From patchwork Sat Jan 27 12:49:04 2024
X-Patchwork-Submitter: Sven Eckelmann
X-Patchwork-Id: 18625
X-Patchwork-Delegate: sw@simonwunderlich.de

From: Sven Eckelmann
Date: Sat, 27 Jan 2024 13:49:04 +0100
Subject: [PATCH 6/6] batctl: tcpdump: Fix ICMPv4 inner IPv4 header length check
Message-Id: <20240127-tcpdump_fuzzing-v1-6-fbc1e1d3fec1@narfation.org>
References: <20240127-tcpdump_fuzzing-v1-0-fbc1e1d3fec1@narfation.org>
In-Reply-To: <20240127-tcpdump_fuzzing-v1-0-fbc1e1d3fec1@narfation.org>
To: b.a.t.m.a.n@lists.open-mesh.org
Cc: Sven Eckelmann
dump_ip() is doing a length check for the inner (inside ICMP) IPv4 header length. But it is just assuming that the inner ICMPv4 header has ihl set to 5 - without actually checking for this. The more complex IPv4 header length check for the outer IPv4 header is missing before it tries to access the UDP header using the inner ihl IPv4 header length information. So it is possible that it tries to read outside of the received data.

Fixes: 75d68356f3fa ("[batctl] tcpdump - add basic IPv4 support")
Signed-off-by: Sven Eckelmann
---
 tcpdump.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/tcpdump.c b/tcpdump.c
index c253755..c6aca27 100644
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -730,12 +730,20 @@ static void dump_ip(unsigned char *packet_buff, ssize_t buff_len, (size_t)buff_len - (iphdr->ihl * 4)); break; case ICMP_DEST_UNREACH: - LEN_CHECK((size_t)buff_len - (iphdr->ihl * 4) - sizeof(struct icmphdr), - sizeof(struct iphdr) + 8, "ICMP DEST_UNREACH"); - switch (icmphdr->code) { case ICMP_PORT_UNREACH: + LEN_CHECK((size_t)buff_len - (iphdr->ihl * 4) - sizeof(struct icmphdr), + sizeof(struct iphdr), "ICMP DEST_UNREACH"); + + /* validate inner IP header information */ tmp_iphdr = (struct iphdr *)(((char *)icmphdr) + sizeof(struct icmphdr)); + LEN_CHECK((size_t)buff_len - (iphdr->ihl * 4) - sizeof(struct icmphdr), + (size_t)(tmp_iphdr->ihl * 4), "ICMP DEST_UNREACH"); + LEN_CHECK((size_t)(tmp_iphdr->ihl * 4), sizeof(*iphdr), "ICMP DEST_UNREACH"); + + LEN_CHECK((size_t)buff_len - (iphdr->ihl * 4) - sizeof(struct icmphdr) - (tmp_iphdr->ihl * 4), + sizeof(*tmp_udphdr), "ICMP DEST_UNREACH"); + tmp_udphdr = (struct udphdr *)(((char *)tmp_iphdr) + (tmp_iphdr->ihl * 4)); printf("%s: ICMP ", ipdst);
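Review bot: the three new LEN_CHECKs in the ICMP_PORT_UNREACH case are correctly ordered for safety, because the first one (`sizeof(struct iphdr)` against the bytes remaining after the ICMP header) guarantees `tmp_iphdr->ihl` is readable before it is dereferenced, but the minimum-length check `LEN_CHECK((size_t)(tmp_iphdr->ihl * 4), sizeof(*iphdr), "ICMP DEST_UNREACH");` reads more naturally before the check that compares `tmp_iphdr->ihl * 4` against the remaining buffer, and it spells the header size `sizeof(*iphdr)` where the line above uses `sizeof(struct iphdr)`; pick one form. Two further points: the removed LEN_CHECK sat at the ICMP_DEST_UNREACH level and covered every code value, while the replacements live only inside ICMP_PORT_UNREACH, so it is worth confirming that no other code under this switch touches the inner IPv4 header (the visible context shows none, so this is fine as posted but deserves a sentence in the commit message). The expression `(size_t)buff_len - (iphdr->ihl * 4) - sizeof(struct icmphdr)` is now repeated in three consecutive checks; a local such as `size_t inner_len` computed once after the outer-header check would make the arithmetic easier to audit and harder to get out of sync in later edits.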