authorGuy Harris <guy@alum.mit.edu>2015-07-03 15:54:14 -0700
committerFrancois-Xavier Le Bail <fx.lebail@yahoo.com>2017-01-18 09:16:36 +0100
commit6bc44295cfbe1f7b6633c755841518f4b159aa8a (patch)
tree859fda193d4664cfce2892e3c3c219847ada789b /print-llc.c
parent237efcf593ee369519e9dfdc9166702219dabfec (diff)
CVE-2016-7985,7986/Change the way protocols print link-layer addresses.
If a protocol that runs under a link-layer protocol would print the link-layer addresses for the packet as source and destination addresses for the packet, don't have it blithely assume those link-layer addresses are present or are at a particular offset from the beginning of that protocol's data; Ethertypes, for example, are used by a number of protocols, not all of which have Ethernet headers and not all of which have any MAC headers. Instead, pass the printers for those protocols structures with a pointer to the address data and a pointer to a routine that prints the address. Fixes some heap overflows found with American Fuzzy Lop by Hanno Böck.
Diffstat (limited to 'print-llc.c')
-rw-r--r--print-llc.c31
1 files changed, 16 insertions, 15 deletions
diff --git a/print-llc.c b/print-llc.c
index 99d74c11..bca9b502 100644
--- a/print-llc.c
+++ b/print-llc.c
@@ -148,7 +148,7 @@ static const struct oui_tok oui_to_tok[] = {
*/
int
llc_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen,
- const u_char *esrc, const u_char *edst)
+ const struct lladdr_info *src, const struct lladdr_info *dst)
{
uint8_t dsap_field, dsap, ssap_field, ssap;
uint16_t control;
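Review bot: The new `src` and `dst` parameters of `llc_print` have no documented contract, and the comment block that closes just above the function (it starts outside this hunk) is the natural place for one. The body treats NULL as "no link-layer addresses available" and otherwise calls through `addr_string` with `addr`, so I would add `* src and dst may be NULL when the caller has no link-layer addresses; otherwise addr must point at address bytes the caller has already bounds-checked.` The second half of that sentence is inferred from the commit message, not from code visible here, so confirm it against the callers. The same wording applies to `snap_print`, whose signature changes in a later hunk.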
@@ -262,7 +262,7 @@ llc_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen,
* Does anybody ever bridge one form of LAN traffic
* over a networking type that uses 802.2 LLC?
*/
- if (!snap_print(ndo, p, length, caplen, esrc, edst, 2)) {
+ if (!snap_print(ndo, p, length, caplen, src, dst, 2)) {
/*
* Unknown packet type; tell our caller, by
* returning a negative value, so they
@@ -330,23 +330,23 @@ llc_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen,
if (!ndo->ndo_eflag) {
if (ssap == dsap) {
- if (esrc == NULL || edst == NULL)
+ if (src == NULL || dst == NULL)
ND_PRINT((ndo, "%s ", tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)));
else
ND_PRINT((ndo, "%s > %s %s ",
- etheraddr_string(ndo, esrc),
- etheraddr_string(ndo, edst),
+ (src->addr_string)(ndo, src->addr),
+ (dst->addr_string)(ndo, dst->addr),
tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)));
} else {
- if (esrc == NULL || edst == NULL)
+ if (src == NULL || dst == NULL)
ND_PRINT((ndo, "%s > %s ",
tok2str(llc_values, "Unknown SSAP 0x%02x", ssap),
tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)));
else
ND_PRINT((ndo, "%s %s > %s %s ",
- etheraddr_string(ndo, esrc),
+ (src->addr_string)(ndo, src->addr),
tok2str(llc_values, "Unknown SSAP 0x%02x", ssap),
- etheraddr_string(ndo, edst),
+ (dst->addr_string)(ndo, dst->addr),
tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)));
}
}
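Review bot: The guards `if (src == NULL || dst == NULL)` cover only the struct pointers, while the calls `(src->addr_string)(ndo, src->addr)` and `(dst->addr_string)(ndo, dst->addr)` use both members unconditionally. `struct lladdr_info` is defined outside this diff, so if any caller can pass a partially filled structure this becomes a call through a NULL function pointer, or a fixed-length read from an unset `addr`. Either state in a comment that both members are always set by the caller, or extend the test, e.g. `if (src == NULL || dst == NULL || src->addr_string == NULL || dst->addr_string == NULL)`. The same pattern appears in the final hunk under `if (src != NULL && dst != NULL)` in `snap_print`.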
@@ -399,7 +399,8 @@ oui_to_struct_tok(uint32_t orgcode)
int
snap_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen,
- const u_char *esrc, const u_char *edst, u_int bridge_pad)
+ const struct lladdr_info *src, const struct lladdr_info *dst,
+ u_int bridge_pad)
{
uint32_t orgcode;
register u_short et;
@@ -437,7 +438,7 @@ snap_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen,
* Cisco hardware; the protocol ID is
* an Ethernet protocol type.
*/
- ret = ethertype_print(ndo, et, p, length, caplen);
+ ret = ethertype_print(ndo, et, p, length, caplen, src, dst);
if (ret)
return (ret);
break;
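Review bot: `src` and `dst` are passed to `ethertype_print` here without a NULL test, although `snap_print` itself accepts NULL for both, as the `src != NULL && dst != NULL` test later in the function shows. `ethertype_print` is not part of this file's diff, so it cannot be confirmed from here that it and the printers it dispatches to check for NULL before using `addr_string`. A comment at the call would record the expectation, for example `/* src and dst may be NULL; ethertype_print must check before use */`. The second `ethertype_print` call in the next hunk has the same exposure.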
@@ -452,7 +453,7 @@ snap_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen,
* but used 0x000000 and an Ethernet
* packet type for AARP packets.
*/
- ret = ethertype_print(ndo, et, p, length, caplen);
+ ret = ethertype_print(ndo, et, p, length, caplen, src, dst);
if (ret)
return (ret);
}
@@ -553,13 +554,13 @@ snap_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen,
}
if (!ndo->ndo_eflag) {
/*
- * Nobody printed the MAC addresses, so print them, if
+ * Nobody printed the link-layer addresses, so print them, if
* we have any.
*/
- if (esrc != NULL && edst != NULL) {
+ if (src != NULL && dst != NULL) {
ND_PRINT((ndo, "%s > %s ",
- etheraddr_string(ndo, esrc),
- etheraddr_string(ndo, edst)));
+ (src->addr_string)(ndo, src->addr),
+ (dst->addr_string)(ndo, dst->addr)));
}
/*
* Print the SNAP header, but if the OUI is 000000, don't