Upgrade to tcpdump 4.9.0.
From CHANGES:
Wednesday January 18, 2017 devel.fx.lebail@orange.fr
Summary for 4.9.0 tcpdump release
General updates:
Improve separation frontend/backend (tcpdump/libnetdissect)
Don't require IPv6 library support in order to support IPv6 addresses
Introduce data types to use for integral values in packet structures
Fix display of timestamps with -tt, -ttt and -ttttt options
Fix some heap overflows found with American Fuzzy Lop by Hanno Boeck and others
(More information in the log with CVE-2016-* and CVE-2017-*)
Change the way protocols print link-layer addresses (Fix heap overflows
in CALM-FAST and GeoNetworking printers)
Pass correct caplen value to ether_print() and some other functions
Fix lookup_nsap() to match what isonsap_string() expects
Clean up relative time stamp printing (Fix an array overflow)
Fix some alignment issues with GCC on Solaris 10 SPARC
Add some ND_TTEST_/ND_TCHECK_ macros to simplify writing bounds checks
Add a fn_printztn() which returns the number of bytes processed
Add nd_init() and nd_cleanup() functions. Improve libsmi support
Add CONTRIBUTING file
Add a summary comment in all printers
Compile with more warning options in devel mode if supported (-Wcast-qual, ...)
Fix some leaks found by Valgrind/Memcheck
Fix a bunch of de-constifications
Squelch some Coverity warnings and some compiler warnings
Update Coverity and Travis-CI setup
Update Visual Studio files
Frontend:
Fix capsicum support to work with zerocopy buffers in bpf
Try opening interfaces by name first, then by name-as-index
Work around pcap_create() failures fetching time stamp type lists
Fix a segmentation fault with 'tcpdump -J'
Improve addrtostr6() bounds checking
Add exit_tcpdump() function
Don't drop CAP_SYS_CHROOT before chrooting
Fix an issue where statistics were not reported when the -G and -W options were used
New printers supporting:
Generic Protocol Extension for VXLAN (VXLAN-GPE)
Home Networking Control Protocol (HNCP), RFCs 7787 and 7788
Locator/Identifier Separation Protocol (LISP), type 3 and type 4 packets
Marvell Extended Distributed Switch Architecture header (MEDSA)
Network Service Header (NSH)
REdis Serialization Protocol (RESP)
Updated printers:
802.11: Beginnings of 11ac radiotap support
802.11: Check the Protected bit for management frames
802.11: Do bounds checking on last_presentp before dereferencing it (Fix a heap overflow)
802.11: Fix the radiotap printer to handle the special bits correctly
802.11: If we have the MCS field, it's 11n
802.11: Only print unknown frame type or subtype messages once
802.11: Radiotap dBm values get printed as dB; Update a test output accordingly
802.11: Source and destination addresses were backwards
AH: Add a bounds check
AH: Report to our caller that dissection failed if a bounds check fails
AP1394: Print src > dst, not dst > src
ARP: Don't assume the target hardware address is <= 6 octets long (Fix a heap overflow)
ATALK: Add bounds and length checks (Fix heap overflows)
ATM: Add some bounds checks (Fix a heap overflow)
ATM: Fix an incorrect bounds check
BFD: Update specification from draft to RFC 5880
BFD: Update to print optional authentication field
BGP: Add decoding of ADD-PATH capability
BGP: Add support for the AIGP attribute (RFC7311)
BGP: Print LARGE_COMMUNITY Path Attribute
BGP: Update BGP numbers from IANA; Print minor values for FSM notification
BOOTP: Add a bounds check
Babel: Add decoder for source-specific extension
CDP: Filter out non-printable characters
CFM: Fixes to match the IEEE standard, additional bounds and length checks
CSLIP: Add more bounds checks (Fix a heap overflow)
ClassicalIPoATM: Add a bounds check on LLC+SNAP header (Fix a heap overflow)
DHCP: Fix MUDURL and TZ options
DHCPv6: Process MUDURL and TZ options
DHCPv6: Update Status Codes with RFCs/IANA names
DNS: Represent the "DNSSEC OK" bit as "DO" instead of "OK". Add a test case
DTP: Improve packet integrity checks
EGP: Fix bounds checks
ESP: Don't use OpenSSL_add_all_algorithms() in OpenSSL 1.1.0 or later
ESP: Handle OpenSSL 1.1.x
Ethernet: Add some bounds checking before calling isoclns_print (Fix a heap overflow)
Ethernet: Print the Length/Type field as length when needed
FDDI: Fix -e output for FDDI
FR: Add some packet-length checks and improve Q.933 printing (Fix heap overflows)
GRE: Add some bounds checks (Fix heap overflows)
Geneve: Fix error message with invalid option length; Update list option classes
HNCP: Fix incorrect time interval format. Fix handling of IPv4 prefixes
ICMP6: Fetch a 32-bit big-endian quantity with EXTRACT_32BITS()
ICMP6: dagid is always an IPv6 address, not an opaque 128-bit string
IGMP: Add a length check
IP: Add a bounds check (Fix a heap overflow)
IP: Check before fetching the protocol version (Fix a heap overflow)
IP: Don't try to dissect if IP version != 4 (Fix a heap overflow)
IP: Stop processing IPPROTO_ values once we hit IPPROTO_IPCOMP
IPComp: Check whether we have the CPI before we fetch it (Fix a heap overflow)
IPoFC: Fix -e output (IP-over-Fibre Channel)
IPv6: Don't overwrite the destination IPv6 address for routing headers
IPv6: Fix header printing
IPv6: Stop processing IPPROTO_ values once we hit IPPROTO_IPCOMP
ISAKMP: Clean up parsing of IKEv2 Security Associations
ISOCLNS/IS-IS: Add support for Purge Originator Identifier (RFC6232) and test cases
ISOCLNS/IS-IS: Don't overwrite packet data when checking the signature
ISOCLNS/IS-IS: Filter out non-printable characters
ISOCLNS/IS-IS: Fix segmentation faults
ISOCLNS/IS-IS: Have signature_verify() do the copying and clearing
ISOCLNS: Add some bounds checks
Juniper: Make sure a Juniper header TLV isn't bigger than what's left in the packet (Fix a heap overflow)
LLC/SNAP: With -e, print the LLC header before the SNAP header; without it, cut the SNAP header
LLC: Add a bounds check (Fix a heap overflow)
LLC: Clean up printing of LLC packets
LLC: Fix the printing of RFC 948-style IP packets
LLC: Skip the LLC and SNAP headers with -x for 802.11 and some other protocols
LLDP: Implement IANA OUI and LLDP MUD option
MPLS LSP ping: Update printing for RFC 4379, bug fixes, more bounds checks
MPLS: "length" is now the *remaining* packet length
MPLS: Add bounds and length checks (Fix a heap overflow)
NFS: Add a test that makes unaligned accesses
NFS: Don't assume the ONC RPC header is nicely aligned
NFS: Don't overflow the Opaque_Handle buffer (Fix a segmentation fault)
NFS: Don't run past the end of an NFSv3 file handle
OLSR: Add a test to cover a HNA sgw case
OLSR: Fix 'Advertised networks' count
OLSR: Fix printing of smart-gateway HNAs in IPv4
OSPF: Add a bounds check for the Hello packet options
OSPF: Do more bounds checking
OSPF: Fix a segmentation fault
OSPF: Fix printing 'ospf_topology_values' default
OTV: Add missing bounds checks
PGM: Print the formatted IP address, not the raw binary address, as a string
PIM: Add some bounds checking (Fix a heap overflow)
PIMv2: Fix checksumming of Register messages
PPI: Pass an adjusted struct pcap_pkthdr to the sub-printer
PPP: Add some bounds checks (Fix a heap overflow)
PPP: Report invalid PAP AACK/ANAK packets
Q.933: Add a missing bounds check
RADIUS: Add Value 13 "VLAN" to Tunnel-Type attribute
RADIUS: Filter out non-printable characters
RADIUS: Translate UDP/1700 as RADIUS
RESP: Do better checking of RESP packets
RPKI-RTR: Add a return value check for "fn_printn" call
RPKI-RTR: Remove printing when truncated condition already detected
RPL: Fix 'Consistency Check' control code
RPL: Fix suboption print
RSVP: An INTEGRITY object in a submessage covers only the submessage
RSVP: Fix an infinite loop; Add bounds and length checks
RSVP: Fix some if statements missing brackets
RSVP: Have signature_verify() do the copying and clearing
RTCP: Add some bounds checks
RTP: Add some bounds checks, fix two segmentation faults
SCTP: Do more bounds checking
SFLOW: Fix bounds checking
SLOW: Fix bugs, add checks
SMB: Before fetching the flags2 field, make sure we have it
SMB: Do bounds checks on NBNS resource types and resource data lengths
SNMP: Clean up the "have libsmi but no modules loaded" case
SNMP: Clean up the object abbreviation list and fix the code to match them
SNMP: Do bounds checks when printing character and octet strings
SNMP: Improve ASN.1 bounds checks
SNMP: More bounds and length checks
STP: Add a bunch of bounds checks, and fix some printing (Fix heap overflows)
STP: Filter out non-printable characters
TCP: Add bounds and length checks for packets with TCP option 20
TCP: Correct TCP option Kind value for TCP Auth and add SCPS-TP
TCP: Fix two bounds checks (Fix heap overflows)
TCP: Make sure we have the data offset field before fetching it (Fix a heap overflow)
TCP: Put TCP-AO option decoding right
TFTP: Don't use strchr() to scan packet data (Fix a heap overflow)
Telnet: Add some bounds checks
TokenRing: Fix -e output
UDLD: Fix an infinite loop
UDP: Add a bounds check (Fix a heap overflow)
UDP: Check against the packet length first
UDP: Don't do the DDP-over-UDP heuristic check up front
VAT: Add some bounds checks
VTP: Add a test on Mgmt Domain Name length
VTP: Add bounds checks and filter out non-printable characters
VXLAN: Add a bound check and a test case
ZeroMQ: Fix an infinite loop
Tuesday April 14, 2015 guy@alum.mit.edu
Summary for 4.8.0 tcpdump release
Fix "-x" for Apple PKTAP and PPI packets
Bug: N/A
Test: "adb shell tcpdump"
Change-Id: I81df72cf1ebdbe61c5b6069d8532ae817570f23f
diff --git a/print-babel.c b/print-babel.c
index 75cb32c..f8741d7 100644
--- a/print-babel.c
+++ b/print-babel.c
@@ -26,17 +26,18 @@
* SUCH DAMAGE.
*/
-#define NETDISSECT_REWORKED
+/* \summary: Babel Routing Protocol printer */
+
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
-#include <tcpdump-stdinc.h>
+#include <netdissect-stdinc.h>
#include <stdio.h>
#include <string.h>
-#include "interface.h"
+#include "netdissect.h"
#include "addrtoname.h"
#include "extract.h"
@@ -53,7 +54,7 @@
ND_TCHECK2(*cp, 4);
if(cp[0] != 42) {
- ND_PRINT((ndo, " malformed header"));
+ ND_PRINT((ndo, " invalid header"));
return;
} else {
ND_PRINT((ndo, " %d", cp[1]));
@@ -89,6 +90,9 @@
#define MESSAGE_MH_REQUEST 10
#define MESSAGE_TSPC 11
#define MESSAGE_HMAC 12
+#define MESSAGE_UPDATE_SRC_SPECIFIC 13
+#define MESSAGE_REQUEST_SRC_SPECIFIC 14
+#define MESSAGE_MH_REQUEST_SRC_SPECIFIC 15
/* sub-TLVs */
#define MESSAGE_SUB_PAD1 0
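Review bot: the three new type values at `#define MESSAGE_UPDATE_SRC_SPECIFIC 13` through `MESSAGE_MH_REQUEST_SRC_SPECIFIC 15` carry no comment naming the specification they come from; the CHANGES entry only says "source-specific extension", so a one-line reference to the draft or RFC that assigns these numbers next to the defines would help anyone checking the wire format later.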
@@ -123,11 +127,7 @@
if(plen >= 96 && memcmp(prefix, v4prefix, 12) == 0)
snprintf(buf, 50, "%s/%u", ipaddr_string(ndo, prefix + 12), plen - 96);
else
-#ifdef INET6
snprintf(buf, 50, "%s/%u", ip6addr_string(ndo, prefix), plen);
-#else
- snprintf(buf, 50, "IPv6 addresses not supported");
-#endif
buf[49] = '\0';
return buf;
}
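Review bot: with the INET6 fallback removed, both branches of this function end in `snprintf(buf, 50, ...)`, which already NUL-terminates within the 50-byte limit, so the trailing `buf[49] = '\0';` is redundant. If buf is a local array, replacing the literal 50 with sizeof(buf) would also keep the size and the terminator index from drifting apart.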
@@ -138,11 +138,7 @@
if(memcmp(prefix, v4prefix, 12) == 0)
return ipaddr_string(ndo, prefix + 12);
else
-#ifdef INET6
return ip6addr_string(ndo, prefix);
-#else
- return "IPv6 addresses not supported";
-#endif
}
static const char *
@@ -284,10 +280,10 @@
continue;
}
if(cp == ep)
- goto corrupt;
+ goto invalid;
sublen = *cp++;
if(cp + sublen > ep)
- goto corrupt;
+ goto invalid;
switch(subtype) {
case MESSAGE_SUB_PADN:
@@ -305,19 +301,20 @@
ND_PRINT((ndo, "%s%s", sep, tok2str(diversity_str, "%u", *cp++)));
sep = "-";
}
- if(tlv_type != MESSAGE_UPDATE)
+ if(tlv_type != MESSAGE_UPDATE &&
+ tlv_type != MESSAGE_UPDATE_SRC_SPECIFIC)
ND_PRINT((ndo, " (bogus)"));
break;
case MESSAGE_SUB_TIMESTAMP:
ND_PRINT((ndo, " sub-timestamp"));
if(tlv_type == MESSAGE_HELLO) {
if(sublen < 4)
- goto corrupt;
+ goto invalid;
t1 = EXTRACT_32BITS(cp);
ND_PRINT((ndo, " %s", format_timestamp(t1)));
} else if(tlv_type == MESSAGE_IHU) {
if(sublen < 8)
- goto corrupt;
+ goto invalid;
t1 = EXTRACT_32BITS(cp);
ND_PRINT((ndo, " %s", format_timestamp(t1)));
t2 = EXTRACT_32BITS(cp + 4);
@@ -333,12 +330,12 @@
} /* while */
return;
- corrupt:
- ND_PRINT((ndo, " (corrupt)"));
+ invalid:
+ ND_PRINT((ndo, "%s", istr));
}
#define ICHECK(i, l) \
- if ((i) + (l) > bodylen || (i) + (l) > length) goto corrupt;
+ if ((i) + (l) > bodylen || (i) + (l) > length) goto invalid;
static void
babel_print_v2(netdissect_options *ndo,
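Review bot: ICHECK still expands to a bare `if ((i) + (l) > bodylen || (i) + (l) > length) goto invalid;` with no do { } while (0) wrapper, so a caller writing `if (x) ICHECK(i, l); else ...` would have the else bind to the macro's if; since this hunk already touches the macro for the label rename, wrapping it now is cheap. The rename itself is consistent: both the function ending just above the macro and babel_print_v2 now use an `invalid:` label that prints istr.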
@@ -352,7 +349,7 @@
ND_TCHECK2(*cp, 4);
if (length < 4)
- goto corrupt;
+ goto invalid;
bodylen = EXTRACT_16BITS(cp + 2);
ND_PRINT((ndo, " (%u)", bodylen));
@@ -393,7 +390,7 @@
ND_PRINT((ndo, " ack-req"));
else {
ND_PRINT((ndo, "\n\tAcknowledgment Request "));
- if(len < 6) goto corrupt;
+ if(len < 6) goto invalid;
nonce = EXTRACT_16BITS(message + 4);
interval = EXTRACT_16BITS(message + 6);
ND_PRINT((ndo, "%04x %s", nonce, format_interval(interval)));
@@ -407,7 +404,7 @@
ND_PRINT((ndo, " ack"));
else {
ND_PRINT((ndo, "\n\tAcknowledgment "));
- if(len < 2) goto corrupt;
+ if(len < 2) goto invalid;
nonce = EXTRACT_16BITS(message + 2);
ND_PRINT((ndo, "%04x", nonce));
}
@@ -420,7 +417,7 @@
ND_PRINT((ndo, " hello"));
else {
ND_PRINT((ndo, "\n\tHello "));
- if(len < 6) goto corrupt;
+ if(len < 6) goto invalid;
seqno = EXTRACT_16BITS(message + 4);
interval = EXTRACT_16BITS(message + 6);
ND_PRINT((ndo, "seqno %u interval %s", seqno, format_interval(interval)));
@@ -439,7 +436,7 @@
u_char address[16];
int rc;
ND_PRINT((ndo, "\n\tIHU "));
- if(len < 6) goto corrupt;
+ if(len < 6) goto invalid;
txcost = EXTRACT_16BITS(message + 4);
interval = EXTRACT_16BITS(message + 6);
rc = network_address(message[2], message + 8, len - 6, address);
@@ -459,7 +456,7 @@
ND_PRINT((ndo, " router-id"));
else {
ND_PRINT((ndo, "\n\tRouter Id"));
- if(len < 10) goto corrupt;
+ if(len < 10) goto invalid;
ND_PRINT((ndo, " %s", format_id(message + 4)));
}
}
@@ -472,9 +469,9 @@
int rc;
u_char nh[16];
ND_PRINT((ndo, "\n\tNext Hop"));
- if(len < 2) goto corrupt;
+ if(len < 2) goto invalid;
rc = network_address(message[2], message + 4, len - 2, nh);
- if(rc < 0) goto corrupt;
+ if(rc < 0) goto invalid;
ND_PRINT((ndo, " %s", format_address(ndo, nh)));
}
}
@@ -496,13 +493,13 @@
int rc;
u_char prefix[16];
ND_PRINT((ndo, "\n\tUpdate"));
- if(len < 10) goto corrupt;
+ if(len < 10) goto invalid;
plen = message[4] + (message[2] == 1 ? 96 : 0);
rc = network_prefix(message[2], message[4], message[5],
message + 12,
message[2] == 1 ? v4_prefix : v6_prefix,
len - 10, prefix);
- if(rc < 0) goto corrupt;
+ if(rc < 0) goto invalid;
interval = EXTRACT_16BITS(message + 6);
seqno = EXTRACT_16BITS(message + 8);
metric = EXTRACT_16BITS(message + 10);
@@ -532,11 +529,11 @@
int rc;
u_char prefix[16], plen;
ND_PRINT((ndo, "\n\tRequest "));
- if(len < 2) goto corrupt;
+ if(len < 2) goto invalid;
plen = message[3] + (message[2] == 1 ? 96 : 0);
rc = network_prefix(message[2], message[3], 0,
message + 4, NULL, len - 2, prefix);
- if(rc < 0) goto corrupt;
+ if(rc < 0) goto invalid;
ND_PRINT((ndo, "for %s",
message[2] == 0 ? "any" : format_prefix(ndo, prefix, plen)));
}
@@ -551,11 +548,11 @@
u_short seqno;
u_char prefix[16], plen;
ND_PRINT((ndo, "\n\tMH-Request "));
- if(len < 14) goto corrupt;
+ if(len < 14) goto invalid;
seqno = EXTRACT_16BITS(message + 4);
rc = network_prefix(message[2], message[3], 0,
message + 16, NULL, len - 14, prefix);
- if(rc < 0) goto corrupt;
+ if(rc < 0) goto invalid;
plen = message[3] + (message[2] == 1 ? 96 : 0);
ND_PRINT((ndo, "(%u hops) for %s seqno %u id %s",
message[6], format_prefix(ndo, prefix, plen),
@@ -568,7 +565,7 @@
ND_PRINT((ndo, " tspc"));
else {
ND_PRINT((ndo, "\n\tTS/PC "));
- if(len < 6) goto corrupt;
+ if(len < 6) goto invalid;
ND_PRINT((ndo, "timestamp %u packetcounter %u", EXTRACT_32BITS (message + 4),
EXTRACT_16BITS(message + 2)));
}
@@ -579,13 +576,127 @@
else {
unsigned j;
ND_PRINT((ndo, "\n\tHMAC "));
- if(len < 18) goto corrupt;
+ if(len < 18) goto invalid;
ND_PRINT((ndo, "key-id %u digest-%u ", EXTRACT_16BITS(message + 2), len - 2));
for (j = 0; j < len - 2; j++)
ND_PRINT((ndo, "%02X", message[4 + j]));
}
}
break;
+
+ case MESSAGE_UPDATE_SRC_SPECIFIC : {
+ if(!ndo->ndo_vflag) {
+ ND_PRINT((ndo, " ss-update"));
+ } else {
+ u_char prefix[16], src_prefix[16];
+ u_short interval, seqno, metric;
+ u_char ae, plen, src_plen, omitted;
+ int rc;
+ int parsed_len = 10;
+ ND_PRINT((ndo, "\n\tSS-Update"));
+ if(len < 10) goto invalid;
+ ae = message[2];
+ src_plen = message[3];
+ plen = message[4];
+ omitted = message[5];
+ interval = EXTRACT_16BITS(message + 6);
+ seqno = EXTRACT_16BITS(message + 8);
+ metric = EXTRACT_16BITS(message + 10);
+ rc = network_prefix(ae, plen, omitted, message + 2 + parsed_len,
+ ae == 1 ? v4_prefix : v6_prefix,
+ len - parsed_len, prefix);
+ if(rc < 0) goto invalid;
+ if(ae == 1)
+ plen += 96;
+ parsed_len += rc;
+ rc = network_prefix(ae, src_plen, 0, message + 2 + parsed_len,
+ NULL, len - parsed_len, src_prefix);
+ if(rc < 0) goto invalid;
+ if(ae == 1)
+ src_plen += 96;
+ parsed_len += rc;
+
+ ND_PRINT((ndo, " %s from", format_prefix(ndo, prefix, plen)));
+ ND_PRINT((ndo, " %s metric %u seqno %u interval %s",
+ format_prefix(ndo, src_prefix, src_plen),
+ metric, seqno, format_interval_update(interval)));
+ /* extra data? */
+ if((u_int)parsed_len < len)
+ subtlvs_print(ndo, message + 2 + parsed_len,
+ message + 2 + len, type);
+ }
+ }
+ break;
+
+ case MESSAGE_REQUEST_SRC_SPECIFIC : {
+ if(!ndo->ndo_vflag)
+ ND_PRINT((ndo, " ss-request"));
+ else {
+ int rc, parsed_len = 3;
+ u_char ae, plen, src_plen, prefix[16], src_prefix[16];
+ ND_PRINT((ndo, "\n\tSS-Request "));
+ if(len < 3) goto invalid;
+ ae = message[2];
+ plen = message[3];
+ src_plen = message[4];
+ rc = network_prefix(ae, plen, 0, message + 2 + parsed_len,
+ NULL, len - parsed_len, prefix);
+ if(rc < 0) goto invalid;
+ if(ae == 1)
+ plen += 96;
+ parsed_len += rc;
+ rc = network_prefix(ae, src_plen, 0, message + 2 + parsed_len,
+ NULL, len - parsed_len, src_prefix);
+ if(rc < 0) goto invalid;
+ if(ae == 1)
+ src_plen += 96;
+ parsed_len += rc;
+ if(ae == 0) {
+ ND_PRINT((ndo, "for any"));
+ } else {
+ ND_PRINT((ndo, "for (%s, ", format_prefix(ndo, prefix, plen)));
+ ND_PRINT((ndo, "%s)", format_prefix(ndo, src_prefix, src_plen)));
+ }
+ }
+ }
+ break;
+
+ case MESSAGE_MH_REQUEST_SRC_SPECIFIC : {
+ if(!ndo->ndo_vflag)
+ ND_PRINT((ndo, " ss-mh-request"));
+ else {
+ int rc, parsed_len = 14;
+ u_short seqno;
+ u_char ae, plen, src_plen, prefix[16], src_prefix[16], hopc;
+ const u_char *router_id = NULL;
+ ND_PRINT((ndo, "\n\tSS-MH-Request "));
+ if(len < 14) goto invalid;
+ ae = message[2];
+ plen = message[3];
+ seqno = EXTRACT_16BITS(message + 4);
+ hopc = message[6];
+ src_plen = message[7];
+ router_id = message + 8;
+ rc = network_prefix(ae, plen, 0, message + 2 + parsed_len,
+ NULL, len - parsed_len, prefix);
+ if(rc < 0) goto invalid;
+ if(ae == 1)
+ plen += 96;
+ parsed_len += rc;
+ rc = network_prefix(ae, src_plen, 0, message + 2 + parsed_len,
+ NULL, len - parsed_len, src_prefix);
+ if(rc < 0) goto invalid;
+ if(ae == 1)
+ src_plen += 96;
+ ND_PRINT((ndo, "(%u hops) for (%s, ",
+ hopc, format_prefix(ndo, prefix, plen)));
+ ND_PRINT((ndo, "%s) seqno %u id %s",
+ format_prefix(ndo, src_prefix, src_plen),
+ seqno, format_id(router_id)));
+ }
+ }
+ break;
+
default:
if (!ndo->ndo_vflag)
ND_PRINT((ndo, " unknown"));
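Review bot: in the MESSAGE_MH_REQUEST_SRC_SPECIFIC case the result of the second network_prefix() call is never added to parsed_len, whereas the SS-Update and SS-Request cases both do `parsed_len += rc;` after the source prefix; nothing reads parsed_len afterwards, so it is harmless today, but it is inconsistent and will matter if an "extra data?" sub-TLV pass like the one in SS-Update is added later. Two style nits in the same hunk: `case MESSAGE_UPDATE_SRC_SPECIFIC : {` and the two following cases put a space before the colon, unlike the existing cases, and `const u_char *router_id = NULL;` is immediately overwritten by `router_id = message + 8;`. The length checks themselves look right: `len < 10` covers the ten fixed bytes through EXTRACT_16BITS(message + 10), `len < 3` covers message[2..4], and `len < 14` covers the 8-byte router id at message + 8.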
@@ -600,7 +711,7 @@
ND_PRINT((ndo, " %s", tstr));
return;
- corrupt:
- ND_PRINT((ndo, " (corrupt)"));
+ invalid:
+ ND_PRINT((ndo, "%s", istr));
return;
}