
Commit 211124b

(for 4.9.3) CVE-2018-16229/DCCP: Fix printing "Timestamp" and "Timestamp Echo" options
Add some comments. Moreover: Put a function definition name at the beginning of the line. (This change was ported from commit 6df4852 in the master branch.) Ryan Ackroyd had independently identified this buffer over-read later by means of fuzzing and provided the packet capture file for the test.
1 parent 4846b3c commit 211124b


4 files changed

+66
-7
lines changed


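--- a/print-dccp.c
+++ b/print-dccp.c
@@ -530,7 +530,8 @@ static const struct tok dccp_option_values[] = {
 { 0, NULL }
 };
 
-static int dccp_print_option(netdissect_options *ndo, const u_char *option, u_int hlen)
+static int
+dccp_print_option(netdissect_options *ndo, const u_char *option, u_int hlen)
 {
 uint8_t optlen, i;
 
@@ -623,24 +624,62 @@ static int dccp_print_option(netdissect_options *ndo, const u_char *option, u_in
 }
 break;
 case 41:
-if (optlen == 4)
+/*
+ * 13.1. Timestamp Option
+ *
+ * +--------+--------+--------+--------+--------+--------+
+ * |00101001|00000110| Timestamp Value |
+ * +--------+--------+--------+--------+--------+--------+
+ * Type=41 Length=6
+ */
+if (optlen == 6)
 ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
 else
-ND_PRINT((ndo, " optlen != 4"));
+ND_PRINT((ndo, " [optlen != 6]"));
 break;
 case 42:
-if (optlen == 4)
+/*
+ * 13.3. Timestamp Echo Option
+ *
+ * +--------+--------+--------+--------+--------+--------+
+ * |00101010|00000110| Timestamp Echo |
+ * +--------+--------+--------+--------+--------+--------+
+ * Type=42 Len=6
+ *
+ * +--------+--------+------- ... -------+--------+--------+
+ * |00101010|00001000| Timestamp Echo | Elapsed Time |
+ * +--------+--------+------- ... -------+--------+--------+
+ * Type=42 Len=8 (4 bytes)
+ *
+ * +--------+--------+------- ... -------+------- ... -------+
+ * |00101010|00001010| Timestamp Echo | Elapsed Time |
+ * +--------+--------+------- ... -------+------- ... -------+
+ * Type=42 Len=10 (4 bytes) (4 bytes)
+ */
+switch (optlen) {
+case 6:
 ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
-else
-ND_PRINT((ndo, " optlen != 4"));
+break;
+case 8:
+ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
+ND_PRINT((ndo, " (elapsed time %u)", EXTRACT_16BITS(option + 6)));
+break;
+case 10:
+ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
+ND_PRINT((ndo, " (elapsed time %u)", EXTRACT_32BITS(option + 6)));
+break;
+default:
+ND_PRINT((ndo, " [optlen != 6 or 8 or 10]"));
+break;
+}
 break;
 case 43:
 if (optlen == 6)
 ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));
 else if (optlen == 4)
 ND_PRINT((ndo, " %u", EXTRACT_16BITS(option + 2)));
 else
-ND_PRINT((ndo, " optlen != 4 or 6"));
+ND_PRINT((ndo, " [optlen != 4 or 6]"));
 break;
 case 44:
 if (optlen > 2) {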
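Review bot: The rewritten case 42 now keeps every read (`EXTRACT_32BITS(option + 2)`, then `EXTRACT_16BITS`/`EXTRACT_32BITS(option + 6)`) within the 6, 8 or 10 bytes the matching arm accepts, but nothing in the hunk states that this is the invariant the whole switch depends on: the length check that bounds `optlen` against the captured data sits earlier in dccp_print_option, outside this hunk (inferred from the fix, not visible here), and a future arm that extracts past `option + optlen` would reintroduce exactly the over-read this commit closes. I would add, above `switch (optlen) {`, a comment such as `/* Every EXTRACT_* below must stay within optlen bytes of option; the length check at the top of this function is the only guard against reading past the captured data. */`, and the same holds for the `optlen == 6` test in case 41. As a point of style, `ND_PRINT((ndo, " %u", EXTRACT_32BITS(option + 2)));` is duplicated in the 6, 8 and 10 arms; rejecting unknown lengths first, printing the echo once, and branching on `optlen` only for the elapsed-time field would leave a single line to keep in step with the length table in the comment. dccp_print_option begins and ends outside this hunk.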

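--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -604,6 +604,7 @@ hncp_prefix-oobr hncp_prefix-oobr.pcapng hncp_prefix-oobr.out -vvv
 
 # bad packets from Ryan Ackroyd
 ieee802.11_meshhdr-oobr ieee802.11_meshhdr-oobr.pcap ieee802.11_meshhdr-oobr.out -H -c1
+dccp_options-oobr dccp_options-oobr.pcap dccp_options-oobr.out -vv -c8
 
 # RTP tests
 # fuzzed pcap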

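--- /dev/null
+++ b/tests/dccp_options-oobr.out
@@ -0,0 +1,19 @@
+IP (tos 0x0, ttl 64, id 65312, offset 0, flags [DF], proto DCCP (33), length 52)
+139.133.209.176.39420 > 139.133.209.65.5001: DCCP (CCVal 0, CsCov 0, cksum 0xaaf3 (incorrect -> 0x8bf3)) DCCP-Request (service=-189888898) seq 8 <nop, nop, nop, nop, change_l ack_ratio 2, change_r ccid 2, change_l ccid 2>
+IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto DCCP (33), length 68)
+139.133.209.65.5001 > 139.133.209.176.39420: DCCP (CCVal 0, CsCov 0, ) DCCP-Response (service=0) (ack=38464816766) seq 1960341146 <nop, nop, change_l ack_ratio 2, [|dccp]>
+IP (tos 0x0, ttl 64, id 65313, offset 0, flags [DF], proto DCCP (33), length 56)
+139.133.209.176.39420 > 139.133.209.65.5001: DCCP (CCVal 0, CsCov 0, cksum 0xf53a (incorrect -> 0xf551)) DCCP-Ack (ack=1960341146) seq 38464816767 <nop, confirm_r ack_ratio 2, ack_vector0 0xe9, timestamp_echo [optlen != 6 or 8 or 10]>
+IP (tos 0x0, ttl 64, id 65314, offset 0, flags [DF], proto DCCP (33), length 152)
+139.133.209.176.46076 > 139.133.209.65.48009: DCCP (CCVal 0, CsCov 6, ) DCCP-DataAck (ack=1960341146) seq 38464816768 <nop, nop, ack_vector0 0x00, elapsed_time 1249, ndp_count 1>
+IP (tos 0x0, ttl 64, id 3176, offset 0, flags [DF], proto DCCP (33), length 52)
+139.133.209.65.5001 > 139.133.209.176.39420: DCCP (CCVal 0, CsCov 0, cksum 0xfc63 (correct)) DCCP-Ack (ack=38464816768) seq 1960341147 <nop, ack_vector0 0x01, elapsed_time 1>
+IP (tos 0x0, ttl 64, id 65315, offset 0, flags [DF], proto DCCP (33), length 148)
+139.133.209.176.39420 > 139.133.209.65.5001: DCCP (CCVal 0, CsCov 6, ) DCCP-DataAck (ack=1960341147) seq 38464816769 <nop, ack_vector0 0x00, elapsed_time 84>
+IP (tos 0x0, ttl 64, id 3177, offset 0, flags [DF], proto DCCP (33), length 52)
+139.133.209.65.5001 > 139.133.209.176.39420: DCCP (CCVal 0, CsCov 0, cksum 0x0165 (correct)) DCCP-Ack (ack=38464816769) seq 1960341148 <nop, nop, ack_vector0 0x00, ndp_count 1>
+00:07:00:42:00:00 > 00:14:22:59:55:51 Null Information, send seq 0, rcv seq 0, Flags [Command], length 148
+0x0000: 0000 0000 1422 5955 5100 07e9 bd5d 1f08 ....."YUQ....]..
+0x0010: 0045 0000 34ff 2040 0040 2181 8b8b 85d1 .E..4..@.@!.....
+0x0020: b08b 85d1 4199 fc13 8908 00aa f320 0000 ....A...........
+0x0030: 08f4 ae86 7e00 0000 ....~...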

Diff for: tests/dccp_options-oobr.pcap

3.22 KB
Binary file not shown.
