diff options
| author | Guy Harris <gharris@sonic.net> | 2023-04-25 13:37:56 -0700 |
|---|---|---|
| committer | Guy Harris <gharris@sonic.net> | 2023-04-25 13:37:56 -0700 |
| commit | f305b205c5678bfc675ba7f9578343f6ab204899 (patch) | |
| tree | 8bea828346c37bd797ce56c3fa6f0d5b97403e64 | |
| parent | 5c13f551fa9b08396f4b385c6b16447f718a518b (diff) | |
| download | tcpdump-f305b205c5678bfc675ba7f9578343f6ab204899.tar.gz | |
nhrp: fix infinite loop on malformed packets.
If a CIE doesn't fit in the remainder of the mandatory part, return the
length of that remainder, so that the loop processing the CIE
terminates.
Add capture that produced the infinite loop.
| -rw-r--r-- | print-nhrp.c | 10 | ||||
| -rw-r--r-- | tests/TESTLIST | 1 | ||||
| -rw-r--r-- | tests/pb_nhrp_1.out | 2 | ||||
| -rw-r--r-- | tests/pb_nhrp_1.pcap | bin | 0 -> 124 bytes |
4 files changed, 13 insertions, 0 deletions
diff --git a/print-nhrp.c b/print-nhrp.c index 800d5c53..6947a7ca 100644 --- a/print-nhrp.c +++ b/print-nhrp.c @@ -480,5 +480,15 @@ nhrp_print_cie(netdissect_options *ndo, const u_char *data, uint16_t mand_part_l invalid: nd_print_invalid(ndo); + + /* + * We get here because this CIE goes past thE remaining length, + * of the mandatory part. We've reported that error; we now + * assignt he insufficnetly-large remaining piece of the + * mandatory part to this CIE, so that this CIE finishes up + * the mandatory part, and the loop processing the CIEs + * terminates. There cannot be any CIEs after this one. + */ + cie_len += mand_part_len; return (cie_len); } diff --git a/tests/TESTLIST b/tests/TESTLIST index 6dd75921..dbc38425 100644 --- a/tests/TESTLIST +++ b/tests/TESTLIST @@ -918,6 +918,7 @@ NHRP_registration NHRP_registration.pcap NHRP_registration.out -v NHRP-responder-address NHRP-responder-address.pcap NHRP-responder-address.out -v nhrp-trace nhrp-trace.pcap nhrp-trace.out -v nhrp nhrp.pcap nhrp.out -v +pb_nhrp_1 pb_nhrp_1.pcap pb_nhrp_1.out -v # Undefined behavior tests ip-snmp-leftshift-unsigned ip-snmp-leftshift-unsigned.pcap ip-snmp-leftshift-unsigned.out diff --git a/tests/pb_nhrp_1.out b/tests/pb_nhrp_1.out new file mode 100644 index 00000000..a1b5f94f --- /dev/null +++ b/tests/pb_nhrp_1.out @@ -0,0 +1,2 @@ + 1 13:37:05.16842874 IP (tos 0xc, id 0, offset 0, flags [rsvd], proto unknown (54), length 64, options (unknown 107 [bad length 37]), bad cksum 101 (->41a4)!) + 62.41.66.144 > 191.215.63.14: NHRP: res request, id 0, hopcnt 103, unknown-nbma-addr-family-5dc9 (01), proto type 007b 67 -> 49 [remaining mandatory part length 8 < 12] (invalid) diff --git a/tests/pb_nhrp_1.pcap b/tests/pb_nhrp_1.pcap Binary files differnew file mode 100644 index 00000000..35791942 --- /dev/null +++ b/tests/pb_nhrp_1.pcap |