From b016347e5bb2d189de7e40ae3ceb9897a53b32d8 Mon Sep 17 00:00:00 2001
From: Bill Fenner
Date: Tue, 11 Oct 2022 13:05:55 -0700
Subject: lwres: Fix an undefined behavior in pointer arithmetic

Check for truncation before doing pointer arithmetic to point to the end of the packet.

print-lwres.c:294:10: runtime error: addition of unsigned offset to 0xf3b032be overflowed to 0x9652d560
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior print-lwres.c:294:10

[Part of the PR #1012]
---
 print-lwres.c | 4 +++-
 tests/TESTLIST | 1 +
 tests/lwres-pointer-arithmetic-ub.out | 1 +
 tests/lwres-pointer-arithmetic-ub.pcap | Bin 0 -> 283 bytes
 4 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 tests/lwres-pointer-arithmetic-ub.out
 create mode 100644 tests/lwres-pointer-arithmetic-ub.pcap
diff --git a/print-lwres.c b/print-lwres.c
index f6ed8f3c..b8f9b49a 100644
--- a/print-lwres.c
+++ b/print-lwres.c
@@ -291,7 +291,9 @@ lwres_print(netdissect_options *ndo,
 if (ndo->ndo_vflag || v != LWRES_LWPACKETVERSION_0)
 ND_PRINT(" v%u", v);
 if (v != LWRES_LWPACKETVERSION_0) {
- s = bp + GET_BE_U_4(np->length);
+ uint32_t pkt_len = GET_BE_U_4(np->length);
+ ND_TCHECK_LEN(bp, pkt_len);
+ s = bp + pkt_len;
 goto tail;
 }
diff --git a/tests/TESTLIST b/tests/TESTLIST
index bc23b548..ef0e6f3e 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -927,3 +927,4 @@ pb_nhrp_1 pb_nhrp_1.pcap pb_nhrp_1.out -v
 # Undefined behavior tests
 ip-snmp-leftshift-unsigned ip-snmp-leftshift-unsigned.pcap ip-snmp-leftshift-unsigned.out
 ip6-snmp-oid-unsigned ip6-snmp-oid-unsigned.pcap ip6-snmp-oid-unsigned.out
+lwres-pointer-arithmetic-ub lwres-pointer-arithmetic-ub.pcap lwres-pointer-arithmetic-ub.out
diff --git a/tests/lwres-pointer-arithmetic-ub.out b/tests/lwres-pointer-arithmetic-ub.out
new file mode 100644
index 00000000..f4953f4b
--- /dev/null
+++ b/tests/lwres-pointer-arithmetic-ub.out
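Review bot: `ND_TCHECK_LEN(bp, pkt_len)` only establishes that the new end pointer lies inside the captured data; it still accepts a `pkt_len` shorter than the lwres header already read through `np`, in which case `s = bp + pkt_len` points back into that header before `goto tail`. Whether `tail:` tolerates `s` sitting behind the current parse position is decided outside this hunk (lwres_print starts before and continues after it), so either confirm that or reject such lengths alongside the new check with `if (pkt_len < sizeof(*np)) goto trunc;`. A short why-comment would also help, since a bounds check on a pointer that is never dereferenced here looks redundant at first glance: `/* Validate the attacker-controlled length before forming bp + length: an out-of-range pointer is UB even if it is never dereferenced (UBSan caught this). */`. I read the `[|lwres]` in the new expected output as the truncation path ND_TCHECK_LEN takes, so the `trunc` label presumably exists in this function; worth confirming since it is not visible in the hunk.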
@@ -0,0 +1 @@
+ 1 14:31:29.364332 IP6 fe80:0:10ff:15:1800:1a00:0:100.921 > a00:300:115:1800:1a00:f4:100:a00.0: lwres v41634 [|lwres]
diff --git a/tests/lwres-pointer-arithmetic-ub.pcap b/tests/lwres-pointer-arithmetic-ub.pcap
new file mode 100644
index 00000000..095fcbcb
Binary files /dev/null and b/tests/lwres-pointer-arithmetic-ub.pcap differ
--
cgit v1.2.1