CVE-2017-13000/IEEE 802.15.4: Add more bounds checks.

While we're at it, add a bunch of macros for the frame control field's subfields, have the reserved frame types show the frame type value, use the same code path for processing source and destination addresses regardless of whether -v was specified (just leave out the addresses in non-verbose mode), and return the header length in all cases. This fixes a buffer over-read discovered by Forcepoint's security researchers Otto Airamo & Antti Levomäki. Add tests using the capture files supplied by the reporter(s).
author: Guy Harris <guy@alum.mit.edu> 2017-02-17 17:43:10 -0800
committer: Denis Ovsienko <denis@ovsienko.info> 2017-09-13 12:25:44 +0100
commit: 9be4e0b5938b705e7e36cfcb110a740c6ff0cb97 (patch)
tree: 7e8de032b68e960b82a5fcc9edfc36ef0bab7001 /print-802_15_4.c
parent: b1928b44a51455706bcfcce676e5e79571f65ae3 (diff)
download: tcpdump-9be4e0b5938b705e7e36cfcb110a740c6ff0cb97.tar.gz
1 files changed, 142 insertions, 100 deletions
diff --git a/print-802_15_4.c b/print-802_15_4.c
index 6fe6d35b..a43d0333 100644
--- a/print-802_15_4.c
+++ b/print-802_15_4.c
@@ -38,144 +38,186 @@ static const char *ftypes[] = {
 	"Data",				/* 1 */
 	"ACK",				/* 2 */
 	"Command",			/* 3 */
-	"Reserved",			/* 4 */
-	"Reserved",			/* 5 */
-	"Reserved",			/* 6 */
-	"Reserved",			/* 7 */
+	"Reserved (0x4)",		/* 4 */
+	"Reserved (0x5)",		/* 5 */
+	"Reserved (0x6)",		/* 6 */
+	"Reserved (0x7)",		/* 7 */
 };
 
-static int
-extract_header_length(uint16_t fc)
-{
-	int len = 0;
-
-	switch ((fc >> 10) & 0x3) {
-	case 0x00:
-		if (fc & (1 << 6)) /* intra-PAN with none dest addr */
-			return -1;
-		break;
-	case 0x01:
-		return -1;
-	case 0x02:
-		len += 4;
-		break;
-	case 0x03:
-		len += 10;
-		break;
-	}
-
-	switch ((fc >> 14) & 0x3) {
-	case 0x00:
-		break;
-	case 0x01:
-		return -1;
-	case 0x02:
-		len += 4;
-		break;
-	case 0x03:
-		len += 10;
-		break;
-	}
-
-	if (fc & (1 << 6)) {
-		if (len < 2)
-			return -1;
-		len -= 2;
-	}
-
-	return len;
-}
-
+/*
+ * Frame Control subfields.
+ */
+#define FC_FRAME_TYPE(fc)		((fc) & 0x7)
+#define FC_SECURITY_ENABLED		0x0008
+#define FC_FRAME_PENDING		0x0010
+#define FC_ACK_REQUEST			0x0020
+#define FC_PAN_ID_COMPRESSION		0x0040
+#define FC_DEST_ADDRESSING_MODE(fc)	(((fc) >> 10) & 0x3)
+#define FC_FRAME_VERSION(fc)		(((fc) >> 12) & 0x3)
+#define FC_SRC_ADDRESSING_MODE(fc)	(((fc) >> 14) & 0x3)
+
+#define FC_ADDRESSING_MODE_NONE		0x00
+#define FC_ADDRESSING_MODE_RESERVED	0x01
+#define FC_ADDRESSING_MODE_SHORT	0x02
+#define FC_ADDRESSING_MODE_LONG		0x03
 
 u_int
 ieee802_15_4_if_print(netdissect_options *ndo,
                       const struct pcap_pkthdr *h, const u_char *p)
 {
 	u_int caplen = h->caplen;
-	int hdrlen;
+	u_int hdrlen;
 	uint16_t fc;
 	uint8_t seq;
+	uint16_t panid = 0;
 
 	if (caplen < 3) {
-		ND_PRINT((ndo, "[|802.15.4] %x", caplen));
+		ND_PRINT((ndo, "[|802.15.4]"));
 		return caplen;
 	}
+	hdrlen = 3;
 
 	fc = EXTRACT_LE_16BITS(p);
-	hdrlen = extract_header_length(fc);
-
 	seq = EXTRACT_LE_8BITS(p + 2);
 
 	p += 3;
 	caplen -= 3;
 
