From patchwork Sat Jan 27 12:49:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sven Eckelmann X-Patchwork-Id: 18621 X-Patchwork-Delegate: sw@simonwunderlich.de Return-Path: X-Original-To: patchwork@open-mesh.org Delivered-To: patchwork@open-mesh.org Received: from diktynna.open-mesh.org (localhost [IPv6:::1]) by diktynna.open-mesh.org (Postfix) with ESMTP id C5A0383FAA for ; Sat, 27 Jan 2024 13:51:38 +0100 (CET) ARC-Seal: i=2; cv=pass; a=rsa-sha256; d=open-mesh.org; s=20121; t=1706359898; b=lZrwnTn18BPD2zXYVNCvW1Mi1AfTv6jdQO26ZgJ/jqZNT9qh6x/miiwL0NZVa7AVwm26j wMoeoCMxMzBd5ObNY5jynJLvEYaQntKEhW4cblCTO7xAAeQY7HiW7q6tmYQwyPLVU7JTHPi /lFecLX8Oy1CJj7nQ73OQFVMNFp0MLw= ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=open-mesh.org; s=20121; t=1706359898; h=from : sender : reply-to : subject : date : message-id : to : cc : mime-version : content-type : content-transfer-encoding : content-id : content-description : resent-date : resent-from : resent-sender : resent-to : resent-cc : resent-message-id : in-reply-to : references : list-id : list-help : list-unsubscribe : list-subscribe : list-post : list-owner : list-archive; bh=VEKUmSptcAFbw63kMDxylosb6Nfy3BC46rmfCgFDenI=; b=LILrMaUEWtD9kbHsrMcmIlb7ajeVcFOXmw/FusYz8gCFyfrn9+Co1rc7vflbAqCyjKDxN /ArIrZDCKfLUApq0TwM3Bw47GgNyh9b0D9bSiSRdOXpbKN7Cmf0lW5XTXkm+PoLrhiPp7Xx D4Kz+M0dIzJTOc2qSoTNi7ihKjVL8fk= ARC-Authentication-Results: i=2; open-mesh.org; dkim=pass header.d=narfation.org; arc=pass; dmarc=pass (Used From Domain Record) header.from=narfation.org policy.dmarc=none Authentication-Results: open-mesh.org; dkim=pass header.d=narfation.org; arc=pass; dmarc=pass (Used From Domain Record) header.from=narfation.org policy.dmarc=none Received: from dvalin.narfation.org (dvalin.narfation.org [213.160.73.56]) by diktynna.open-mesh.org (Postfix) with ESMTPS id 9493E83E50 for ; Sat, 27 Jan 2024 13:49:40 +0100 (CET) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=open-mesh.org; s=20121; t=1706359780; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=VEKUmSptcAFbw63kMDxylosb6Nfy3BC46rmfCgFDenI=; b=jtU8Yj7lzNK/cz8YNzsNcMs/eVPP8cDFdebAdrkYqC5lGAvAXrQfz5XiqGy9CHrrSReOVI hXLINVEYOr9CxkwUiicSkkdIsIJd43eH3ksqgTNp6YDNP3u0QMidYjJALpd35EIV/7UIxb ylRV+XxlRjZrO74nj8f8C1ik9zIzERo= ARC-Seal: i=1; s=20121; d=open-mesh.org; t=1706359780; a=rsa-sha256; cv=none; b=X8eEeHW3HQyyoV76fcz1285toUSL2xFUr1viAIMtjb0FEY99fSNK7rzZgpzu8J/33WYOjB 8fmUiD/gqpTtKwwB1PyuJ7hv8h9H0x4+A5C6JWFSUB3AaX3vbRqt6lvHBJ8+p1rle79yBj c00M54ryrDH6k3mBDWDL6iQXHpbiPVY= ARC-Authentication-Results: i=1; diktynna.open-mesh.org; dkim=pass header.d=narfation.org header.s=20121 header.b=kTh+VrRC; spf=pass (diktynna.open-mesh.org: domain of sven@narfation.org designates 213.160.73.56 as permitted sender) smtp.mailfrom=sven@narfation.org; dmarc=pass (policy=none) header.from=narfation.