21 Jul 2017 22:11:18 +0000 (23:11 +0100)] 
RSVP: add two missing breaks

Add a break at the end of the RSVP_OBJ_LABEL_SET case block as it fully
deals with class number 36 (LABEL_SET) from RFC 3473 Section 2.6 and is
not related to the class in next case block.

Add a break at the end of the RSVP_OBJ_S2L case block as it fully deals
with class number 50 (S2L_SUB_LSP) from RFC 4875 Section 19.3 and does
not need to fall through to the default case block.

(backported from commit f92b6812d0e114960225f187a8788be137ce587b)

21 months agoPPP: When un-escaping, don't allocate a too-large buffer.
Guy Harris [Sat, 18 Apr 2020 21:04:59 +0000 (14:04 -0700)] 
PPP: When un-escaping, don't allocate a too-large buffer.

The buffer should be big enough to hold the captured data, but it
doesn't need to be big enough to hold the entire on-the-network packet,
if we haven't captured all of it.

(backported from commit e4add0b010ed6f2180dcb05a13026242ed935334)

22 months agoRemove libpcap-layer issues from tests/l2tp-avp-overflow.pcap.
Guy Harris [Sun, 23 Feb 2020 03:33:19 +0000 (19:33 -0800)] 
Remove libpcap-layer issues from tests/l2tp-avp-overflow.pcap.

22 months agoRemove libpcap-layer issues from tests/pktap-heap-overflow.pcap.
Guy Harris [Sun, 23 Feb 2020 03:24:03 +0000 (19:24 -0800)] 
Remove libpcap-layer issues from tests/pktap-heap-overflow.pcap.

2 years agoTravis CI: Revert to libpcap master branch (updated)
Francois-Xavier Le Bail [Thu, 3 Oct 2019 07:26:39 +0000 (09:26 +0200)] 
Travis CI: Revert to libpcap master branch (updated)

2 years agoTravis CI: The 4.9.3 release needs libpcap 1.9.1 for tests
Francois-Xavier Le Bail [Tue, 1 Oct 2019 08:32:28 +0000 (10:32 +0200)] 
Travis CI: The 4.9.3 release needs libpcap 1.9.1 for tests

2 years agoVERSION set for release tcpdump-4.9.3
Michael Richardson [Mon, 30 Sep 2019 15:12:19 +0000 (11:12 -0400)] 
VERSION set for release

2 years agobump version to rc2
Michael Richardson [Fri, 27 Sep 2019 15:53:23 +0000 (11:53 -0400)] 
bump version to rc2

2 years agoremove duplicate CVE item
Michael Richardson [Fri, 27 Sep 2019 15:53:10 +0000 (11:53 -0400)] 
remove duplicate CVE item

2 years agodo not redirect input from /dev/tty
Michael Richardson [Fri, 27 Sep 2019 15:52:35 +0000 (11:52 -0400)] 
do not redirect input from /dev/tty

2 years agoDon't depend on $(command) working.
Guy Harris [Fri, 27 Sep 2019 06:33:26 +0000 (23:33 -0700)] 
Don't depend on $(command) working.

Not all Bourne shells support it.

2 years agogenerate list of test files from git
Michael Richardson [Thu, 26 Sep 2019 12:48:12 +0000 (08:48 -0400)] 
generate list of test files from git

2 years agoupdated CHANGELOG and VERSION
Michael Richardson [Fri, 20 Sep 2019 16:36:44 +0000 (12:36 -0400)] 
updated CHANGELOG and VERSION

2 years agoconfig.h is always in build directory, not srcdir
Michael Richardson [Thu, 19 Sep 2019 18:02:32 +0000 (14:02 -0400)] 
config.h is always in build directory, not srcdir

2 years agoshow which directory is being built
Michael Richardson [Thu, 19 Sep 2019 18:46:11 +0000 (14:46 -0400)] 
show which directory is being built

2 years agocreate new eapon2 input file, without NBT packets
Michael Richardson [Thu, 19 Sep 2019 18:46:04 +0000 (14:46 -0400)] 
create new eapon2 input file, without NBT packets

2 years agomove nbns test case to SMB LIST
Michael Richardson [Thu, 19 Sep 2019 18:45:39 +0000 (14:45 -0400)] 
move nbns test case to SMB LIST

