(for 4.9.3) CVE-2018-16229/DCCP: Fix printing "Timestamp" and "Timest…

…amp Echo" options

Add some comments.

Moreover:
Put a function definition name at the beginning of the line.

(This change was ported from commit 6df4852 in the master branch.)

Ryan Ackroyd had independently identified this buffer over-read later by
means of fuzzing and provided the packet capture file for the test.

print-dccp.c

@@ -530,7 +530,8 @@ static const struct tok dccp_option_values[] = {
 	{ 0, NULL }
 };
 
-static int dccp_print_option(netdissect_options *ndo, const u_char *option, u_int hlen)
+static int
+dccp_print_option(netdissect_options *ndo, const u_char *option, u_int hlen)
 {
 	uint8_t optlen, i;
 
@@ -623,24 +624,62 @@ static int dccp_print_option(netdissect_options *ndo, const u_char *option, u_in
 			}
 			break;
 		case 41:
-			if (optlen == 4)
+		/*
+		 * 13.1.  Timestamp Option
+		 *
+		 *  +--------+--------+--------+--------+--------+--------+
+		 *  |00101001|00000110|          Timestamp Value          |
+		 *  +--------+--------+--------+--------+--------+--------+
+		 *   Type=41  Length=6
+		 */
+			if (optlen == 6)
 				ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
 			else
-				ND_PRINT((ndo, " optlen != 4"));
+				ND_PRINT((ndo, " [optlen != 6]"));
 			break;
 		case 42:
-			if (optlen == 4)
+		/*
+		 * 13.3.  Timestamp Echo Option
+		 *
+		 *  +--------+--------+--------+--------+--------+--------+
+		 *  |00101010|00000110|           Timestamp Echo          |
+		 *  +--------+--------+--------+--------+--------+--------+
+		 *   Type=42    Len=6
+		 *
+		 *  +--------+--------+------- ... -------+--------+--------+
+		 *  |00101010|00001000|  Timestamp Echo   |   Elapsed Time  |
+		 *  +--------+--------+------- ... -------+--------+--------+
+		 *   Type=42    Len=8       (4 bytes)
+		 *
+		 *  +--------+--------+------- ... -------+------- ... -------+
+		 *  |00101010|00001010|  Timestamp Echo   |    Elapsed Time   |
+		 *  +--------+--------+------- ... -------+------- ... -------+
+		 *   Type=42   Len=10       (4 bytes)           (4 bytes)
+		 */
+			switch (optlen) {
+			case 6:
 				ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
-			else
-				ND_PRINT((ndo, " optlen != 4"));
+				break;
+			case 8:
+				ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
+				ND_PRINT((ndo, " (elapsed time %u)", EXTRACT_16BITS(option + 6)));
+				break;
+			case 10:
+				ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
+				ND_PRINT((ndo, " (elapsed time %u)", EXTRACT_32BITS(option + 6)));
+				break;
+			default:
+				ND_PRINT((ndo, " [optlen != 6 or 8 or 10]"));
+				break;
+			}
 			break;
 		case 43:
 			if (optlen == 6)
 				ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
 			else if (optlen == 4)
 				ND_PRINT((ndo, " %u", EXTRACT_16BITS(option + 2)));
 			else
-				ND_PRINT((ndo, " optlen != 4 or 6"));
+				ND_PRINT((ndo, " [optlen != 4 or 6]"));
 			break;
 		case 44:
 			if (optlen > 2) {

tests/TESTLIST

@@ -604,6 +604,7 @@ hncp_prefix-oobr	hncp_prefix-oobr.pcapng		hncp_prefix-oobr.out		-vvv
 
 # bad packets from Ryan Ackroyd
 ieee802.11_meshhdr-oobr	ieee802.11_meshhdr-oobr.pcap	ieee802.11_meshhdr-oobr.out	-H -c1
+dccp_options-oobr	dccp_options-oobr.pcap		dccp_options-oobr.out		-vv -c8
 
 # RTP tests
 # fuzzed pcap

tests/dccp_options-oobr.out

@@ -0,0 +1,19 @@
+IP (tos 0x0, ttl 64, id 65312, offset 0, flags [DF], proto DCCP (33), length 52)
+    139.133.209.176.39420 > 139.133.209.65.5001: DCCP (CCVal 0, CsCov 0, cksum 0xaaf3 (incorrect -> 0x8bf3)) DCCP-Request (service=-189888898) seq 8 <nop, nop, nop, nop, change_l ack_ratio 2, change_r ccid 2, change_l ccid 2>
+IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto DCCP (33), length 68)
+    139.133.209.65.5001 > 139.133.209.176.39420: DCCP (CCVal 0, CsCov 0, ) DCCP-Response (service=0) (ack=38464816766) seq 1960341146 <nop, nop, change_l ack_ratio 2, [|dccp]>
+IP (tos 0x0, ttl 64, id 65313, offset 0, flags [DF], proto DCCP (33), length 56)
+    139.133.209.176.39420 > 139.133.209.65.5001: DCCP (CCVal 0, CsCov 0, cksum 0xf53a (incorrect -> 0xf551)) DCCP-Ack (ack=1960341146) seq 38464816767 <nop, confirm_r ack_ratio 2, ack_vector0 0xe9, timestamp_echo [optlen != 6 or 8 or 10]>
+IP (tos 0x0, ttl 64, id 65314, offset 0, flags [DF], proto DCCP (33), length 152)
+    139.133.209.176.46076 > 139.133.209.65.48009: DCCP (CCVal 0, CsCov 6, ) DCCP-DataAck (ack=1960341146) seq 38464816768 <nop, nop, ack_vector0 0x00, elapsed_time 1249, ndp_count 1>
+IP (tos 0x0, ttl 64, id 3176, offset 0, flags [DF], proto DCCP (33), length 52)
+    139.133.209.65.5001 > 139.133.209.176.39420: DCCP (CCVal 0, CsCov 0, cksum 0xfc63 (correct)) DCCP-Ack (ack=38464816768) seq 1960341147 <nop, ack_vector0 0x01, elapsed_time 1>
+IP (tos 0x0, ttl 64, id 65315, offset 0, flags [DF], proto DCCP (33), length 148)
+    139.133.209.176.39420 > 139.133.209.65.5001: DCCP (CCVal 0, CsCov 6, ) DCCP-DataAck (ack=1960341147) seq 38464816769 <nop, ack_vector0 0x00, elapsed_time 84>
+IP (tos 0x0, ttl 64, id 3177, offset 0, flags [DF], proto DCCP (33), length 52)
+    139.133.209.65.5001 > 139.133.209.176.39420: DCCP (CCVal 0, CsCov 0, cksum 0x0165 (correct)) DCCP-Ack (ack=38464816769) seq 1960341148 <nop, nop, ack_vector0 0x00, ndp_count 1>
+00:07:00:42:00:00 > 00:14:22:59:55:51 Null Information, send seq 0, rcv seq 0, Flags [Command], length 148
+	0x0000:  0000 0000 1422 5955 5100 07e9 bd5d 1f08  ....."YUQ....]..
+	0x0010:  0045 0000 34ff 2040 0040 2181 8b8b 85d1  .E..4..@.@!.....
+	0x0020:  b08b 85d1 4199 fc13 8908 00aa f320 0000  ....A...........
+	0x0030:  08f4 ae86 7e00 0000                      ....~...