author | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2004-03-12 10:10:43 +0000 |
---|---|---|
committer | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2004-03-12 10:10:43 +0000 |
commit | 1af25862194f2a7cec6c8881c8adb807c4b1e16f (patch) | |
tree | bcebc4eabe607cb5675f6c836124710f9664886c /usr.sbin/tcpdump | |
parent | 5c00aff215d29bc11d0d52cb690c3d26cfd730d2 (diff) |
Check payload size more carefully when printing ike messages. Identified by
cloder@.
ok ho@ otto@ cloder@
Diffstat (limited to 'usr.sbin/tcpdump')
-rw-r--r-- | usr.sbin/tcpdump/ike.h | 27 | ||||
-rw-r--r-- | usr.sbin/tcpdump/print-ike.c | 14 |
2 files changed, 35 insertions, 6 deletions
diff --git a/usr.sbin/tcpdump/ike.h b/usr.sbin/tcpdump/ike.h
index 55fc3a2ac19..4ea72037e5b 100644
--- a/usr.sbin/tcpdump/ike.h
+++ b/usr.sbin/tcpdump/ike.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike.h,v 1.6 2003/12/18 09:14:18 ho Exp $ */
+/* $OpenBSD: ike.h,v 1.7 2004/03/12 10:10:42 hshoexer Exp $ */
 
 /*
 * Copyright (c) 2001 Håkan Olsson. All rights reserved.
@@ -111,6 +111,7 @@
 #define PAYLOAD_ATTRIBUTE 14
 #define PAYLOAD_NAT_D 15
 #define PAYLOAD_NAT_OA 16
+#define PAYLOAD_RESERVED_MIN 17
 
 #define IKE_PAYLOAD_TYPES_INITIALIZER \
 { "NONE", /* 0 */ \
@@ -355,3 +356,27 @@
 "INTERNAL_IP6_DHCP", "INTERNAL_IP4_SUBNET", \
 "SUPPORTED_ATTRIBUTES", "INTERNAL_IP6_SUBNET", \
 }
+
+#define ISAKMP_SA_SZ 8
+#define ISAKMP_PROP_SZ 8
+#define ISAKMP_TRANSFORM_SZ 8
+#define ISAKMP_KE_SZ 4
+#define ISAKMP_ID_SZ 8
+#define ISAKMP_CERT_SZ 5
+#define ISAKMP_CERTREQ_SZ 5
+#define ISAKMP_HASH_SZ 4
+#define ISAKMP_SIG_SZ 4
+#define ISAKMP_NONCE_SZ 4
+#define ISAKMP_NOTIFY_SZ 12
+#define ISAKMP_DELETE_SZ 12
+#define ISAKMP_VENDOR_SZ 4
+#define ISAKMP_ATTRIBUTE_SZ 8
+#define ISAKMP_NAT_D_SZ 4
+#define ISAKMP_NAT_OA_SZ 8
+
+static u_int16_t min_payload_lengths[] = {
+ 0, ISAKMP_SA_SZ, ISAKMP_PROP_SZ, ISAKMP_TRANSFORM_SZ, ISAKMP_KE_SZ,
+ ISAKMP_ID_SZ, ISAKMP_CERT_SZ, ISAKMP_CERTREQ_SZ, ISAKMP_HASH_SZ,
+ ISAKMP_SIG_SZ, ISAKMP_NONCE_SZ, ISAKMP_NOTIFY_SZ, ISAKMP_DELETE_SZ,
+ ISAKMP_VENDOR_SZ, ISAKMP_ATTRIBUTE_SZ, ISAKMP_NAT_D_SZ, ISAKMP_NAT_OA_SZ
+};
diff --git a/usr.sbin/tcpdump/print-ike.c b/usr.sbin/tcpdump/print-ike.c
index 9b32aaebfde..70cc59f118f 100644
--- a/usr.sbin/tcpdump/print-ike.c
+++ b/usr.sbin/tcpdump/print-ike.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: print-ike.c,v 1.19 2004/02/14 11:36:55 ho Exp $ */
+/* $OpenBSD: print-ike.c,v 1.20 2004/03/12 10:10:42 hshoexer Exp $ */
 
 /*
 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999
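Review bot: `min_payload_lengths` is a `static` definition placed in ike.h, so every translation unit that includes the header gets a private copy of the table and an unused-variable warning wherever it is not referenced; the usual split is a declaration in the header and the definition in print-ike.c. Whatever the placement, the table needs a comment tying it to its index, because nothing in the hunk enforces that it holds exactly PAYLOAD_RESERVED_MIN entries in PAYLOAD_* order and the consumer indexes it by payload type: `/* Minimum length of each generic payload, indexed by PAYLOAD_* type; must hold exactly PAYLOAD_RESERVED_MIN entries. */`. A short derivation on the non-obvious entries (e.g. `/* hdr + DOI + proto + SPI size + type */` beside ISAKMP_NOTIFY_SZ) would spare the next reader re-computing them; I have not re-checked the values against the ISAKMP specification here.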
@@ -29,7 +29,7 @@
 
 #ifndef lint
 static const char rcsid[] =
- "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-ike.c,v 1.19 2004/02/14 11:36:55 ho Exp $ (XXX)";
+ "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-ike.c,v 1.20 2004/03/12 10:10:42 hshoexer Exp $ (XXX)";
 #endif
 
 #include <sys/param.h>
@@ -632,13 +632,17 @@ void
 ike_pl_print (u_int8_t type, u_int8_t *buf, u_int8_t doi)
 {
 static const char *pltypes[] = IKE_PAYLOAD_TYPES_INITIALIZER;
- int next_type = buf[0];
- int this_len = buf[2]<<8 | buf[3];
+ u_int8_t next_type = buf[0];
+ u_int16_t this_len = buf[2]<<8 | buf[3];
 
- printf("\n\t%spayload: %s len: %d", ike_tab_offset(),
+ printf("\n\t%spayload: %s len: %hu", ike_tab_offset(),
 (type < (sizeof pltypes/sizeof pltypes[0]) ?
 pltypes[type] : "<unknown>"), this_len);
 
+ if ((type < PAYLOAD_RESERVED_MIN
+ && this_len < min_payload_lengths[type]) || this_len == 0)
+ goto pltrunc;
+
 if ((u_int8_t *)&(buf[0]) > snapend - this_len)
 goto pltrunc;
 
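Review bot: The new bound `type < PAYLOAD_RESERVED_MIN` is a constant that has to be kept equal to the length of `min_payload_lengths` in ike.h by hand, so if the table and the constant ever drift apart the added `min_payload_lengths[type]` read is itself an out-of-bounds access; deriving the bound from the table, `if ((type < sizeof min_payload_lengths / sizeof min_payload_lengths[0] && this_len < min_payload_lengths[type]) || this_len == 0)`, mirrors the `pltypes` test a few lines above and removes that coupling. Separately, `buf[0]`, `buf[2]` and `buf[3]` are still read before any comparison with `snapend`; the new check only validates the length after it has been read, so unless the caller has already confirmed four captured bytes at `buf` (not visible here) a payload header cut short by the snaplen is read past the capture before the `snapend - this_len` test can reject it, and a bounds check on those four header bytes ahead of the reads would close that. The body of `ike_pl_print` continues past the end of the hunk.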