2 years agoupdate kh-addrfail with libpcap error code
Michael Richardson [Thu, 19 Sep 2019 18:45:06 +0000 (14:45 -0400)] 
update kh-addrfail with libpcap error code

2 years agodo not warn about extra lines in stderr if there is a stderr file that was compared
Michael Richardson [Wed, 18 Sep 2019 22:18:10 +0000 (18:18 -0400)] 
do not warn about extra lines in stderr if there is a stderr file that was compared

2 years agoturn off debug, and remove -003 file, as no pcap file was copied
Michael Richardson [Wed, 18 Sep 2019 21:09:45 +0000 (17:09 -0400)] 
turn off debug, and remove -003 file, as no pcap file was copied

2 years agorun tests with stdin connected to /dev/tty, and do not start tests in subdirectory...
Michael Richardson [Wed, 18 Sep 2019 20:23:02 +0000 (16:23 -0400)] 
run tests with stdin connected to /dev/tty, and do not start tests in subdirectory anymore

2 years agorejig debugging, set $TCPDUMP in one place
Michael Richardson [Wed, 18 Sep 2019 20:22:44 +0000 (16:22 -0400)] 
rejig debugging, set $TCPDUMP in one place

2 years agofound origin of esp test failures: the secrets file could not be read due to failure...
Michael Richardson [Wed, 18 Sep 2019 19:57:56 +0000 (15:57 -0400)] 
found origin of esp test failures: the secrets file could not be read due to failure to substitute variables correctly

2 years agoadded some debugging, found wrong failure-outputs file
Michael Richardson [Wed, 18 Sep 2019 19:57:22 +0000 (15:57 -0400)] 
added some debugging, found wrong failure-outputs file

2 years agofill in empty esp4 file
Michael Richardson [Wed, 18 Sep 2019 14:34:44 +0000 (10:34 -0400)] 
fill in empty esp4 file

2 years agoif SKIPPASSED is set, then only show failures, and change some symbols for replacements
Michael Richardson [Wed, 18 Sep 2019 14:34:25 +0000 (10:34 -0400)] 
if SKIPPASSED is set, then only show failures, and change some symbols for replacements

2 years agoturn off extra debug for script name/srcdir
Michael Richardson [Tue, 17 Sep 2019 20:51:49 +0000 (16:51 -0400)] 
turn off extra debug for script name/srcdir

2 years agoalways put a newline before exit code info
Michael Richardson [Tue, 17 Sep 2019 20:51:26 +0000 (16:51 -0400)] 
always put a newline before exit code info

2 years agoupdated configure to turn off smb by default
Michael Richardson [Tue, 17 Sep 2019 20:20:17 +0000 (16:20 -0400)] 
updated configure to turn off smb by default

2 years agoturn off SMB for now
Michael Richardson [Tue, 17 Sep 2019 20:14:10 +0000 (16:14 -0400)] 
turn off SMB for now

2 years agochange make check to work with POSIX shell
Michael Richardson [Tue, 17 Sep 2019 20:04:43 +0000 (16:04 -0400)] 
change make check to work with POSIX shell

2 years agosplit off SMB test list to be selective
Michael Richardson [Tue, 17 Sep 2019 20:27:39 +0000 (16:27 -0400)] 
split off SMB test list to be selective

2 years agofix output directories for TESTonce
Michael Richardson [Tue, 17 Sep 2019 20:27:07 +0000 (16:27 -0400)] 
fix output directories for TESTonce

2 years agochange make check to work with POSIX shell
Michael Richardson [Tue, 17 Sep 2019 20:04:43 +0000 (16:04 -0400)] 
change make check to work with POSIX shell

2 years agolook for cores and put them into the correct directory
Michael Richardson [Tue, 17 Sep 2019 20:02:28 +0000 (16:02 -0400)] 
look for cores and put them into the correct directory

2 years agoput correct -vvv into smb print tests
Michael Richardson [Tue, 17 Sep 2019 20:02:06 +0000 (16:02 -0400)] 
put correct -vvv into smb print tests

2 years agoadjustment to output file, and added relevant stderr file
Michael Richardson [Wed, 18 Sep 2019 21:50:04 +0000 (17:50 -0400)] 
adjustment to output file, and added relevant stderr file

2 years agoupdates to scripts for running in testdir vs builddir
Michael Richardson [Sat, 14 Sep 2019 18:51:36 +0000 (14:51 -0400)] 
updates to scripts for running in testdir vs builddir

