From patchwork Sat Jan 27 12:49:01 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sven Eckelmann X-Patchwork-Id: 18622 X-Patchwork-Delegate: sw@simonwunderlich.de Return-Path: X-Original-To: patchwork@open-mesh.org Delivered-To: patchwork@open-mesh.org Received: from diktynna.open-mesh.org (localhost [IPv6:::1]) by diktynna.open-mesh.org (Postfix) with ESMTP id DFA8583FF9 for ; Sat, 27 Jan 2024 13:52:17 +0100 (CET) ARC-Seal: i=2; cv=pass; a=rsa-sha256; d=open-mesh.org; s=20121; t=1706359937; b=Ex9Iphk0533mfQict7jfGVwYGZNiH4aG9Bm0JqRWmlxgYg5Q3b3Wky1e3qe+IfE16HOc9 VlptyFskkg1Dw+HC/XZB66jwVp8FqOXXrT7eJ9sR957YaiPITpkiHn3SJtPWVoWWDW3kkQD xH9W5Y/nLklSme5Xto74v0FA3Vl9QCM= ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=open-mesh.org; s=20121; t=1706359937; h=from : sender : reply-to : subject : date : message-id : to : cc : mime-version : content-type : content-transfer-encoding : content-id : content-description : resent-date : resent-from : resent-sender : resent-to : resent-cc : resent-message-id : in-reply-to : references : list-id : list-help : list-unsubscribe : list-subscribe : list-post : list-owner : list-archive; bh=lKbzh0HYhx673USzsx2jXNg08b/xV+LZN0cXoP4TYhU=; b=PqERmNfzD6wDUlqN/BeEuvPf+2kV/CyG1240r7tCrt63ZvhKHRt/gZNaJZyzo8fK7S+Rw AZ8xLjbSyVlh6KhPWTQ6+PO/bOVlsFErFcCqSPpdpIIYM9jYMvvd/LaJ/0Of2axXRH7YCli vYhXHatPqUeRNcG9WYO9Kd1L353O0fE= ARC-Authentication-Results: i=2; open-mesh.org; dkim=pass header.d=narfation.org; arc=pass; dmarc=pass (Used From Domain Record) header.from=narfation.org policy.dmarc=none Authentication-Results: open-mesh.org; dkim=pass header.d=narfation.org; arc=pass; dmarc=pass (Used From Domain Record) header.from=narfation.org policy.dmarc=none Received: from dvalin.narfation.org (dvalin.narfation.org [IPv6:2a00:17d8:100::8b1]) by diktynna.open-mesh.org (Postfix) with ESMTPS id 04E4583E50 for ; Sat, 27 Jan 2024 13:49:40 +0100 (CET) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=open-mesh.org; s=20121; t=1706359781; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=lKbzh0HYhx673USzsx2jXNg08b/xV+LZN0cXoP4TYhU=; b=Q3yG7mI/zcDxaNDPEG7RPnfF3S9d9zQerFJPwks9udxHj8EgUfc4VMWBLx18yUesOOxWC3 VkGzLcYR4gcDQ7HczlPjfpOErHiZFylljGY3dD9YnPR5tYhj17cOWIbVyIUbsiiI+4o4l/ b23WIkyDs9yTmqkMMoTKxsCOVRQMhCQ= ARC-Seal: i=1; s=20121; d=open-mesh.org; t=1706359781; a=rsa-sha256; cv=none; b=W8QzE6atGcdxzmD1nLUdgksmtE3+o5YxxYLAQ/oFZNhuKJXtpAKreJwLH5UoICG7VTjZS3 RAo5CjOm+zdccTRgLVPvEBl08UC/LI86pcJiEok1OnR8ycWA4+QBmBo3kWbMVUVx8Y/llu ltSDVo2wiT5k1AoQm3SV2jCJ/aiUwkk= ARC-Authentication-Results: i=1; diktynna.open-mesh.org; dkim=pass header.d=narfation.org header.s=20121 header.b="cf/yYAyn"; spf=pass (diktynna.open-mesh.org: domain of sven@narfation.org designates 2a00:17d8:100::8b1 as permitted sender) smtp.mailfrom=sven@narfation.org; dmarc=pass (policy=none) header.from=narfation.