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=narfation.org; s=20121; t=1706359780; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=VEKUmSptcAFbw63kMDxylosb6Nfy3BC46rmfCgFDenI=; b=kTh+VrRCyxtwLvZ11Tl+vGObNtsHMFsSM9072vWX/GmsnPI/weqa9P8Kx5H7tWNv7ZaB9/ kCeNEbgS9Gq/S/2kpCS8X1gUfRf/B7XJmXwz+WhW5d+99cspTBROLxTJZaEnxJpDGe2iiJ VqkhdlwJLjWP0pYEBsFPqRHvvKZcDTA= From: Sven Eckelmann Date: Sat, 27 Jan 2024 13:49:00 +0100 Subject: [PATCH 2/6] batctl: tcpdump: Add missing throughput header length check MIME-Version: 1.0 Message-Id: <20240127-tcpdump_fuzzing-v1-2-fbc1e1d3fec1@narfation.org> References: <20240127-tcpdump_fuzzing-v1-0-fbc1e1d3fec1@narfation.org> In-Reply-To: <20240127-tcpdump_fuzzing-v1-0-fbc1e1d3fec1@narfation.org> To: b.a.t.m.a.n@lists.open-mesh.org Cc: Sven Eckelmann X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=1529; i=sven@narfation.org; h=from:subject:message-id; bh=7wrGpjc1T1ftj6xlo9ovUP1bb+CCPI4G3XrkPhbuRoc=; b=owEBbQKS/ZANAwAKAV2HCgfBJntGAcsmYgBltPvg3nRz4JX6GrZpFb2Rig/WIc/KKYh60LpMH Kp8txXKLlyJAjMEAAEKAB0WIQQXXSuHYSVz3OMy4AJdhwoHwSZ7RgUCZbT74AAKCRBdhwoHwSZ7 RqOOD/4gXGXxuxH0bvQIvvt1g55kEEmSYGMeE3j5DL5ldlu06+3W/Fpy6FCd/iiAkQI8ciEpOKD OaZ9gBSyamQwNiadjyLPX2MxY3PNPX1sDnOtaRZYIyXwazAvWpVth++nhNpGzizL5yJa3cTGZ+5 ag4wFQeoi4/VqKF12IcBOL+adC2el4SlCi869bLCk9VEpqdvWmPIGvYfgNWf3EiZ+sGAiOn8/HH OXVvEoMBmxj7m96ceahyvQc1gYgWaY7HEMVKWAOKyJtbk0NTEjaZzbWjBZIRqNzoibGM5clqKKU msh0OcQKUdhYDajtf05fLyKt2XD7c2LEnnYZi3y2DEtypeQgFXuH61i6Z4aaPwQwya8kTQ2/mQB Rteu6BqkB7DpqZw3YYAVqjafdbkbiMy5lwkVfxS0zHubz7217SWdeW0OHeIYcYM/2c23h8b2Zxm tCbTYyVyDTRo7hygVTJ9he5IT7R3L2RgbZsgp6XfDSaLZv4kdg1VpJuubzK/vHsHVrfNVfgaFwa mpVhznunPB6UKvl2q19mwsUAKL74FUuOAuiNUZYiYsBdCK4IHAtg7pJtkgwTj6keDnPvHl9Qy8d O4wB/mOsT3xsSoP+q1MSIigwjdsDX0STo47WL1WyM88fJVDQWeZV+/Ud4jRMrVBnytr65WZJYEK 0nxDG400bfnVRHQ== X-Developer-Key: i=sven@narfation.org; a=openpgp; fpr=522D7163831C73A635D12FE5EC371482956781AF Message-ID-Hash: JBSX6CDCJSYXKYSIM4YAICYHBOQRYNTS X-Message-ID-Hash: JBSX6CDCJSYXKYSIM4YAICYHBOQRYNTS X-MailFrom: sven@narfation.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-b.a.t.m.a.n.lists.open-mesh.org-0; header-match-b.a.t.m.a.n.lists.open-mesh.org-1; header-match-b.a.t.m.a.n.lists.open-mesh.org-2; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: The list for a Better Approach To Mobile Ad-hoc Networking Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: dump_batman_icmp() is only doing a length check for the original ICMP packet length. But the throughput packet (which is also handled by this function) is accessed without doing an additional length check. So it is possible that it tries to read outside of the received data. Fixes: f109b3473f86 ("batctl: introduce throughput meter support") Signed-off-by: Sven Eckelmann --- tcpdump.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tcpdump.c b/tcpdump.c index d15c32e..9bb4b9e 100644 --- a/tcpdump.c +++ b/tcpdump.c @@ -911,7 +911,6 @@ static void dump_batman_icmp(unsigned char *packet_buff, ssize_t buff_len, int r LEN_CHECK((size_t)buff_len - sizeof(struct ether_header), sizeof(struct batadv_icmp_packet), "BAT ICMP"); icmp_packet = (struct batadv_icmp_packet *)(packet_buff + sizeof(struct ether_header)); - tp = (struct batadv_icmp_tp_packet *)icmp_packet; if (!time_printed) print_time(); @@ -942,6 +941,10 @@ static void dump_batman_icmp(unsigned char *packet_buff, ssize_t buff_len, int r (size_t)buff_len - sizeof(struct ether_header)); break; case BATADV_TP: + LEN_CHECK((size_t)buff_len - sizeof(struct ether_header), sizeof(*tp), "BAT TP"); + + tp = (struct batadv_icmp_tp_packet *)icmp_packet; + printf("%s: ICMP TP type %s (%hhu), id %hhu, seq %u, ttl %2d, v %d, length %zu\n", name, tp->subtype == BATADV_TP_MSG ? "MSG" : tp->subtype == BATADV_TP_ACK ? "ACK" : "N/A",