2 years agoupdated test results for error results
Michael Richardson [Sat, 14 Sep 2019 18:45:34 +0000 (14:45 -0400)] 
updated test results for error results

2 years agopull in TESTrun from mainline
Michael Richardson [Thu, 12 Sep 2019 15:07:08 +0000 (11:07 -0400)] 
pull in TESTrun from mainline

2 years agosave stderr to file in case it is useful
Michael Richardson [Sun, 18 Aug 2019 20:52:56 +0000 (16:52 -0400)] 
save stderr to file in case it is useful
do better recording of when stderr has content in it
the failed/passed count was not kept in the right place
and the failure-outputs need to be dumped from the right place
record status code better to file, and if it exists, compare the stderr as well
sanitizing the first line for filename path

2 years agoshow core dump status clearly
Michael Richardson [Sun, 18 Aug 2019 18:13:06 +0000 (14:13 -0400)] 
show core dump status clearly

2 years agokeep track of beginning of buffer, and do not permit buf to be set to before it
Michael Richardson [Thu, 12 Sep 2019 14:27:32 +0000 (10:27 -0400)] 
keep track of beginning of buffer, and do not permit buf to be set to before it

2 years agoguard against possible error in fmt string
Michael Richardson [Thu, 12 Sep 2019 14:27:13 +0000 (10:27 -0400)] 
guard against possible error in fmt string

2 years agouse clang-7
Michael Richardson [Thu, 12 Sep 2019 14:26:17 +0000 (10:26 -0400)] 
use clang-7

2 years agofix TEST checker to work without srcdir
Michael Richardson [Tue, 10 Sep 2019 19:14:09 +0000 (20:14 +0100)] 
fix TEST checker to work without srcdir

2 years agofixup! bbe8e1171b4a2550d8a9d502bc8b6e15f6dc9445
Michael Richardson [Tue, 10 Sep 2019 19:13:00 +0000 (20:13 +0100)] 
fixup! bbe8e1171b4a2550d8a9d502bc8b6e15f6dc9445

2 years agodo not cd into tests directory, since test runner will be run from build directory
Michael Richardson [Tue, 10 Sep 2019 12:47:30 +0000 (13:47 +0100)] 
do not cd into tests directory, since test runner will be run from build directory

2 years agoclarify file name as pcapng
Michael Richardson [Tue, 10 Sep 2019 12:42:57 +0000 (13:42 +0100)] 
clarify file name as pcapng

2 years agoadded test cases for smb issues
Michael Richardson [Mon, 9 Sep 2019 23:13:23 +0000 (19:13 -0400)] 
added test cases for smb issues

2 years agoadded additional kh test cases
Michael Richardson [Mon, 9 Sep 2019 22:35:43 +0000 (18:35 -0400)] 
added additional kh test cases

2 years agoturn on Werror on compile, but not for ./configure
Michael Richardson [Mon, 9 Sep 2019 22:35:27 +0000 (18:35 -0400)] 
turn on Werror on compile, but not for ./configure

2 years agosflowprint is truncated correctly after printing IPv4 header
Michael Richardson [Sun, 18 Aug 2019 22:27:40 +0000 (18:27 -0400)] 
sflowprint is truncated correctly after printing IPv4 header

2 years agoadded 11 additional fuzzing cases from Katie Holly, confirmed to be fixed in 4.9...
Michael Richardson [Sun, 18 Aug 2019 17:24:07 +0000 (13:24 -0400)] 
added 11 additional fuzzing cases from Katie Holly, confirmed to be fixed in 4.9 branch

2 years agoadded Katie Holly 1b4 pcap, does not core dump
Michael Richardson [Fri, 16 Aug 2019 23:12:11 +0000 (19:12 -0400)] 
added Katie Holly 1b4 pcap, does not core dump

2 years agoadded Katie Holly 062 pcap, does not core dump
Michael Richardson [Fri, 16 Aug 2019 23:01:47 +0000 (19:01 -0400)] 
added Katie Holly 062 pcap, does not core dump

2 years agobuild on a combination of compilers and build options
Michael Richardson [Fri, 16 Aug 2019 20:38:58 +0000 (16:38 -0400)] 
build on a combination of compilers and build options

2 years agoguard against tlen becoming very large from subtraction
Michael Richardson [Fri, 16 Aug 2019 20:13:25 +0000 (16:13 -0400)] 
guard against tlen becoming very large from subtraction

