From patchwork Sat Jan 27 12:48:59 2024
X-Patchwork-Submitter: Sven Eckelmann
X-Patchwork-Id: 18620
X-Patchwork-Delegate: sw@simonwunderlich.de
From: Sven Eckelmann
Date: Sat, 27 Jan 2024 13:48:59 +0100
Subject: [PATCH 1/6] batctl: tcpdump: Fix missing sanity check for batman-adv header
Message-Id: <20240127-tcpdump_fuzzing-v1-1-fbc1e1d3fec1@narfation.org>
References: <20240127-tcpdump_fuzzing-v1-0-fbc1e1d3fec1@narfation.org>
In-Reply-To: <20240127-tcpdump_fuzzing-v1-0-fbc1e1d3fec1@narfation.org>
To: b.a.t.m.a.n@lists.open-mesh.org
Cc: Sven Eckelmann
X-Mailer: b4 0.12.4
X-Developer-Key: i=sven@narfation.org; a=openpgp; fpr=522D7163831C73A635D12FE5EC371482956781AF
List-Id: The list for a Better Approach To Mobile Ad-hoc Networking

parse_eth_hdr() is assuming that every ETH_P_BATMAN ethernet packet has a valid, minimal batman-adv header (packet_type, version, ttl) attached. But it doesn't actually check if the received buffer has enough bytes to access the two bytes packet_type + version. So it is possible that it tries to read outside of the received data.

Fixes: 3bdfc388e74b ("implement simple tcpdump, first only batman packets")
Signed-off-by: Sven Eckelmann
---
 tcpdump.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tcpdump.c b/tcpdump.c
index d340af9..d15c32e 100644
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -1167,6 +1167,9 @@ static void parse_eth_hdr(unsigned char *packet_buff, ssize_t buff_len, int read dump_vlan(packet_buff, buff_len, read_opt, time_printed); break; case ETH_P_BATMAN: + /* check for batman-adv packet_type + version */ + LEN_CHECK(buff_len, sizeof(*eth_hdr) + 2, "BAT HEADER") + batman_ogm_packet = (struct batadv_ogm_packet *)(packet_buff + ETH_HLEN); if ((read_opt & COMPAT_FILTER) && From patchwork Sat Jan 27 12:49:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sven Eckelmann X-Patchwork-Id: 18621 X-Patchwork-Delegate: sw@simonwunderlich.de Return-Path: X-Original-To: patchwork@open-mesh.org Delivered-To: patchwork@open-mesh.org Received: from diktynna.open-mesh.org (localhost [IPv6:::1]) by diktynna.open-mesh.org (Postfix) with ESMTP id C5A0383FAA for ; Sat, 27 Jan 2024 13:51:38 +0100 (CET) ARC-Seal: i=2; cv=pass; a=rsa-sha256; d=open-mesh.org; s=20121; t=1706359898; b=lZrwnTn18BPD2zXYVNCvW1Mi1AfTv6jdQO26ZgJ/jqZNT9qh6x/miiwL0NZVa7AVwm26j wMoeoCMxMzBd5ObNY5jynJLvEYaQntKEhW4cblCTO7xAAeQY7HiW7q6tmYQwyPLVU7JTHPi /lFecLX8Oy1CJj7nQ73OQFVMNFp0MLw= ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=open-mesh.org; s=20121; t=1706359898; h=from : sender : reply-to : subject : date : message-id : to : cc : mime-version : content-type : content-transfer-encoding : content-id : content-description : resent-date : resent-from : resent-sender : resent-to : resent-cc : resent-message-id : in-reply-to : references : list-id : list-help : list-unsubscribe : list-subscribe : list-post : list-owner : list-archive; bh=VEKUmSptcAFbw63kMDxylosb6Nfy3BC46rmfCgFDenI=; b=LILrMaUEWtD9kbHsrMcmIlb7ajeVcFOXmw/FusYz8gCFyfrn9+Co1rc7vflbAqCyjKDxN /ArIrZDCKfLUApq0TwM3Bw47GgNyh9b0D9bSiSRdOXpbKN7Cmf0lW5XTXkm+PoLrhiPp7Xx D4Kz+M0dIzJTOc2qSoTNi7ihKjVL8fk= ARC-Authentication-Results: i=2; open-mesh.org; dkim=pass header.d=narfation.org; arc=pass; dmarc=pass (Used From Domain Record) 
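Review bot: in the ETH_P_BATMAN hunk of PATCH 1/6 the new `LEN_CHECK(buff_len, sizeof(*eth_hdr) + 2, "BAT HEADER")` passes the raw `ssize_t buff_len` and carries no trailing semicolon, whereas every other LEN_CHECK in this series is written `LEN_CHECK((size_t)buff_len ..., ..., "...");`. Suggest `LEN_CHECK((size_t)buff_len, sizeof(*eth_hdr) + 2, "BAT HEADER");` so the macro sees the same operand type at every call site and the statement style stays uniform. The bare `2` also deserves a name, or the comment should spell out that it stands for the packet_type and version octets, since the commit message lists three minimal header fields (packet_type, version, ttl) while the check covers two; and the check measures the Ethernet header as `sizeof(*eth_hdr)` while the cast two lines later uses `ETH_HLEN`, so one spelling of that length would be preferable.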
From: Sven Eckelmann
Date: Sat, 27 Jan 2024 13:49:00 +0100
Subject: [PATCH 2/6] batctl: tcpdump: Add missing throughput header length check
Message-Id: <20240127-tcpdump_fuzzing-v1-2-fbc1e1d3fec1@narfation.org>
References: <20240127-tcpdump_fuzzing-v1-0-fbc1e1d3fec1@narfation.org>
In-Reply-To: <20240127-tcpdump_fuzzing-v1-0-fbc1e1d3fec1@narfation.org>
To: b.a.t.m.a.n@lists.open-mesh.org
Cc: Sven Eckelmann
X-Mailer: b4 0.12.4
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-b.a.t.m.a.n.lists.open-mesh.org-0; header-match-b.a.t.m.a.n.lists.open-mesh.org-1; header-match-b.a.t.m.a.n.lists.open-mesh.org-2; nonmember-moderation; administrivia; implicit-dest;
max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: The list for a Better Approach To Mobile Ad-hoc Networking Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: dump_batman_icmp() is only doing a length check for the original ICMP packet length. But the throughput packet (which is also handled by this function) is accessed without doing an additional length check. So it is possible that it tries to read outside of the received data. Fixes: f109b3473f86 ("batctl: introduce throughput meter support") Signed-off-by: Sven Eckelmann --- tcpdump.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tcpdump.c b/tcpdump.c index d15c32e..9bb4b9e 100644 --- a/tcpdump.c +++ b/tcpdump.c @@ -911,7 +911,6 @@ static void dump_batman_icmp(unsigned char *packet_buff, ssize_t buff_len, int r LEN_CHECK((size_t)buff_len - sizeof(struct ether_header), sizeof(struct batadv_icmp_packet), "BAT ICMP"); icmp_packet = (struct batadv_icmp_packet *)(packet_buff + sizeof(struct ether_header)); - tp = (struct batadv_icmp_tp_packet *)icmp_packet; if (!time_printed) print_time(); 
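Review bot: with `tp = (struct batadv_icmp_tp_packet *)icmp_packet;` removed from the top of dump_batman_icmp(), `tp` is assigned only inside `case BATADV_TP:` further down; please confirm that no other case label or post-switch code still reads `tp`, because any such read is now of an uninitialised pointer (a build with -Wmaybe-uninitialized should settle it either way). Moving the assignment behind a length check is the right direction: the cast itself is harmless, but an early assignment invites a dereference before the TP-specific bound is known.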
@@ -942,6 +941,10 @@ static void dump_batman_icmp(unsigned char *packet_buff, ssize_t buff_len, int r (size_t)buff_len - sizeof(struct ether_header)); break; case BATADV_TP: + LEN_CHECK((size_t)buff_len - sizeof(struct ether_header), sizeof(*tp), "BAT TP"); + + tp = (struct batadv_icmp_tp_packet *)icmp_packet; + printf("%s: ICMP TP type %s (%hhu), id %hhu, seq %u, ttl %2d, v %d, length %zu\n", name, tp->subtype == BATADV_TP_MSG ? "MSG" : tp->subtype == BATADV_TP_ACK ? "ACK" : "N/A", From patchwork Sat Jan 27 12:49:01 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sven Eckelmann X-Patchwork-Id: 18622 X-Patchwork-Delegate: sw@simonwunderlich.de Return-Path: X-Original-To: patchwork@open-mesh.org Delivered-To: patchwork@open-mesh.org Received: from diktynna.open-mesh.org (localhost [IPv6:::1]) by diktynna.open-mesh.org (Postfix) with ESMTP id DFA8583FF9 for ; Sat, 27 Jan 2024 13:52:17 +0100 (CET) ARC-Seal: i=2; cv=pass; a=rsa-sha256; d=open-mesh.org; s=20121; t=1706359937; b=Ex9Iphk0533mfQict7jfGVwYGZNiH4aG9Bm0JqRWmlxgYg5Q3b3Wky1e3qe+IfE16HOc9 VlptyFskkg1Dw+HC/XZB66jwVp8FqOXXrT7eJ9sR957YaiPITpkiHn3SJtPWVoWWDW3kkQD xH9W5Y/nLklSme5Xto74v0FA3Vl9QCM= ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=open-mesh.org; s=20121; t=1706359937; h=from : sender : reply-to : subject : date : message-id : to : cc : mime-version : content-type : content-transfer-encoding : content-id : content-description : resent-date : resent-from : resent-sender : resent-to : resent-cc : resent-message-id : in-reply-to : references : list-id : list-help : list-unsubscribe : list-subscribe : list-post : list-owner : list-archive; bh=lKbzh0HYhx673USzsx2jXNg08b/xV+LZN0cXoP4TYhU=; b=PqERmNfzD6wDUlqN/BeEuvPf+2kV/CyG1240r7tCrt63ZvhKHRt/gZNaJZyzo8fK7S+Rw AZ8xLjbSyVlh6KhPWTQ6+PO/bOVlsFErFcCqSPpdpIIYM9jYMvvd/LaJ/0Of2axXRH7YCli vYhXHatPqUeRNcG9WYO9Kd1L353O0fE= ARC-Authentication-Results: i=2; open-mesh.org; dkim=pass 
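Review bot: in the BATADV_TP hunk of PATCH 2/6, `LEN_CHECK((size_t)buff_len - sizeof(struct ether_header), sizeof(*tp), "BAT TP");` is evaluated while `tp` is still unassigned; that is well defined because sizeof does not evaluate its operand, but `sizeof(struct batadv_icmp_tp_packet)` would mirror the `sizeof(struct batadv_icmp_packet)` used for the "BAT ICMP" check at the top of the function and spare the reader the question. Since that earlier check only guarantees `sizeof(struct batadv_icmp_packet)` bytes, this second check is what actually covers the larger TP layout; a one-line comment saying so would stop a later cleanup from treating it as redundant.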
From: Sven Eckelmann
Date: Sat, 27 Jan 2024 13:49:01 +0100
Subject: [PATCH 3/6] batctl: tcpdump: Fix IPv4 header length check
Message-Id: <20240127-tcpdump_fuzzing-v1-3-fbc1e1d3fec1@narfation.org>
References: <20240127-tcpdump_fuzzing-v1-0-fbc1e1d3fec1@narfation.org>
In-Reply-To: <20240127-tcpdump_fuzzing-v1-0-fbc1e1d3fec1@narfation.org>
To: b.a.t.m.a.n@lists.open-mesh.org
Cc: Sven Eckelmann
X-Mailer: b4 0.12.4

dump_ip() is directly accessing the header in the header length check and assumes that ihl can be trusted. But when ihl is set to something less than 5 then it would not even be possible to store the basic IPv4 header in it. But dump_ip would have still accepted it because it didn't check if there are at least enough bytes available to read the basic IPv4 header. So it is possible that it tries to read outside of the received data.

Fixes: 75d68356f3fa ("[batctl] tcpdump - add basic IPv4 support")
Signed-off-by: Sven Eckelmann
---
 tcpdump.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tcpdump.c b/tcpdump.c
index 9bb4b9e..3fdd7c3 100644
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -694,7 +694,9 @@ static void dump_ip(unsigned char *packet_buff, ssize_t buff_len, struct icmphdr *icmphdr; iphdr = (struct iphdr *)packet_buff; + LEN_CHECK((size_t)buff_len, sizeof(*iphdr), ip_string); LEN_CHECK((size_t)buff_len, (size_t)(iphdr->ihl * 4), ip_string); + LEN_CHECK((size_t)(iphdr->ihl * 4), sizeof(*iphdr), ip_string); if (!time_printed) print_time(); From patchwork Sat Jan 27 12:49:02 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sven Eckelmann X-Patchwork-Id: 18623 X-Patchwork-Delegate: sw@simonwunderlich.de Return-Path: X-Original-To: patchwork@open-mesh.org Delivered-To: patchwork@open-mesh.org Received: from diktynna.open-mesh.org (localhost [IPv6:::1]) by diktynna.open-mesh.org (Postfix) with ESMTP id 2A51183F3C for ; Sat, 27 Jan 2024 13:52:59 +0100 (CET) ARC-Seal: i=2; cv=pass; a=rsa-sha256; d=open-mesh.org; s=20121; t=1706359979; b=QMvMR1ncJ3bJ4pCeYuTUYmRKr9dLlLNbFcOC5eHGVy7dEfUGzgf8C3Ml3e8VaNTGS0Ism kIJkNuIHdGtYCzPTUbuPQcWavWPXEv/HV3boNEFhXMkPDEVCbR9kzBXk4vA6V6JOnRb7Jj9 DEAfGPFuUgRtkYuhlDv6zCWmFj1zf98= ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=open-mesh.org; s=20121; t=1706359979; h=from : sender : reply-to : subject : date : message-id : to : cc : mime-version : content-type : content-transfer-encoding : content-id : content-description : resent-date : resent-from : resent-sender : resent-to : resent-cc : resent-message-id : in-reply-to : references : list-id : list-help : list-unsubscribe : list-subscribe : list-post : list-owner : list-archive; bh=MlZqupngQ4hOf43zDc8rcYPDe1chXjmjhx93knF68kg=; b=f2v8TGeVLsFHGVsgThGOlmKfG6dVt08/D1WwWlqztu4zbGMYGuUFXfEAsmBdwyqyIe/q4 EL/7y6NHoEepVvfKAjwtowDXJbjCQCtjxKWRTQ6EEDYX1ved/wvDNhAbeuppCqaAbucWTgy q+LES1vDdtYorfX/mY8XTolEA7eE8PQ= ARC-Authentication-Results: i=2; open-mesh.org; dkim=pass header.d=narfation.org; arc=pass; dmarc=pass (Used From Domain Record) header.from=narfation.org policy.dmarc=none 
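Review bot: the three LEN_CHECKs in the dump_ip() hunk of PATCH 3/6 all report the same `ip_string`, so a rejected frame gives no hint which bound failed (fixed header missing, `ihl * 4` past the buffer, or `ihl < 5`); consider distinct messages, as the series does elsewhere with "BAT TP" and "ICMPv6 Neighbor Advertisement". The third call, `LEN_CHECK((size_t)(iphdr->ihl * 4), sizeof(*iphdr), ip_string);`, also feeds a header field in as the "available length" operand, which reads oddly for a macro otherwise given buffer lengths; an explicit `if (iphdr->ihl < 5)` with its own message would say what is being rejected. The ordering itself is sound: `iphdr->ihl` is only read after the first check has guaranteed `sizeof(*iphdr)` bytes.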
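The commit messages in this series all describe one defect class: a header field or struct is dereferenced before the parser has confirmed that its bytes lie inside the received buffer. The following is an added example, not batctl code and not part of this patch series, that walks an Ethernet + IPv4 frame with that discipline in C. It generalises the three IPv4 bounds of PATCH 3/6 (fixed header present before `ihl` is read, `ihl * 4` within the buffer, `ihl * 4` at least the fixed header) by also validating `tot_len`, and it returns a distinct code per bound so a fuzzer can tell which check fired. Every `ex_`/`EX_` identifier and the frame bytes are constructions of this example.

```c
/* Added example, not batctl code: the "check before you dereference" rule the
 * tcpdump_fuzzing series enforces, on a minimal Ethernet + IPv4 walk. All ex_*
 * and EX_* names and the frame bytes are constructions of this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EX_ETH_HLEN      14u       /* Ethernet II header */
#define EX_ETHERTYPE_IP  0x0800u
#define EX_IPV4_MIN_HLEN 20u       /* IPv4 header without options (ihl == 5) */

/* One verdict per bound so a test (or fuzzer) can see which check rejected input. */
enum ex_verdict {
	EX_OK = 0,
	EX_SHORT_ETH,      /* fewer than 14 bytes */
	EX_NOT_IPV4,       /* ethertype is not 0x0800 */
	EX_SHORT_IP_MIN,   /* fewer than 20 bytes after Ethernet: ihl not yet readable */
	EX_BAD_IHL,        /* ihl < 5: header cannot hold its own fixed fields */
	EX_SHORT_IP_IHL,   /* ihl * 4 bytes claimed but not present */
	EX_BAD_TOT_LEN     /* tot_len below the header length or beyond the buffer */
};

struct ex_ipv4_view {
	const uint8_t *payload;  /* first byte after the IPv4 header */
	size_t payload_len;      /* payload bytes covered by tot_len */
};

/* Each field read is preceded by a check that its bytes lie in [buf, buf + len). */
enum ex_verdict ex_parse_eth_ipv4(const uint8_t *buf, size_t len,
				  struct ex_ipv4_view *out)
{
	if (len < EX_ETH_HLEN)
		return EX_SHORT_ETH;
	if ((((unsigned int)buf[12] << 8) | buf[13]) != EX_ETHERTYPE_IP)
		return EX_NOT_IPV4;

	const uint8_t *ip = buf + EX_ETH_HLEN;
	size_t avail = len - EX_ETH_HLEN;
	/* 1. The fixed header must be present before ihl may be read at all. */
	if (avail < EX_IPV4_MIN_HLEN)
		return EX_SHORT_IP_MIN;

	/* 2. ihl is attacker controlled: check the lower and the upper bound. */
	unsigned int ihl = ip[0] & 0x0f;
	size_t hdr_len = (size_t)ihl * 4;
	if (hdr_len < EX_IPV4_MIN_HLEN)
		return EX_BAD_IHL;
	if (avail < hdr_len)
		return EX_SHORT_IP_IHL;

	/* 3. tot_len is untrusted too: it must cover the header and fit the buffer. */
	unsigned int tot_len = ((unsigned int)ip[2] << 8) | ip[3];
	if (tot_len < hdr_len || tot_len > avail)
		return EX_BAD_TOT_LEN;

	if (out) {
		out->payload = ip + hdr_len;
		out->payload_len = tot_len - hdr_len;
	}
	return EX_OK;
}

/* Constructed frame: Ethernet + IPv4 (ihl 5, tot_len 28, proto UDP) + 8 payload bytes. */
static const uint8_t ex_frame[42] = {
	0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
	0x45,0x00, 0x00,0x1c, 0x00,0x00, 0x40,0x00, 0x40,0x11, 0x00,0x00,
	10,0,0,1, 10,0,0,2,
	1,2,3,4,5,6,7,8
};

/* Payload length the parser extracts from the full frame, or (size_t)-1 if rejected. */
size_t ex_good_payload_len(void)
{
	struct ex_ipv4_view v;
	if (ex_parse_eth_ipv4(ex_frame, sizeof ex_frame, &v) != EX_OK)
		return (size_t)-1;
	return v.payload_len;
}

/* The frame cut to n bytes: which bound rejects it? */
enum ex_verdict ex_check_truncated(size_t n)
{
	return ex_parse_eth_ipv4(ex_frame, n < sizeof ex_frame ? n : sizeof ex_frame, NULL);
}

/* The frame with its ihl nibble overwritten and cut to n bytes (the PATCH 3/6 case). */
enum ex_verdict ex_check_ihl(unsigned int ihl, size_t n)
{
	uint8_t f[sizeof ex_frame];
	memcpy(f, ex_frame, sizeof f);
	f[EX_ETH_HLEN] = (uint8_t)(0x40 | (ihl & 0x0f));
	return ex_parse_eth_ipv4(f, n < sizeof f ? n : sizeof f, NULL);
}

int main(void)
{
	printf("full frame: payload %zu bytes\n", ex_good_payload_len());
	printf("20 bytes -> %d, ihl=4 -> %d, ihl=6 in 34 bytes -> %d\n",
	       ex_check_truncated(20), ex_check_ihl(4, 42), ex_check_ihl(6, 34));
	return 0;
}
```

The `ihl = 4` case is the one the PATCH 3/6 message describes: a lone `buff_len >= ihl * 4` test accepts 16 bytes and the dissector then reads the 20-byte fixed header past what it verified. Checking the fixed header first, then both bounds of `ihl`, removes that gap; the separate verdict codes are what make the behaviour observable under a fuzzer instead of a single opaque rejection.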
From: Sven Eckelmann
Date: Sat, 27 Jan 2024 13:49:02 +0100
Subject: [PATCH 4/6] batctl: tcpdump: Add missing ICMPv6 Neighbor Advert length check
Message-Id: <20240127-tcpdump_fuzzing-v1-4-fbc1e1d3fec1@narfation.org>
References: <20240127-tcpdump_fuzzing-v1-0-fbc1e1d3fec1@narfation.org>
In-Reply-To: <20240127-tcpdump_fuzzing-v1-0-fbc1e1d3fec1@narfation.org>
To: b.a.t.m.a.n@lists.open-mesh.org
Cc: Sven Eckelmann, Marco Dalla Torre
X-Mailer: b4 0.12.4

dump_ipv6() is doing a length check for the original ICMPv6 header length. But the neighbor advertisement (which is also handled by this function) is accessed without doing an additional length check. So it is possible that it tries to read outside of the received data.

Fixes: 35b37756f4a3 ("add IPv6 support to tcpdump parser")
Cc: Marco Dalla Torre
Signed-off-by: Sven Eckelmann
---
 tcpdump.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tcpdump.c b/tcpdump.c
index 3fdd7c3..2ae3909 100644
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -659,6 +659,8 @@ static void dump_ipv6(unsigned char *packet_buff, ssize_t buff_len, nd_nas_target, buff_len); break; case ND_NEIGHBOR_ADVERT: + LEN_CHECK((size_t)buff_len - (size_t)(sizeof(struct ip6_hdr)), + sizeof(*nd_advert), "ICMPv6 Neighbor Advertisement"); nd_advert = (struct nd_neighbor_advert *)icmphdr; inet_ntop(AF_INET6, &(nd_advert->nd_na_target), nd_nas_target, 40); From patchwork Sat Jan 27 12:49:03 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sven Eckelmann X-Patchwork-Id: 18624 X-Patchwork-Delegate: sw@simonwunderlich.de Return-Path: X-Original-To: patchwork@open-mesh.org Delivered-To: patchwork@open-mesh.org Received: from diktynna.open-mesh.org (localhost [IPv6:::1]) by diktynna.open-mesh.org (Postfix) with ESMTP id 6168E83FB4 for ; Sat, 27 Jan 2024 13:53:38 +0100 (CET) ARC-Seal: i=2; cv=pass; a=rsa-sha256; d=open-mesh.org; s=20121; t=1706360018; b=mh5bLeDAdrLH9QEfDgjrE2ysmy4CmeunmLE/A3L0HbhAT/NPFBDE0lvPhBUVkhm0JqCKd 2Mcbw/8n6UvH9olx4N7YhXb4A6uTV+LFU+S2m5nSK/Bh91ZFAe/AQ5Wiie26ujI8m0GTr+q D1nEPYATmN7EcuH4pSXGha17cCfOiCI= ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=open-mesh.org; s=20121; t=1706360018; h=from : sender : reply-to : subject : date : message-id : to : cc : mime-version : content-type : content-transfer-encoding : content-id : content-description : resent-date : resent-from : resent-sender : resent-to : resent-cc : resent-message-id : in-reply-to : references : list-id : list-help : list-unsubscribe : list-subscribe : list-post : list-owner : list-archive; bh=UtlVVIBjOyaz/zwofisz1CbBdPe+cnIjnq9cGan2Wv4=; b=IcbHT5cG/C46LKIwCF+fCeT2ZnFTq6MzaIjT8Ah8rCTZL7UW1okTT23rjoQCv95lzoHnN K1fyDWbJaQUisozj7iU7ytfxn7jkYUb2i2Gde7gL9rJx4U3z3rO6AdZNmesBG8H76bFZVEL UX8ivCZTmlI9ktwda5WWOkIR84fECPU= ARC-Authentication-Results: i=2; open-mesh.org; dkim=pass header.d=narfation.org; arc=pass; dmarc=pass (Used From Domain Record) header.from=narfation.org 
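Review bot: the ND_NEIGHBOR_ADVERT check in PATCH 4/6 subtracts `sizeof(struct ip6_hdr)` from `buff_len`, so it is only correct if `buff_len` in dump_ipv6() is counted from the start of the IPv6 header, i.e. `icmphdr == packet_buff + sizeof(struct ip6_hdr)`; please confirm that base, since the neighbouring code passes `(size_t)buff_len - sizeof(struct icmp6_hdr)` downwards and a mismatch would make this check off by one header. The `(size_t)` cast around `sizeof(struct ip6_hdr)` is redundant, sizeof already yields size_t. Pre-existing but visible in the context lines: `inet_ntop(AF_INET6, &(nd_advert->nd_na_target), nd_nas_target, 40)` discards its return value and uses 40 where the API is documented for INET6_ADDRSTRLEN (46); switching to INET6_ADDRSTRLEN and checking for NULL would be a sensible follow-up.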
From: Sven Eckelmann
Date: Sat, 27 Jan 2024 13:49:03 +0100
Subject: [PATCH 5/6] batctl: tcpdump: Add missing ICMPv6 Neighbor Solicit length check
Message-Id: <20240127-tcpdump_fuzzing-v1-5-fbc1e1d3fec1@narfation.org>
References: <20240127-tcpdump_fuzzing-v1-0-fbc1e1d3fec1@narfation.org>
In-Reply-To: <20240127-tcpdump_fuzzing-v1-0-fbc1e1d3fec1@narfation.org>
To: b.a.t.m.a.n@lists.open-mesh.org
Cc: Sven Eckelmann, Marco Dalla Torre
X-Mailer: b4 0.12.4

dump_ipv6() is doing a length check for the original ICMPv6 header length. But the neighbor solicitation (which is also handled by this function) is accessed without doing an additional length check. So it is possible that it tries to read outside of the received data.

Fixes: 35b37756f4a3 ("add IPv6 support to tcpdump parser")
Cc: Marco Dalla Torre
Signed-off-by: Sven Eckelmann
---
 tcpdump.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tcpdump.c b/tcpdump.c
index 2ae3909..c253755 100644
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -652,6 +652,8 @@ static void dump_ipv6(unsigned char *packet_buff, ssize_t buff_len, (size_t)buff_len - sizeof(struct icmp6_hdr)); break; case ND_NEIGHBOR_SOLICIT: + LEN_CHECK((size_t)buff_len - (size_t)(sizeof(struct ip6_hdr)), + sizeof(*nd_neigh_sol), "ICMPv6 Neighbor Solicitation"); nd_neigh_sol = (struct nd_neighbor_solicit *)icmphdr; inet_ntop(AF_INET6, &(nd_neigh_sol->nd_ns_target), nd_nas_target, 40); From patchwork Sat Jan 27 12:49:04 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sven Eckelmann X-Patchwork-Id: 18625 X-Patchwork-Delegate: sw@simonwunderlich.de Return-Path: X-Original-To: patchwork@open-mesh.org Delivered-To: patchwork@open-mesh.org Received: from diktynna.open-mesh.org (localhost [IPv6:::1]) by diktynna.open-mesh.org (Postfix) with ESMTP id DF9EE841C2 for ; Sat, 27 Jan 2024 13:54:17 +0100 (CET) ARC-Seal: i=2; cv=pass; a=rsa-sha256; d=open-mesh.org; s=20121; t=1706360057; b=uUNFsv1qW79Z9yiV3mE24Iz5bP5aH993Ngh4TCFlfvKLBoovyLWieEexgOXvkxJn4trMP PqczBEh/doafeGV2hgjQXTpvmwnbHI4YTkL3Q/K0HFJmdlpdzJG98DdP2UQemqTBLuLnlcy jkkyIwQTWtiMS3nuGbLkLywk8aWfJpg= ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=open-mesh.org; s=20121; t=1706360057; h=from : sender : reply-to : subject : date : message-id : to : cc : mime-version : content-type : content-transfer-encoding : content-id : content-description : resent-date : resent-from : resent-sender : resent-to : resent-cc : resent-message-id : in-reply-to : references : list-id : list-help : list-unsubscribe : list-subscribe : list-post : list-owner : list-archive; bh=edNpqI2Ax1xBqzK1JgfpbRiTEL/jztpppUzA5TA+nj8=; b=yYEIpzSpjakyHXf9F1kgTBYb5WTHcdMp5h0N5ewfdEZFcSuO2zHhk5U7a4DV4KjAJjGKD vElhI13gkFXW1YmzP39MCkFAT+7tASoxvt/xtGr7AMNX9Q1DDojiI51pFEFGFCW6pYYeeFs ehdIBgUBISjo9N4N9gjFG5/5O1KnK60= ARC-Authentication-Results: i=2; open-mesh.org; dkim=pass header.d=narfation.org; arc=pass; dmarc=pass (Used From Domain Record) 
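Review bot: the new LEN_CHECK in the ND_NEIGHBOR_SOLICIT case takes sizeof(*nd_neigh_sol) one line before nd_neigh_sol is assigned; that is valid C because sizeof does not evaluate its operand, but sizeof(struct nd_neighbor_solicit) would read more naturally beside the cast on the following line and removes the impression of a use before assignment. The available length is computed as (size_t)buff_len - (size_t)(sizeof(struct ip6_hdr)), i.e. relative to the fixed IPv6 header only, so the bound is exact only when the ICMPv6 header immediately follows that fixed header; a short comment stating that no IPv6 extension headers are accounted for at this point would document the assumption next to the check.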
From: Sven Eckelmann
Date: Sat, 27 Jan 2024 13:49:04 +0100
Subject: [PATCH 6/6] batctl: tcpdump: Fix ICMPv4 inner IPv4 header length check
Message-Id: <20240127-tcpdump_fuzzing-v1-6-fbc1e1d3fec1@narfation.org>
References: <20240127-tcpdump_fuzzing-v1-0-fbc1e1d3fec1@narfation.org>
In-Reply-To: <20240127-tcpdump_fuzzing-v1-0-fbc1e1d3fec1@narfation.org>
To: b.a.t.m.a.n@lists.open-mesh.org
Cc: Sven Eckelmann
X-Mailer: b4 0.12.4
X-Developer-Key: i=sven@narfation.org; a=openpgp; fpr=522D7163831C73A635D12FE5EC371482956781AF

dump_ip() is doing a length check for the inner (inside ICMP) IPv4 header length. But it is just assuming that the inner ICMPv4 header has ihl set to 5 - without actually checking for this. The more complex IPv4 header length check for the outer IPv4 header is missing before it tries to access the UDP header using the inner ihl IPv4 header length information. So it is possible that it tries to read outside of the received data.

Fixes: 75d68356f3fa ("[batctl] tcpdump - add basic IPv4 support")
Signed-off-by: Sven Eckelmann
---
 tcpdump.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/tcpdump.c b/tcpdump.c
index c253755..c6aca27 100644
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -730,12 +730,20 @@ static void dump_ip(unsigned char *packet_buff, ssize_t buff_len, (size_t)buff_len - (iphdr->ihl * 4)); break; case ICMP_DEST_UNREACH: - LEN_CHECK((size_t)buff_len - (iphdr->ihl * 4) - sizeof(struct icmphdr), - sizeof(struct iphdr) + 8, "ICMP DEST_UNREACH"); - switch (icmphdr->code) { case ICMP_PORT_UNREACH: + LEN_CHECK((size_t)buff_len - (iphdr->ihl * 4) - sizeof(struct icmphdr), + sizeof(struct iphdr), "ICMP DEST_UNREACH"); + + /* validate inner IP header information */ tmp_iphdr = (struct iphdr *)(((char *)icmphdr) + sizeof(struct icmphdr)); + LEN_CHECK((size_t)buff_len - (iphdr->ihl * 4) - sizeof(struct icmphdr), + (size_t)(tmp_iphdr->ihl * 4), "ICMP DEST_UNREACH"); + LEN_CHECK((size_t)(tmp_iphdr->ihl * 4), sizeof(*iphdr), "ICMP DEST_UNREACH"); + + LEN_CHECK((size_t)buff_len - (iphdr->ihl * 4) - sizeof(struct icmphdr) - (tmp_iphdr->ihl * 4), + sizeof(*tmp_udphdr), "ICMP DEST_UNREACH"); + tmp_udphdr = (struct udphdr *)(((char *)tmp_iphdr) + (tmp_iphdr->ihl * 4)); printf("%s: ICMP ", ipdst);
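Review bot: all four new LEN_CHECK calls in the ICMP_PORT_UNREACH case carry the identical message "ICMP DEST_UNREACH", so when one of them trips the output no longer says whether the inner IP header, its ihl, or the quoted UDP header was short; the single check being removed was at least unambiguous. Distinct strings such as "ICMP DEST_UNREACH inner IP" and "ICMP DEST_UNREACH inner UDP" would keep the diagnostic useful. The order of the checks is right: sizeof(struct iphdr) is proven available before tmp_iphdr->ihl is read, tmp_iphdr->ihl * 4 is bounded by the remaining length, and LEN_CHECK((size_t)(tmp_iphdr->ihl * 4), sizeof(*iphdr), ...) rejects ihl < 5 before the value becomes the offset of tmp_udphdr; but the unsigned chain in the last check, buff_len - (iphdr->ihl * 4) - sizeof(struct icmphdr) - (tmp_iphdr->ihl * 4), cannot wrap only because each earlier LEN_CHECK leaves the function on failure, and the "validate inner IP header information" comment is the natural place to say so. Finally, the length check moved from before switch (icmphdr->code) into the ICMP_PORT_UNREACH case, so any other code branch of that switch that reads the quoted inner header now runs without one; worth confirming that none does.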
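To make the check order of the second patch concrete, here is an added example of a bounds-checked parser for the same message shape (ICMPv4 Destination Unreachable / Port Unreachable quoting the inner IPv4 header and the first 8 bytes of its UDP header). It is written for this page and is not batctl code: headers are walked by raw offset instead of the struct iphdr / icmphdr / udphdr casts used by tcpdump.c, len_ok() stands in for LEN_CHECK, the parse_status values are my own names, and the 60-byte packet is constructed, not captured. Each status value records which of the four bounds failed, which is what a fuzzing crash report would otherwise leave you to reconstruct.

```c
/* Added example, not batctl code: parse an ICMPv4 Destination Unreachable /
 * Port Unreachable message in the check order the patch above establishes,
 * so no header field is read before the bytes holding it are proven to lie
 * inside the buffer. Headers are walked by raw offset instead of the
 * <netinet/ip.h> structs, and len_ok() stands in for batctl's LEN_CHECK. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_HDR_MIN 20u  /* fixed IPv4 header, i.e. ihl must be >= 5 words */
#define ICMP_HDR_LEN  8u
#define UDP_HDR_LEN   8u  /* RFC 792: inner IP header + first 8 payload bytes */
#define PROTO_ICMP    1u
#define ICMP_DEST_UNREACH_TYPE 3u
#define ICMP_PORT_UNREACH_CODE 3u

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNC_OUTER_IP, PARSE_BAD_OUTER_IHL,   /* outer header cut off / ihl < 5 */
    PARSE_NOT_PORT_UNREACH, PARSE_TRUNC_ICMP,    /* not type 3 code 3 / ICMP cut off */
    PARSE_TRUNC_INNER_IP, PARSE_BAD_INNER_IHL,   /* quoted header cut off / ihl < 5 */
    PARSE_TRUNC_INNER_UDP                        /* quoted transport bytes cut off */
};

struct port_unreach { uint8_t inner_protocol; uint16_t inner_sport, inner_dport; };

/* LEN_CHECK's contract as a predicate: do `need` bytes fit in `avail`? */
static int len_ok(size_t avail, size_t need) { return avail >= need; }

enum parse_status parse_port_unreach(const uint8_t *pkt, size_t len,
                                     struct port_unreach *out)
{
    /* outer IPv4: the fixed part first, then the length ihl announces */
    if (!len_ok(len, IPV4_HDR_MIN)) return PARSE_TRUNC_OUTER_IP;
    size_t outer_ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (outer_ihl < IPV4_HDR_MIN) return PARSE_BAD_OUTER_IHL;
    if (!len_ok(len, outer_ihl)) return PARSE_TRUNC_OUTER_IP;
    if (pkt[9] != PROTO_ICMP) return PARSE_NOT_PORT_UNREACH;
    /* `avail` is what remains after each header; the checks above are what
     * keep the subtractions below from wrapping, hence their order matters */
    size_t avail = len - outer_ihl;
    const uint8_t *icmp = pkt + outer_ihl;
    if (!len_ok(avail, ICMP_HDR_LEN)) return PARSE_TRUNC_ICMP;
    if (icmp[0] != ICMP_DEST_UNREACH_TYPE || icmp[1] != ICMP_PORT_UNREACH_CODE)
        return PARSE_NOT_PORT_UNREACH;
    avail -= ICMP_HDR_LEN;
    const uint8_t *inner = icmp + ICMP_HDR_LEN;
    /* quoted inner IPv4 header, in the patch's order: (1) the fixed 20 bytes
     * must be present before ihl is read, (2) ihl must be >= 5 words,
     * (3) the whole header including options must fit */
    if (!len_ok(avail, IPV4_HDR_MIN)) return PARSE_TRUNC_INNER_IP;
    size_t inner_ihl = (size_t)(inner[0] & 0x0f) * 4;
    if (inner_ihl < IPV4_HDR_MIN) return PARSE_BAD_INNER_IHL;
    if (!len_ok(avail, inner_ihl)) return PARSE_TRUNC_INNER_IP;
    avail -= inner_ihl;
    /* (4) only now may the quoted transport header be read */
    if (!len_ok(avail, UDP_HDR_LEN)) return PARSE_TRUNC_INNER_UDP;
    const uint8_t *udp = inner + inner_ihl;
    out->inner_protocol = inner[9];
    out->inner_sport = (uint16_t)((udp[0] << 8) | udp[1]);
    out->inner_dport = (uint16_t)((udp[2] << 8) | udp[3]);
    return PARSE_OK;
}

/* Constructed sample, not a capture: outer IPv4 (20) + ICMP 3/3 (8) +
 * inner IPv4 with ihl=6, i.e. four NOP option bytes (24) + UDP header (8). */
static const uint8_t SAMPLE_PKT[60] = {
    0x45,0x00,0x00,0x3c, 0x00,0x00,0x00,0x00, 0x40,0x01,0x00,0x00,
    10,0,0,1, 10,0,0,2,                       /* outer 10.0.0.1 -> 10.0.0.2 */
    0x03,0x03,0x00,0x00, 0x00,0x00,0x00,0x00, /* ICMP dest unreach, port unreach */
    0x46,0x00,0x00,0x20, 0x00,0x00,0x00,0x00, 0x40,0x11,0x00,0x00,
    10,0,0,2, 10,0,0,1, 0x01,0x01,0x01,0x01,  /* inner IPv4, proto UDP, ihl=6 */
    0xc0,0x00,0x00,0x35, 0x00,0x08,0x00,0x00  /* inner UDP 49152 -> 53 */
};

/* Parse the sample as if only its first `len` bytes had been received. */
int sample_status(size_t len)
{
    struct port_unreach r;
    return parse_port_unreach(SAMPLE_PKT, len, &r);
}

/* Same, with the inner ihl overwritten (the inner header starts at byte 28). */
int sample_status_inner_ihl(unsigned ihl_words)
{
    uint8_t buf[sizeof SAMPLE_PKT];
    struct port_unreach r;
    memcpy(buf, SAMPLE_PKT, sizeof buf);
    buf[28] = (uint8_t)(0x40 | (ihl_words & 0x0f));
    return parse_port_unreach(buf, sizeof buf, &r);
}

unsigned sample_inner_dport(void)
{
    struct port_unreach r;
    return parse_port_unreach(SAMPLE_PKT, sizeof SAMPLE_PKT, &r) == PARSE_OK ? r.inner_dport : 0u;
}

int main(void)
{
    printf("status %d, inner dport %u\n", sample_status(sizeof SAMPLE_PKT), sample_inner_dport());
    return 0;
}
```

Feeding the sample truncated at 50 bytes reproduces the situation the commit message describes: the fixed 20 bytes of the inner header are present, its ihl announces 24, and the parser stops with PARSE_TRUNC_INNER_IP instead of computing a UDP header offset past the end of the buffer; an ihl of 4 is rejected as PARSE_BAD_INNER_IHL before it is ever used as an offset.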