[3/6] batctl: tcpdump: Fix IPv4 header length check

Message ID 20240127-tcpdump_fuzzing-v1-3-fbc1e1d3fec1@narfation.org (mailing list archive)
State Accepted, archived
Delegated to: Simon Wunderlich
Series batctl: tcpdump: Fix problems detected during fuzzing

Commit Message

Sven Eckelmann Jan. 27, 2024, 12:49 p.m. UTC
dump_ip() is directly accessing the header in the header length check and
assumes that ihl can be trusted. But when ihl is set to something less
than 5 then it would not even be possible to store the basic IPv4 header in
it. But dump_ip would have still accepted it because it didn't check if
there are at least enough bytes available to read the basic IPv4 header. So
it is possible that it tries to read outside of the received data.

Fixes: 75d68356f3fa ("[batctl] tcpdump - add basic IPv4 support")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
---
 tcpdump.c | 2 ++
 1 file changed, 2 insertions(+)
  

Patch

diff --git a/tcpdump.c b/tcpdump.c
index 9bb4b9e..3fdd7c3 100644
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -694,7 +694,9 @@  static void dump_ip(unsigned char *packet_buff, ssize_t buff_len,
 	struct icmphdr *icmphdr;
 
 	iphdr = (struct iphdr *)packet_buff;
+	LEN_CHECK((size_t)buff_len, sizeof(*iphdr), ip_string);
 	LEN_CHECK((size_t)buff_len, (size_t)(iphdr->ihl * 4), ip_string);
+	LEN_CHECK((size_t)(iphdr->ihl * 4), sizeof(*iphdr), ip_string);
 
 	if (!time_printed)
 		print_time();
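
Review bot: The added third check, `LEN_CHECK((size_t)(iphdr->ihl * 4), sizeof(*iphdr), ip_string);`, passes a header field as the first argument where the two checks above it pass the buffer length, so it deserves a one-line comment stating that it rejects an ihl below 5 (a header length smaller than the basic IPv4 header), otherwise it reads like a duplicated buffer check. It would also read more naturally placed before the `iphdr->ihl * 4` buffer comparison, so ihl is validated before it is used as a length. Separately, both buffer checks cast `buff_len` with `(size_t)buff_len` while the function signature declares it as `ssize_t`; a negative value would convert to a very large `size_t` and satisfy both comparisons, so it is worth confirming that no caller can pass a negative length, or rejecting `buff_len < 0` before the cast.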