2 years agomake check needs to work in build directories
Michael Richardson [Fri, 16 Aug 2019 19:30:31 +0000 (15:30 -0400)] 
make check needs to work in build directories

2 years agoadded sflowprint
Michael Richardson [Fri, 16 Aug 2019 19:31:09 +0000 (15:31 -0400)] 
added sflowprint

2 years agoif there is a core dump, then save it
Michael Richardson [Fri, 31 May 2019 17:20:54 +0000 (13:20 -0400)] 
if there is a core dump, then save it

2 years agotested this CVE with 32-bit on 4.9.3, and it seems to be fixed
Michael Richardson [Fri, 31 May 2019 17:20:45 +0000 (13:20 -0400)] 
tested this CVE with 32-bit on 4.9.3, and it seems to be fixed

2 years agoFix a compiler warning.
Guy Harris [Mon, 21 Jan 2019 20:02:06 +0000 (12:02 -0800)] 
Fix a compiler warning.

We need to ensure that buf2 is set even if we have too many nested "*"s
in an SMB format string.

Add comments to further explain that code.

2 years ago(for 4.9.3) CVE-2018-16452/SMB: prevent stack exhaustion
Denis Ovsienko [Fri, 7 Sep 2018 20:10:36 +0000 (21:10 +0100)] 
(for 4.9.3) CVE-2018-16452/SMB: prevent stack exhaustion

Enforce a limit on how many times smb_fdata() can recurse.

This fixes a stack exhaustion discovered by Include Security working
under the Mozilla SOS program in 2018 by means of code audit.

2 years ago(for 4.9.3) CVE-2018-16300/BGP: prevent stack exhaustion
Denis Ovsienko [Thu, 6 Sep 2018 20:26:21 +0000 (21:26 +0100)] 
(for 4.9.3) CVE-2018-16300/BGP: prevent stack exhaustion

Enforce a limit on how many times bgp_attr_print() can recurse.

This fixes a stack exhaustion discovered by Include Security working
under the Mozilla SOS program in 2018 by means of code audit.

2 years ago(for 4.9.3) add tests for print-smb.c:print_trans()
Denis Ovsienko [Sat, 1 Sep 2018 22:44:34 +0000 (23:44 +0100)] 
(for 4.9.3) add tests for print-smb.c:print_trans()

(This needs to be squashed into the bug fix properly.)

2 years ago(for 4.9.3) OpenFlow: Fix the uses of the pointer to the end of current packet
Francois-Xavier Le Bail [Thu, 1 Mar 2018 08:26:23 +0000 (09:26 +0100)] 
(for 4.9.3) OpenFlow: Fix the uses of the pointer to the end of current packet

Must be based on packet header caplen.

(This change was ported from commit ad69daa in the master branch.)

Add a test case.

2 years ago(for 4.9.3) CVE-2018-16229/DCCP: Fix printing "Timestamp" and "Timestamp Echo" options
Francois-Xavier Le Bail [Mon, 21 May 2018 07:25:15 +0000 (09:25 +0200)] 
(for 4.9.3) CVE-2018-16229/DCCP: Fix printing "Timestamp" and "Timestamp Echo" options

Add some comments.

Moreover:
Put a function definition name at the beginning of the line.

(This change was ported from commit 6df4852 in the master branch.)

Ryan Ackroyd had independently identified this buffer over-read later by
means of fuzzing and provided the packet capture file for the test.

2 years ago(for 4.9.3) CVE-2018-16227/IEEE 802.11: add a missing bounds check
Denis Ovsienko [Tue, 28 Aug 2018 23:38:40 +0000 (00:38 +0100)] 
(for 4.9.3) CVE-2018-16227/IEEE 802.11: add a missing bounds check

ieee802_11_print() tried to access the Mesh Flags subfield of the Mesh
Control field to find the size of the latter and increment the expected
802.11 header length before checking it is fully present in the input
buffer. Add an intermediate bounds check to make it safe.

This fixes a buffer over-read discovered by Ryan Ackroyd.

Add a test using the capture file supplied by the reporter(s).

2 years ago(for 4.9.3) CVE-2018-16228/HNCP: make buffer access safer
Denis Ovsienko [Thu, 23 Aug 2018 22:32:07 +0000 (23:32 +0100)] 
(for 4.9.3) CVE-2018-16228/HNCP: make buffer access safer

print_prefix() has a buffer and does not initialize it. It may call
decode_prefix6(), which also does not initialize the buffer on invalid
input. When that happens, make sure to return from print_prefix() before
trying to print the [still uninitialized] buffer.