-	ND_PRINT((ndo,"IEEE 802.15.4 %s packet ", ftypes[fc & 0x7]));
+	ND_PRINT((ndo,"IEEE 802.15.4 %s packet ", ftypes[FC_FRAME_TYPE(fc)]));
 	if (ndo->ndo_vflag)
 		ND_PRINT((ndo,"seq %02x ", seq));
-	if (hdrlen == -1) {
-		ND_PRINT((ndo,"invalid! "));
-		return caplen;
-	}
-
-
-	if (!ndo->ndo_vflag) {
-		p+= hdrlen;
-		caplen -= hdrlen;
-	} else {
-		uint16_t panid = 0;
 
-		switch ((fc >> 10) & 0x3) {
-		case 0x00:
+	/*
+	 * Destination address and PAN ID, if present.
+	 */
+	switch (FC_DEST_ADDRESSING_MODE(fc)) {
+	case FC_ADDRESSING_MODE_NONE:
+		if (fc & FC_PAN_ID_COMPRESSION) {
+			/*
+			 * PAN ID compression; this requires that both
+			 * the source and destination addresses be present,
+			 * but the destination address is missing.
+			 */
+			ND_PRINT((ndo, "[|802.15.4]"));
+			return hdrlen;
+		}
+		if (ndo->ndo_vflag)
 			ND_PRINT((ndo,"none "));
-			break;
-		case 0x01:
+		break;
+	case FC_ADDRESSING_MODE_RESERVED:
+		if (ndo->ndo_vflag)
 			ND_PRINT((ndo,"reserved destination addressing mode"));
-			return 0;
-		case 0x02:
-			panid = EXTRACT_LE_16BITS(p);
-			p += 2;
-			ND_PRINT((ndo,"%04x:%04x ", panid, EXTRACT_LE_16BITS(p)));
-			p += 2;
-			break;
-		case 0x03:
-			panid = EXTRACT_LE_16BITS(p);
-			p += 2;
-			ND_PRINT((ndo,"%04x:%s ", panid, le64addr_string(ndo, p)));
-			p += 8;
-			break;
+		return hdrlen;
+	case FC_ADDRESSING_MODE_SHORT:
+		if (caplen < 2) {
+			ND_PRINT((ndo, "[|802.15.4]"));
+			return hdrlen;
+		}
+		panid = EXTRACT_LE_16BITS(p);
+		p += 2;
+		caplen -= 2;
+		hdrlen += 2;
+		if (caplen < 2) {
+			ND_PRINT((ndo, "[|802.15.4]"));
+			return hdrlen;
 		}
+		if (ndo->ndo_vflag)
+			ND_PRINT((ndo,"%04x:%04x ", panid, EXTRACT_LE_16BITS(p + 2)));
+		p += 2;
+		caplen -= 2;
+		hdrlen += 2;
+		break;
+	case FC_ADDRESSING_MODE_LONG:
+		if (caplen < 2) {
+			ND_PRINT((ndo, "[|802.15.4]"));
+			return hdrlen;
+		}
+		panid = EXTRACT_LE_16BITS(p);
+		p += 2;
+		caplen -= 2;
+		hdrlen += 2;
+		if (caplen < 8) {
+			ND_PRINT((ndo, "[|802.15.4]"));
+			return hdrlen;
+		}
+		if (ndo->ndo_vflag)
+			ND_PRINT((ndo,"%04x:%s ", panid, le64addr_string(ndo, p + 2)));
+		p += 8;
+		caplen -= 8;
+		hdrlen += 8;
+		break;
+	}
+	if (ndo->ndo_vflag)
 		ND_PRINT((ndo,"< "));
 
