While we're at it, clean up some other bounds checks, so we check that we have a complete IPv4 message header if it's IPv4 and a complete IPv6 message header if it's IPv6. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add tests using the capture files supplied by the reporter(s).
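The per-address-family header check the commit message describes, as an added standalone example (this is not tcpdump's print-olsr.c code): header sizes follow RFC 3626, while the status codes, function names and the sample buffers are assumptions, with the samples constructed to mirror field values seen in the expected output below.

```c
#include <stddef.h>
#include <stdint.h>

/* OLSR message header, RFC 3626: type(1) vtime(1) size(2) originator(4 for
   IPv4, 16 for IPv6) ttl(1) hops(1) seq(2). Names and status codes are assumptions. */
#define OLSR_MSG_HDR_V4 12
#define OLSR_MSG_HDR_V6 24

enum olsr_status { OLSR_OK = 0, OLSR_TRUNCATED = -1, OLSR_BAD_LENGTH = -2 };

struct olsr_msg { uint8_t type, vtime, ttl, hops; uint16_t size, seq; };

static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse one message header from the `len` bytes at `p`. The complete header
   for the address family is required before any field is read, and the
   declared message size must then fit in what remains of the packet. */
int olsr_parse_msg(const uint8_t *p, size_t len, int is_v6, struct olsr_msg *out)
{
    size_t hdr = is_v6 ? OLSR_MSG_HDR_V6 : OLSR_MSG_HDR_V4;
    size_t addr = is_v6 ? 16 : 4;
    if (len < hdr)
        return OLSR_TRUNCATED;       /* caller prints "[|olsr]" and stops */
    out->type  = p[0];
    out->vtime = p[1];
    out->size  = get_be16(p + 2);
    out->ttl   = p[4 + addr];
    out->hops  = p[5 + addr];
    out->seq   = get_be16(p + 6 + addr);
    if (out->size < hdr || out->size > len)
        return OLSR_BAD_LENGTH;      /* caller prints "length N (invalid)" */
    return OLSR_OK;
}

/* Constructed inputs (not the reporter's captures): a 12-byte Nameservice
   header mirroring the expected-output values, and a Powerinfo header that
   declares 9216 bytes while only 12 are present. */
int olsr_sample(int which)
{
    static const uint8_t ns[12]  = {0x82, 0x10, 0x00, 0x0c, 126, 198, 193, 192, 26, 145, 0x00, 0x08};
    static const uint8_t pwr[12] = {0x80, 0x10, 0x24, 0x00, 0, 1, 0, 0, 255, 255, 0x00, 0x00};
    struct olsr_msg m;
    switch (which) {
    case 0:  return olsr_parse_msg(ns, sizeof ns, 0, &m);       /* OLSR_OK */
    case 1:  return olsr_parse_msg(ns, sizeof ns - 1, 0, &m);   /* one byte short: OLSR_TRUNCATED */
    case 2:  return olsr_parse_msg(ns, sizeof ns, 1, &m);       /* 12 bytes < IPv6 header: OLSR_TRUNCATED */
    default: return olsr_parse_msg(pwr, sizeof pwr, 0, &m);     /* 9216 > 12: OLSR_BAD_LENGTH */
    }
}
```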
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| IP truncated-ip - 2315 bytes missing! (tos 0x0, ttl 18, id 4111, offset 0, flags [+, DF, rsvd], proto UDP (17), length 5373, bad cksum 8e7f (->9764)!) | ||
| 15.251.128.192.698 > 193.192.186.0.122: OLSRv4, seq 0x0800, length 2056 | ||
| Nameservice Message (0x82), originator 126.198.193.192, ttl 26, hop 145 | ||
| vtime 0.062s, msg-seq 0x0008, length 127[|olsr] | ||
infrastation
Member
| IP truncated-ip - 2315 bytes missing! (tos 0x0, ttl 18, id 4111, offset 0, flags [+, DF, rsvd], proto UDP (17), length 5373, bad cksum 8e7f (->975f)!) | ||
| 16.0.128.192.698 > 193.192.186.0.122: OLSRv4, seq 0x0400, length 512 | ||
| Powerinfo Message (0x80), originator 0.1.0.0, ttl 255, hop 255 | ||
| vtime 0.500s, msg-seq 0x0000, length 9216 (invalid) | ||
| IP truncated-ip - 2315 bytes missing! (tos 0x0, ttl 18, id 4111, offset 0, flags [+, DF, rsvd], proto UDP (17), length 5373, bad cksum 8e7f (->9764)!) | ||
| 15.251.128.192.698 > 193.192.186.0.122: OLSRv4, seq 0x0800, length 2056 | ||
| Nameservice Message (0x82), originator 126.198.193.192, ttl 26, hop 145 | ||
| vtime 0.062s, msg-seq 0x0008, length 100[|olsr] | ||
| IP truncated-ip - 2315 bytes missing! (tos 0x0, ttl 18, id 4111, offset 0, flags [+, DF, rsvd], proto UDP (17), length 5373, bad cksum 8e7f (->975f)!) | ||
| 16.0.128.192.698 > 193.192.186.0.122: OLSRv4, seq 0x0800, length 2056 | ||
| Nameservice Message (0x82), originator 126.198.193.192, ttl 26, hop 145 | ||
| vtime 0.062s, msg-seq 0x5c50, length 185[|olsr] | ||
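Review bot: the assertions this expected-output file encodes are the `[|olsr]` truncation markers on the three Nameservice messages and the `length 9216 (invalid)` annotation on the Powerinfo message, but nothing here ties the file to the over-read it guards against; add a short note (in the test list entry or the commit message) naming which reporter-supplied capture produces this output and stating that the `[|olsr]` lines are the intended result of the new message-header bounds check, so that a later change to those strings is recognised as a deliberate behaviour change rather than test noise.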
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| [|ether] | ||
| [|ether] | ||
| IP6 (flowlabel 0x06400, hlim 0, next-header UDP (17) payload length: 5401) 0:24::1e:a0a:141e.698 > 38fd:7f49:eaff:ffff:2025:7373:7562:2573.2: OLSRv6, seq 0x0201, length 5393[|olsr] |
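Review bot: only the third frame in this hunk exercises the IPv6 message-header check; the first two print just `[|ether]`, so they are too short even for the Ethernet header and never reach the OLSR code. That is acceptable as a regression input, but it is worth stating in the commit message or the test name that the IPv6 path is covered by a single packet whose declared OLSRv6 length of 5393 exceeds what was captured (hence the trailing `[|olsr]`), so the coverage is not overstated.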
A slight failure on this test using MSVC. The diff:
A whopping 1 msec!
The same for the other vtime values. Caused by the ME_TO_DOUBLE() macro used in print-olsr.c. Seems this macro ass-u-mes gcc.
Edit: I ran all tests using my Python script, not the bash/perl stuff (works like a charm).