This fixes a buffer over-read discovered by Wang Junjie of 360 ESG
Codesafe Team.

Add a test using the capture file supplied by the reporter(s).

2 years ago(for 4.9.3) CVE-2018-16230/BGP: fix decoding of MP_REACH_NLRI
Denis Ovsienko [Thu, 23 Aug 2018 21:09:16 +0000 (22:09 +0100)] 
(for 4.9.3) CVE-2018-16230/BGP: fix decoding of MP_REACH_NLRI

When bgp_attr_print() tried to decode the variable-length nexthop value
for the NSAP VPN case, it did not check that the declared length is good
to interpret the value as a mapped IPv4 or IPv6 address. Add missing
checks to make this safe.

This fixes a buffer over-read discovered by Include Security working
under the Mozilla SOS program in 2018 by means of code audit.

Bhargava Shastry, SecT/TU Berlin, had independently identified this
vulnerability by means of fuzzing and provided the packet capture file
for the test.

2 years ago(for 4.9.3) libdnet has bugs, do not use it.
Denis Ovsienko [Mon, 23 Jul 2018 22:28:24 +0000 (23:28 +0100)] 
(for 4.9.3) libdnet has bugs, do not use it.

The only function tcpdump used in libdnet was dnet_htoa(), which tries
to translate a binary DECnet address to a nodename through a lookup in
/etc/decnet.conf. The translation is slow and has a bug, so stop using
the function and remove the dependency on libdnet.

This makes tcpdump always print DECnet addresses in numeric format, if
anybody needs the translation back they are welcome to fix libdnet or
(more realistically) add an implementation of dnet_htoa() to the tcpdump
source code and use it.

2 years ago(for 4.9.3) CVE-2018-14879/fix -V to fail invalid input safely
Denis Ovsienko [Sun, 17 Jun 2018 21:15:19 +0000 (22:15 +0100)] 
(for 4.9.3) CVE-2018-14879/fix -V to fail invalid input safely

get_next_file() did not check the return value of strlen() and
underflowed an array index if the line read by fgets() from the file
started with \0. This caused an out-of-bounds read and could cause a
write. Add the missing check.

This vulnerability was discovered by Brian Carpenter & Geeknik Labs.

2 years ago(for 4.9.3) CVE-2018-14882/ICMP6 RPL: Add a missing bounds check
Francois-Xavier Le Bail [Fri, 3 Nov 2017 15:32:30 +0000 (16:32 +0100)] 
(for 4.9.3) CVE-2018-14882/ICMP6 RPL: Add a missing bounds check

Moreover:
Add and use *_tstr[] strings.
Update four tests outputs accordingly.
Fix a space.

Wang Junjie of 360 ESG Codesafe Team had independently identified this
vulnerability in 2018 by means of fuzzing and provided the packet capture
file for the test.

2 years ago(for 4.9.3) CVE-2018-14880/OSPFv3: Fix a bounds check
Francois-Xavier Le Bail [Sat, 4 Nov 2017 15:06:33 +0000 (16:06 +0100)] 
(for 4.9.3) CVE-2018-14880/OSPFv3: Fix a bounds check

Need to test bounds check for the last field of the structure lsa6_hdr.
No need to test other fields.

Include Security working under the Mozilla SOS program had independently
identified this vulnerability in 2018 by means of code audit.

Wang Junjie of 360 ESG Codesafe Team had independently identified this
vulnerability in 2018 by means of fuzzing and provided the packet capture
file for the test.