-		switch ((fc >> 14) & 0x3) {
-		case 0x00:
+	/*
+	 * Source address and PAN ID, if present.
+	 */
+	switch (FC_SRC_ADDRESSING_MODE(fc)) {
+	case FC_ADDRESSING_MODE_NONE:
+		if (ndo->ndo_vflag)
 			ND_PRINT((ndo,"none "));
-			break;
-		case 0x01:
+		break;
+	case FC_ADDRESSING_MODE_RESERVED:
+		if (ndo->ndo_vflag)
 			ND_PRINT((ndo,"reserved source addressing mode"));
-			return 0;
-		case 0x02:
-			if (!(fc & (1 << 6))) {
-				panid = EXTRACT_LE_16BITS(p);
-				p += 2;
+		return 0;
+	case FC_ADDRESSING_MODE_SHORT:
+		if (!(fc & FC_PAN_ID_COMPRESSION)) {
+			/*
+			 * The source PAN ID is not compressed out, so
+			 * fetch it.  (Otherwise, we'll use the destination
+			 * PAN ID, fetched above.)
+			 */
+			if (caplen < 2) {
+				ND_PRINT((ndo, "[|802.15.4]"));
+				return hdrlen;
 			}
-			ND_PRINT((ndo,"%04x:%04x ", panid, EXTRACT_LE_16BITS(p)));
+			panid = EXTRACT_LE_16BITS(p);
 			p += 2;
-			break;
-		case 0x03:
-			if (!(fc & (1 << 6))) {
-				panid = EXTRACT_LE_16BITS(p);
-				p += 2;
+			caplen -= 2;
+			hdrlen += 2;
+		}
+		if (caplen < 2) {
+			ND_PRINT((ndo, "[|802.15.4]"));
+			return hdrlen;
+		}
+		if (ndo->ndo_vflag)
+			ND_PRINT((ndo,"%04x:%04x ", panid, EXTRACT_LE_16BITS(p)));
+		p += 2;
+		caplen -= 2;
+		hdrlen += 2;
+		break;
+	case FC_ADDRESSING_MODE_LONG:
+		if (!(fc & FC_PAN_ID_COMPRESSION)) {
+			/*
+			 * The source PAN ID is not compressed out, so
+			 * fetch it.  (Otherwise, we'll use the destination
+			 * PAN ID, fetched above.)
+			 */
+			if (caplen < 2) {
+				ND_PRINT((ndo, "[|802.15.4]"));
+				return hdrlen;
 			}
-                        ND_PRINT((ndo,"%04x:%s ", panid, le64addr_string(ndo, p)));
-			p += 8;
-			break;
+			panid = EXTRACT_LE_16BITS(p);
+			p += 2;
+			caplen -= 2;
+			hdrlen += 2;
 		}
-
-		caplen -= hdrlen;
+		if (caplen < 8) {
+			ND_PRINT((ndo, "[|802.15.4]"));
+			return hdrlen;
+		}
+		if (ndo->ndo_vflag)
+			ND_PRINT((ndo,"%04x:%s ", panid, le64addr_string(ndo, p)));
+		p += 8;
+		caplen -= 8;
+		hdrlen += 8;
+		break;
 	}
 
 	if (!ndo->ndo_suppress_default_print)
 		ND_DEFAULTPRINT(p, caplen);
 
-	return 0;
+	return hdrlen;
 }
author	Guy Harris <guy@alum.mit.edu>	2017-02-17 17:43:10 -0800
committer	Denis Ovsienko <denis@ovsienko.info>	2017-09-13 12:25:44 +0100
commit	9be4e0b5938b705e7e36cfcb110a740c6ff0cb97 (patch)
tree	7e8de032b68e960b82a5fcc9edfc36ef0bab7001 /print-802_15_4.c
parent	b1928b44a51455706bcfcce676e5e79571f65ae3 (diff)
download	tcpdump-9be4e0b5938b705e7e36cfcb110a740c6ff0cb97.tar.gz