Upgrade to tcpdump 4.9.2. From CHANGES: Sunday September 3, 2017 denis@ovsienko.info Summary for 4.9.2 tcpdump release Do not use getprotobynumber() for protocol name resolution. Do not do any protocol name resolution if -n is specified. Improve errors detection in the test scripts. Fix a segfault with OpenSSL 1.1 and improve OpenSSL usage. Clean up IS-IS printing. Fix buffer overflow vulnerabilities: CVE-2017-11543 (SLIP) CVE-2017-13011 (bittok2str_internal) Fix infinite loop vulnerabilities: CVE-2017-12989 (RESP) CVE-2017-12990 (ISAKMP) CVE-2017-12995 (DNS) CVE-2017-12997 (LLDP) Fix buffer over-read vulnerabilities: CVE-2017-11541 (safeputs) CVE-2017-11542 (PIMv1) CVE-2017-12893 (SMB/CIFS) CVE-2017-12894 (lookup_bytestring) CVE-2017-12895 (ICMP) CVE-2017-12896 (ISAKMP) CVE-2017-12897 (ISO CLNS) CVE-2017-12898 (NFS) CVE-2017-12899 (DECnet) CVE-2017-12900 (tok2strbuf) CVE-2017-12901 (EIGRP) CVE-2017-12902 (Zephyr) CVE-2017-12985 (IPv6) CVE-2017-12986 (IPv6 routing headers) CVE-2017-12987 (IEEE 802.11) CVE-2017-12988 (telnet) CVE-2017-12991 (BGP) CVE-2017-12992 (RIPng) CVE-2017-12993 (Juniper) CVE-2017-11542 (PIMv1) CVE-2017-11541 (safeputs) CVE-2017-12994 (BGP) CVE-2017-12996 (PIMv2) CVE-2017-12998 (ISO IS-IS) CVE-2017-12999 (ISO IS-IS) CVE-2017-13000 (IEEE 802.15.4) CVE-2017-13001 (NFS) CVE-2017-13002 (AODV) CVE-2017-13003 (LMP) CVE-2017-13004 (Juniper) CVE-2017-13005 (NFS) CVE-2017-13006 (L2TP) CVE-2017-13007 (Apple PKTAP) CVE-2017-13008 (IEEE 802.11) CVE-2017-13009 (IPv6 mobility) CVE-2017-13010 (BEEP) CVE-2017-13012 (ICMP) CVE-2017-13013 (ARP) CVE-2017-13014 (White Board) CVE-2017-13015 (EAP) CVE-2017-11543 (SLIP) CVE-2017-13016 (ISO ES-IS) CVE-2017-13017 (DHCPv6) CVE-2017-13018 (PGM) CVE-2017-13019 (PGM) CVE-2017-13020 (VTP) CVE-2017-13021 (ICMPv6) CVE-2017-13022 (IP) CVE-2017-13023 (IPv6 mobility) CVE-2017-13024 (IPv6 mobility) CVE-2017-13025 (IPv6 mobility) CVE-2017-13026 (ISO IS-IS) CVE-2017-13027 (LLDP) CVE-2017-13028 (BOOTP) CVE-2017-13029 (PPP) CVE-2017-13030 (PIM) CVE-2017-13031 (IPv6 fragmentation header) CVE-2017-13032 (RADIUS) CVE-2017-13033 (VTP) CVE-2017-13034 (PGM) CVE-2017-13035 (ISO IS-IS) CVE-2017-13036 (OSPFv3) CVE-2017-13037 (IP) CVE-2017-13038 (PPP) CVE-2017-13039 (ISAKMP) CVE-2017-13040 (MPTCP) CVE-2017-13041 (ICMPv6) CVE-2017-13042 (HNCP) CVE-2017-13043 (BGP) CVE-2017-13044 (HNCP) CVE-2017-13045 (VQP) CVE-2017-13046 (BGP) CVE-2017-13047 (ISO ES-IS) CVE-2017-13048 (RSVP) CVE-2017-13049 (Rx) CVE-2017-13050 (RPKI-Router) CVE-2017-13051 (RSVP) CVE-2017-13052 (CFM) CVE-2017-13053 (BGP) CVE-2017-13054 (LLDP) CVE-2017-13055 (ISO IS-IS) CVE-2017-13687 (Cisco HDLC) CVE-2017-13688 (OLSR) CVE-2017-13689 (IKEv1) CVE-2017-13690 (IKEv2) CVE-2017-13725 (IPv6 routing headers) Bug: N/A Test: ran manually Change-Id: I6fbfa46046ee89d40d13024777e27623a23cb258

commit: cec480af7b6e0879bd9b3ca961fa5dfba2d77fa3 [log] [tgz]
author: Elliott Hughes <enh@google.com> Tue Dec 19 16:54:57 2017 -0800
committer: Elliott Hughes <enh@google.com> Tue Dec 19 16:54:57 2017 -0800
tree: 62ee098653f7185f462570cfd54fd37db665606c
parent: 4901a3d370ce3efb7a5b05afc912184ae35e19ae [diff] [blame]
diff --git a/print-mptcp.c b/print-mptcp.c
index e757ea4..392791e 100644
--- a/print-mptcp.c
+++ b/print-mptcp.c

@@ -178,7 +178,7 @@
 {
         const struct mp_capable *mpc = (const struct mp_capable *) opt;
 