2 years ago(for 4.9.3) EIGRP: Add two missing bounds checks
Francois-Xavier Le Bail [Fri, 3 Nov 2017 22:17:53 +0000 (23:17 +0100)] 
(for 4.9.3) EIGRP: Add two missing bounds checks

2 years ago(for 4.9.3) SMB: Add two missing bounds checks
Francois-Xavier Le Bail [Fri, 3 Nov 2017 17:21:27 +0000 (18:21 +0100)] 
(for 4.9.3) SMB: Add two missing bounds checks

2 years ago(for 4.9.3) BOOTP: Add a missing bounds check
Francois-Xavier Le Bail [Fri, 3 Nov 2017 14:36:35 +0000 (15:36 +0100)] 
(for 4.9.3) BOOTP: Add a missing bounds check

2 years ago(for 4.9.3) ICMP: fix a compiler warning
Denis Ovsienko [Tue, 17 Oct 2017 22:24:36 +0000 (23:24 +0100)] 
(for 4.9.3) ICMP: fix a compiler warning

"ISO C90 forbids mixed declarations and code"

2 years ago(for 4.9.3) LMP: Add some missing bounds checks
Francois-Xavier Le Bail [Tue, 17 Oct 2017 20:40:13 +0000 (22:40 +0200)] 
(for 4.9.3) LMP: Add some missing bounds checks

In lmp_print_data_link_subobjs(), these problems were identified
through code review.

Moreover:
Add and use tstr[].
Update two tests outputs accordingly.

2 years ago(for 4.9.3) CVE-2018-14464/LMP: Add a missing bounds check
Francois-Xavier Le Bail [Tue, 17 Oct 2017 19:56:46 +0000 (21:56 +0200)] 
(for 4.9.3) CVE-2018-14464/LMP: Add a missing bounds check

In lmp_print_data_link_subobjs().

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).

2 years ago(for 4.9.3) VRRP: Add a missing bounds check
Francois-Xavier Le Bail [Tue, 17 Oct 2017 13:34:42 +0000 (15:34 +0200)] 
(for 4.9.3) VRRP: Add a missing bounds check

In vrrp_print().

This fixes a buffer over-read discovered by Konrad Rieck and
Bhargava Shastry.

Add a test using the capture file supplied by the reporter(s)
restricted to VRRP packets.

2 years ago(for 4.9.3) BGP: Add a missing bounds check
Francois-Xavier Le Bail [Sun, 8 Oct 2017 11:47:01 +0000 (13:47 +0200)] 
(for 4.9.3) BGP: Add a missing bounds check

In bgp_capabilities_print(), this problem was identified through code review.

Moreover:
Add and use tstr[].
Fix some spaces.

2 years ago(for 4.9.3) CVE-2018-14467/BGP: Fix BGP_CAPCODE_MP.
Francois-Xavier Le Bail [Sun, 8 Oct 2017 11:38:50 +0000 (13:38 +0200)] 
(for 4.9.3) CVE-2018-14467/BGP: Fix BGP_CAPCODE_MP.

Add a bounds check and a comment to bgp_capabilities_print().

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).

2 years ago(for 4.9.3) CVE-2018-14881/BGP: Fix BGP_CAPCODE_RESTART.
Francois-Xavier Le Bail [Sun, 8 Oct 2017 11:38:50 +0000 (13:38 +0200)] 
(for 4.9.3) CVE-2018-14881/BGP: Fix BGP_CAPCODE_RESTART.

Add a bounds check and a comment to bgp_capabilities_print().

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).

2 years ago(for 4.9.3) CVE-2018-14463/VRRP: Add a missing bounds check
Francois-Xavier Le Bail [Sun, 8 Oct 2017 11:28:05 +0000 (13:28 +0200)] 
(for 4.9.3) CVE-2018-14463/VRRP: Add a missing bounds check

In vrrp_print().

This fixes a buffer over-read discovered by Bhargava Shastry.

Add a test using the capture file supplied by the reporter(s).

2 years ago(for 4.9.3) CVE-2018-14465/RSVP: Add a missing bounds check
Francois-Xavier Le Bail [Sun, 8 Oct 2017 11:19:12 +0000 (13:19 +0200)] 
(for 4.9.3) CVE-2018-14465/RSVP: Add a missing bounds check

In rsvp_obj_print().

This fixes a buffer over-read discovered by Bhargava Shastry.

Add a test using the capture file supplied by the reporter(s).

2 years ago(for 4.9.3) CVE-2018-14462/ICMP: Add a missing bounds check
Francois-Xavier Le Bail [Sun, 8 Oct 2017 10:06:56 +0000 (12:06 +0200)] 
(for 4.9.3) CVE-2018-14462/ICMP: Add a missing bounds check

In icmp_print().

This fixes a buffer over-read discovered by Bhargava Shastry.

Add two tests using the capture files supplied by the reporter(s).

