
Commit 0b661e0

(for 4.9.3) LMP: Add some missing bounds checks
In lmp_print_data_link_subobjs(), these problems were identified through code review. Moreover: Add and use tstr[]. Update two test outputs accordingly.
1 parent d97e942 commit 0b661e0


3 files changed

+11
-7
lines changed


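--- a/print-lmp.c
+++ b/print-lmp.c
@@ -31,6 +31,8 @@
 #include "addrtoname.h"
 #include "gmpls.h"
 
+static const char tstr[] = " [|LMP]";
+
 /*
 * LMP common header
 *
@@ -367,6 +369,7 @@ lmp_print_data_link_subobjs(netdissect_options *ndo, const u_char *obj_tptr,
 } bw;
 
 while (total_subobj_len > 0 && hexdump == FALSE ) {
+ND_TCHECK_16BITS(obj_tptr + offset);
 subobj_type = EXTRACT_8BITS(obj_tptr + offset);
 subobj_len = EXTRACT_8BITS(obj_tptr + offset + 1);
 ND_PRINT((ndo, "\n\t Subobject, Type: %s (%u), Length: %u",
@@ -389,11 +392,13 @@ lmp_print_data_link_subobjs(netdissect_options *ndo, const u_char *obj_tptr,
 }
 switch(subobj_type) {
 case INT_SWITCHING_TYPE_SUBOBJ:
+ND_TCHECK_8BITS(obj_tptr + offset + 2);
 ND_PRINT((ndo, "\n\t Switching Type: %s (%u)",
 tok2str(gmpls_switch_cap_values,
 "Unknown",
 EXTRACT_8BITS(obj_tptr + offset + 2)),
 EXTRACT_8BITS(obj_tptr + offset + 2)));
+ND_TCHECK_8BITS(obj_tptr + offset + 3);
 ND_PRINT((ndo, "\n\t Encoding Type: %s (%u)",
 tok2str(gmpls_encoding_values,
 "Unknown",
@@ -403,11 +408,13 @@ lmp_print_data_link_subobjs(netdissect_options *ndo, const u_char *obj_tptr,
 bw.i = EXTRACT_32BITS(obj_tptr+offset+4);
 ND_PRINT((ndo, "\n\t Min Reservable Bandwidth: %.3f Mbps",
 bw.f*8/1000000));
+ND_TCHECK_32BITS(obj_tptr + offset + 8);
 bw.i = EXTRACT_32BITS(obj_tptr+offset+8);
 ND_PRINT((ndo, "\n\t Max Reservable Bandwidth: %.3f Mbps",
 bw.f*8/1000000));
 break;
 case WAVELENGTH_SUBOBJ:
+ND_TCHECK_32BITS(obj_tptr + offset + 4);
 ND_PRINT((ndo, "\n\t Wavelength: %u",
 EXTRACT_32BITS(obj_tptr+offset+4)));
 break;
@@ -1141,7 +1148,7 @@ lmp_print(netdissect_options *ndo,
 }
 return;
 trunc:
-ND_PRINT((ndo, "\n\t\t packet exceeded snapshot"));
+ND_PRINT((ndo, "%s", tstr));
 }
 /*
 * Local Variables: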
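Review bot: In the `case INT_SWITCHING_TYPE_SUBOBJ:` and `case WAVELENGTH_SUBOBJ:` hunks, the added `ND_TCHECK_*` calls bound each read by the captured data only, not by the subobject's own `subobj_len`. The switching-type case reads through `offset + 11` and the wavelength case through `offset + 7` whatever length the subobject declares. The expected output in tests/lmp-lmp_print_data_link_subobjs-oobr.out is consistent with this: a subobject with `Length: 4` still gets past Encoding Type and stops only on truncation, so bytes beyond the declared subobject would be printed as bandwidth when they are present in the capture. Unless the lines between the hunks (not shown) already reject it, add a per-type minimum before the field reads, for example `if (subobj_len < 12) { ND_PRINT((ndo, " (subobject too short)")); break; }` in the switching-type case and the same test against 8 in the wavelength case. lmp_print_data_link_subobjs() starts and ends outside these hunks.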

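--- a/tests/lmp-lmp_print_data_link_subobjs-oobr.out
+++ b/tests/lmp-lmp_print_data_link_subobjs-oobr.out
@@ -7,8 +7,7 @@ IP (tos 0xfd,ECT(1), ttl 254, id 45839, offset 0, flags [+, DF, rsvd], proto UDP
 Remote Interface ID: 3657433088 (0xda000000)
 Subobject, Type: Interface Switching Type (1), Length: 4
 Switching Type: Unknown (0)
-Encoding Type: Unknown (0)
-packet exceeded snapshot
+Encoding Type: Unknown (0) [|LMP]
 IP (tos 0xfd,ECT(1), ttl 254, id 45839, offset 0, flags [+, DF, rsvd], proto UDP (17), length 56871, bad cksum fe07 (->ddf0)!)
 17.8.8.255.701 > 40.184.42.8.12:
 LMPv1, msg-type: unknown, type: 249, Flags: [none], length: 212
@@ -18,5 +17,4 @@ IP (tos 0xfd,ECT(1), ttl 254, id 45839, offset 0, flags [+, DF, rsvd], proto UDP
 Remote Interface ID: 3657433088 (0xda000000)
 Subobject, Type: Interface Switching Type (1), Length: 4
 Switching Type: Unknown (0)
-Encoding Type: Unknown (0)
-packet exceeded snapshot
+Encoding Type: Unknown (0) [|LMP]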

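--- a/tests/lmpv1_busyloop.out
+++ b/tests/lmpv1_busyloop.out
@@ -38,5 +38,4 @@
 0x01d0: 0200 0200 0002 0002 0000 0200 0200 0002
 0x01e0: 0002 0000 0200 0200 0002 0002 0000 0200
 0x01f0: 0200 0002 0002 0000 0200 0200 0002 0002
-Unknown Object (0), Class-Type: Unknown (0) Flags: [non-negotiable], length: 512
-packet exceeded snapshot
+Unknown Object (0), Class-Type: Unknown (0) Flags: [non-negotiable], length: 512 [|LMP]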