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=narfation.org; s=20121; t=1706359780; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=lKbzh0HYhx673USzsx2jXNg08b/xV+LZN0cXoP4TYhU=; b=cf/yYAyndzX6B/zAGFG00Od/mR/oPCsXb7D9UzZQt3ZqyDv01zrskmOGskLyNrvLxcJMX5 hixJnjRLhhb2pzxAZehGa8NQYObG7xeYL+crK8OBMhnqRkAeJziz/bomVVeOzDc3TzItmF yfUWZ07Vg1d1m2fwnEd5IcJ6WEcAX6M= From: Sven Eckelmann Date: Sat, 27 Jan 2024 13:49:01 +0100 Subject: [PATCH 3/6] batctl: tcpdump: Fix IPv4 header length check MIME-Version: 1.0 Message-Id: <20240127-tcpdump_fuzzing-v1-3-fbc1e1d3fec1@narfation.org> References: <20240127-tcpdump_fuzzing-v1-0-fbc1e1d3fec1@narfation.org> In-Reply-To: <20240127-tcpdump_fuzzing-v1-0-fbc1e1d3fec1@narfation.org> To: b.a.t.m.a.n@lists.open-mesh.org Cc: Sven Eckelmann X-Mailer: b4 0.12.4 X-Developer-Signature: v=1; a=openpgp-sha256; l=1140; i=sven@narfation.org; h=from:subject:message-id; bh=B98DKAqnawGRxlS+ETWC9dWxg0rcjAfykx17Tn9ZJn4=; b=owEBbQKS/ZANAwAKAV2HCgfBJntGAcsmYgBltPvh/mqx+FT8svm2arQpsYw2UlLf+fZX6VL/J 50ht/W3ze6JAjMEAAEKAB0WIQQXXSuHYSVz3OMy4AJdhwoHwSZ7RgUCZbT74QAKCRBdhwoHwSZ7 RrroD/93bmkWz3BUWHoxgPY6r0nDK2ld20OsSyJne7tqSwJU5yzhx2gh+QRzDfFy4Wmlxf/j9kT 8aTzKjupYn9e1mDrI90TeEiaj1Y77e5iH/vmhBjF2LlQkHWvLU2gGCk2PfAMA0mgxi5VCmA/5aE ghqhG0taHZA01Evtmy50uYei/UGF+vt8UG28PAXgb0w+TkH1xrmiiAVsIquF+yNzeJZt7dUceO3 0kUHT0sELGfz0MK3fKmnN73kci/opxTL+747IxKyUP4+Rn4sm00WS7yPj+j5ap62cf6J0B2miRO PgB4ZhPRjYYNwehcnuR3QX9UhHmxev4VS9q2+y0/csjcZ43RjtFTagLq3wTaEnY1nmF0dlnTe4f NGrcUirIhMA4YEeyMcIeew1YiOqueVZUX78i60QYiqaydA8ZqkuhX8L2SykpeHs+8uwd7WggnLF 9gxgSumIVEHYG+ha8cRyZL+lmFd1VPlAUMtFfpx7vB0fSJpMrWg9Q6nmV+nyGII8AGAAgO1hT5z Ml77/f+xnCWC55/o/WT0+30ED4PpuAF0nCqEbUlCRxbzBqflrmkTwLIdPgwUkd9EMyWH0R2Ci51 D5zkG6rs+hUHyF7HliDTd5xjOQVHPoasI1OTbs4vc9nK/SDTyTRDili2M0I+t1rl5CarnfLONoO bE9GX/zQE2TsyNw== X-Developer-Key: i=sven@narfation.org; a=openpgp; fpr=522D7163831C73A635D12FE5EC371482956781AF Message-ID-Hash: HRSOXCCT7SUNRFYGQQ32DGM3TDBVRORM X-Message-ID-Hash: HRSOXCCT7SUNRFYGQQ32DGM3TDBVRORM X-MailFrom: sven@narfation.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-b.a.t.m.a.n.lists.open-mesh.org-0; header-match-b.a.t.m.a.n.lists.open-mesh.org-1; header-match-b.a.t.m.a.n.lists.open-mesh.org-2; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: The list for a Better Approach To Mobile Ad-hoc Networking Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: dump_ip() is directly accessing the header in the header length check and assumes that ihl can be trusted. But when when ihl is set to something less than 5 then it would not even be possible to store the basic IPv4 header in it. But dump_ip would have still accepted it because it didn't check if there are at least enough bytes available to read the basic IPv4 header. So it is possible that it tries to read outside of the received data. Fixes: 75d68356f3fa ("[batctl] tcpdump - add basic IPv4 support") Signed-off-by: Sven Eckelmann --- tcpdump.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tcpdump.c b/tcpdump.c index 9bb4b9e..3fdd7c3 100644 --- a/tcpdump.c +++ b/tcpdump.c @@ -694,7 +694,9 @@ static void dump_ip(unsigned char *packet_buff, ssize_t buff_len, struct icmphdr *icmphdr; iphdr = (struct iphdr *)packet_buff; + LEN_CHECK((size_t)buff_len, sizeof(*iphdr), ip_string); LEN_CHECK((size_t)buff_len, (size_t)(iphdr->ihl * 4), ip_string); + LEN_CHECK((size_t)(iphdr->ihl * 4), sizeof(*iphdr), ip_string); if (!time_printed) print_time();