2 years ago(for 4.9.3) LDP: Add some missing bounds checks
Francois-Xavier Le Bail [Sun, 8 Oct 2017 09:57:19 +0000 (11:57 +0200)] 
(for 4.9.3) LDP: Add some missing bounds checks

In ldp_tlv_print(), these problems were identified through code review.

2 years ago(for 4.9.3) CVE-2018-14461/LDP: Fix a bounds check
Francois-Xavier Le Bail [Sun, 8 Oct 2017 09:49:24 +0000 (11:49 +0200)] 
(for 4.9.3) CVE-2018-14461/LDP: Fix a bounds check

In ldp_tlv_print(), the FT Session TLV length must be 12, not 8 (RFC3479)

This fixes a buffer over-read discovered by Konrad Rieck and
Bhargava Shastry.

Add a test using the capture file supplied by the reporter(s).

Moreover:
Add and use tstr[].
Add a comment.

2 years ago(for 4.9.3) CVE-2018-14469/ISAKMP: Add a missing bounds check
Francois-Xavier Le Bail [Sun, 8 Oct 2017 09:36:55 +0000 (11:36 +0200)] 
(for 4.9.3) CVE-2018-14469/ISAKMP: Add a missing bounds check

In ikev1_n_print() check bounds before trying to fetch the replay detection
status.

This fixes a buffer over-read discovered by Bhargava Shastry.

Add a test using the capture file supplied by the reporter(s).

2 years ago(for 4.9.3) CVE-2018-14466/Rx: fix an over-read bug
Denis Ovsienko [Tue, 19 Sep 2017 12:33:55 +0000 (13:33 +0100)] 
(for 4.9.3) CVE-2018-14466/Rx: fix an over-read bug

In rx_cache_insert() and rx_cache_find() properly read the serviceId
field of the rx_header structure as a 16-bit integer. When those
functions tried to read 32 bits the extra 16 bits could be outside of
the bounds checked in rx_print() for the rx_header structure, as
serviceId is the last field in that structure.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).

2 years ago(for 4.9.3) FRF.16: Add a missing length check.
Denis Ovsienko [Fri, 15 Sep 2017 15:32:17 +0000 (16:32 +0100)] 
(for 4.9.3) FRF.16: Add a missing length check.

At the beginning of mfr_print() check the declared length too, not just
the size of the input buffer. This should make further length-based
decoding more correct.

Found by code inspection hence there is no test case at this time.

2 years ago(for 4.9.3) Babel: Add a missing length check.
Denis Ovsienko [Tue, 12 Sep 2017 10:30:50 +0000 (11:30 +0100)] 
(for 4.9.3) Babel: Add a missing length check.

In babel_print_v2() check that the Babel packet body length does not
exceed the outer UDP packet payload. This helps to detect some invalid
packets earlier but does not fix a known vulnerability.

2 years ago(for 4.9.3) CVE-2018-14470/Babel: fix an existing length check
Denis Ovsienko [Tue, 12 Sep 2017 09:59:16 +0000 (10:59 +0100)] 
(for 4.9.3) CVE-2018-14470/Babel: fix an existing length check

In babel_print_v2() the non-verbose branch for an Update TLV compared
the TLV Length against 1 instead of 10 (probably a typo), put it right.

This fixes a buffer over-read discovered by Henri Salo from Nixu
Corporation.

Add a test using the capture file supplied by the reporter(s).

2 years ago(for 4.9.3) CVE-2018-14468/FRF.16: Add a missing length check.
Denis Ovsienko [Fri, 1 Sep 2017 16:55:39 +0000 (17:55 +0100)] 
(for 4.9.3) CVE-2018-14468/FRF.16: Add a missing length check.

The specification says in a well-formed Magic Number information element
the data is exactly 4 bytes long. In mfr_print() check this before trying
to read those 4 bytes.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).

2 years ago(for 4.9.3) AoE: Add another bounds check.
Denis Ovsienko [Thu, 31 Aug 2017 20:23:07 +0000 (21:23 +0100)] 
(for 4.9.3) AoE: Add another bounds check.

In aoev1_print() check bounds before fetching the Flags octet to prevent
a buffer over-read.

Found by code inspection hence there is no test case at this time.

2 years agoAoE: Add a test for the previous fix
Denis Ovsienko [Thu, 31 Aug 2017 20:15:37 +0000 (21:15 +0100)] 
AoE: Add a test for the previous fix

Add a test using the capture file supplied by Bhargava Shastry
SecT/TU Berlin.