-        if (!(opt_len == 12 && flags & TH_SYN) &&
+        if (!(opt_len == 12 && (flags & TH_SYN)) &&
             !(opt_len == 20 && (flags & (TH_SYN | TH_ACK)) == TH_ACK))
                 return 0;
 
@@ -202,9 +202,9 @@
 {
         const struct mp_join *mpj = (const struct mp_join *) opt;
 
-        if (!(opt_len == 12 && flags & TH_SYN) &&
+        if (!(opt_len == 12 && (flags & TH_SYN)) &&
             !(opt_len == 16 && (flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) &&
-            !(opt_len == 24 && flags & TH_ACK))
+            !(opt_len == 24 && (flags & TH_ACK)))
                 return 0;
 
         if (opt_len != 24) {
@@ -236,76 +236,92 @@
         return 1;
 }
 
-static u_int mp_dss_len(const  struct mp_dss *m, int csum)
-{
-        u_int len;
-
-        len = 4;
-        if (m->flags & MP_DSS_A) {
-                /* Ack present - 4 or 8 octets */
-                len += (m->flags & MP_DSS_a) ? 8 : 4;
-        }
-        if (m->flags & MP_DSS_M) {
-                /*
-                 * Data Sequence Number (DSN), Subflow Sequence Number (SSN),
-                 * Data-Level Length present, and Checksum possibly present.
-                 * All but the Checksum are 10 bytes if the m flag is
-                 * clear (4-byte DSN) and 14 bytes if the m flag is set
-                 * (8-byte DSN).
-                 */
-                len += (m->flags & MP_DSS_m) ? 14 : 10;
-
-                /*
-                 * The Checksum is present only if negotiated.
-                 */
-                if (csum)
-                        len += 2;
-	}
-	return len;
-}
-
 static int
 mp_dss_print(netdissect_options *ndo,
              const u_char *opt, u_int opt_len, u_char flags)
 {
         const struct mp_dss *mdss = (const struct mp_dss *) opt;
 
-        if ((opt_len != mp_dss_len(mdss, 1) &&
-             opt_len != mp_dss_len(mdss, 0)) || flags & TH_SYN)
+        /* We need the flags, at a minimum. */
+        if (opt_len < 4)
+                return 0;
+
+        if (flags & TH_SYN)
                 return 0;
 
         if (mdss->flags & MP_DSS_F)
                 ND_PRINT((ndo, " fin"));
 
         opt += 4;
+        opt_len -= 4;
         if (mdss->flags & MP_DSS_A) {
+                /* Ack present */
                 ND_PRINT((ndo, " ack "));
+                /*
+                 * If the a flag is set, we have an 8-byte ack; if it's
+                 * clear, we have a 4-byte ack.
+                 */
                 if (mdss->flags & MP_DSS_a) {
+                        if (opt_len < 8)
+                                return 0;
                         ND_PRINT((ndo, "%" PRIu64, EXTRACT_64BITS(opt)));
                         opt += 8;
+                        opt_len -= 8;
                 } else {
+                        if (opt_len < 4)
+                                return 0;
                         ND_PRINT((ndo, "%u", EXTRACT_32BITS(opt)));
                         opt += 4;
+                        opt_len -= 4;
                 }
         }
 
         if (mdss->flags & MP_DSS_M) {
+                /*
+                 * Data Sequence Number (DSN), Subflow Sequence Number (SSN),
+                 * Data-Level Length present, and Checksum possibly present.
+                 */
                 ND_PRINT((ndo, " seq "));
+		/*
+                 * If the m flag is set, we have an 8-byte NDS; if it's clear,
+                 * we have a 4-byte DSN.
+                 */
                 if (mdss->flags & MP_DSS_m) {
+                        if (opt_len < 8)
+                                return 0;
                         ND_PRINT((ndo, "%" PRIu64, EXTRACT_64BITS(opt)));
                         opt += 8;
+                        opt_len -= 8;
                 } else {
+                        if (opt_len < 4)
+                                return 0;
                         ND_PRINT((ndo, "%u", EXTRACT_32BITS(opt)));
                         opt += 4;
+                        opt_len -= 4;
                 }
+                if (opt_len < 4)
+                        return 0;
                 ND_PRINT((ndo, " subseq %u", EXTRACT_32BITS(opt)));
                 opt += 4;
+                opt_len -= 4;
+                if (opt_len < 2)
+                        return 0;
                 ND_PRINT((ndo, " len %u", EXTRACT_16BITS(opt)));
                 opt += 2;
+                opt_len -= 2;
 
-                if (opt_len == mp_dss_len(mdss, 1))
+                /*
+                 * The Checksum is present only if negotiated.
+                 * If there are at least 2 bytes left, process the next 2
+                 * bytes as the Checksum.
+                 */
+                if (opt_len >= 2) {
                         ND_PRINT((ndo, " csum 0x%x", EXTRACT_16BITS(opt)));
+                        opt_len -= 2;
+                }
         }
+        if (opt_len != 0)
+                return 0;
         return 1;
 }
commit	cec480af7b6e0879bd9b3ca961fa5dfba2d77fa3	[log] [tgz]
author	Elliott Hughes <enh@google.com>	Tue Dec 19 16:54:57 2017 -0800
committer	Elliott Hughes <enh@google.com>	Tue Dec 19 16:54:57 2017 -0800
tree	62ee098653f7185f462570cfd54fd37db665606c
parent	4901a3d370ce3efb7a5b05afc912184ae35e19ae [diff] [blame]