[2/6] batctl: tcpdump: Add missing throughput header length check

Message ID 20240127-tcpdump_fuzzing-v1-2-fbc1e1d3fec1@narfation.org (mailing list archive)
State Accepted, archived
Delegated to: Simon Wunderlich
Headers
Series batctl: tcpdump: Fix problems detected during fuzzing |

Commit Message

Sven Eckelmann Jan. 27, 2024, 12:49 p.m. UTC
  dump_batman_icmp() is only doing a length check for the original ICMP
packet length. But the throughput packet (which is also handled by this
function) is accessed without doing an additional length check. So it is
possible that it tries to read outside of the received data.

Fixes: f109b3473f86 ("batctl: introduce throughput meter support")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
---
 tcpdump.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
  

Patch

diff --git a/tcpdump.c b/tcpdump.c
index d15c32e..9bb4b9e 100644
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -911,7 +911,6 @@  static void dump_batman_icmp(unsigned char *packet_buff, ssize_t buff_len, int r
 	LEN_CHECK((size_t)buff_len - sizeof(struct ether_header), sizeof(struct batadv_icmp_packet), "BAT ICMP");
 
 	icmp_packet = (struct batadv_icmp_packet *)(packet_buff + sizeof(struct ether_header));
-	tp = (struct batadv_icmp_tp_packet *)icmp_packet;
 
 	if (!time_printed)
 		print_time();
@@ -942,6 +941,10 @@  static void dump_batman_icmp(unsigned char *packet_buff, ssize_t buff_len, int r
 			(size_t)buff_len - sizeof(struct ether_header));
 		break;
 	case BATADV_TP:
+		LEN_CHECK((size_t)buff_len - sizeof(struct ether_header), sizeof(*tp), "BAT TP");
+
+		tp = (struct batadv_icmp_tp_packet *)icmp_packet;
+
 		printf("%s: ICMP TP type %s (%hhu), id %hhu, seq %u, ttl %2d, v %d, length %zu\n",
 		       name, tp->subtype == BATADV_TP_MSG ? "MSG" :
 			     tp->subtype == BATADV_TP_ACK ? "ACK" : "N/A",