mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-13 10:02:38 +00:00
3340d77368
It fixes many buffer overflow in different protocol parsers, but none of them are critical, even in absense of Capsicum. Security: CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925 Security: CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929 Security: CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933 Security: CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937 Security: CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973 Security: CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984 Security: CVE-2016-7985, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993 Security: CVE-2016-8574, CVE-2016-8575, CVE-2017-5202, CVE-2017-5203 Security: CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342 Security: CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485 Security: CVE-2017-5486
221 lines
7.5 KiB
C
221 lines
7.5 KiB
C
/*
|
|
* Copyright (c) 2013 The TCPDUMP project
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
|
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
|
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
|
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
|
|
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
/* \summary: ZeroMQ Message Transport Protocol (ZMTP) printer */
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
#include "config.h"
|
|
#endif
|
|
|
|
#include <netdissect-stdinc.h>
|
|
|
|
#include "netdissect.h"
|
|
#include "extract.h"
|
|
|
|
static const char tstr[] = " [|zmtp1]";
|
|
|
|
/* Maximum number of ZMTP/1.0 frame body bytes (without the flags) to dump in
|
|
* hex and ASCII under a single "-v" flag.
|
|
*/
|
|
#define VBYTES 128
|
|
|
|
/*
|
|
* Below is an excerpt from the "13/ZMTP" specification:
|
|
*
|
|
* A ZMTP message consists of 1 or more frames.
|
|
*
|
|
* A ZMTP frame consists of a length, followed by a flags field and a frame
|
|
* body of (length - 1) octets. Note: the length includes the flags field, so
|
|
* an empty frame has a length of 1.
|
|
*
|
|
* For frames with a length of 1 to 254 octets, the length SHOULD BE encoded
|
|
* as a single octet. The minimum valid length of a frame is 1 octet, thus a
|
|
* length of 0 is invalid and such frames SHOULD be discarded silently.
|
|
*
|
|
* For frames with lengths of 255 and greater, the length SHALL BE encoded as
|
|
* a single octet with the value 255, followed by the length encoded as a
|
|
* 64-bit unsigned integer in network byte order. For frames with lengths of
|
|
* 1 to 254 octets this encoding MAY be also used.
|
|
*
|
|
* The flags field consists of a single octet containing various control
|
|
* flags. Bit 0 is the least significant bit.
|
|
*
|
|
* - Bit 0 (MORE): More frames to follow. A value of 0 indicates that there
|
|
* are no more frames to follow. A value of 1 indicates that more frames
|
|
* will follow. On messages consisting of a single frame the MORE flag MUST
|
|
* be 0.
|
|
*
|
|
* - Bits 1-7: Reserved. Bits 1-7 are reserved for future use and SHOULD be
|
|
* zero.
|
|
*/
|
|
|
|
static const u_char *
|
|
zmtp1_print_frame(netdissect_options *ndo, const u_char *cp, const u_char *ep)
|
|
{
|
|
uint64_t body_len_declared, body_len_captured, header_len;
|
|
uint8_t flags;
|
|
|
|
ND_PRINT((ndo, "\n\t"));
|
|
ND_TCHECK2(*cp, 1); /* length/0xFF */
|
|
|
|
if (cp[0] != 0xFF) {
|
|
header_len = 1; /* length */
|
|
body_len_declared = cp[0];
|
|
ND_PRINT((ndo, " frame flags+body (8-bit) length %" PRIu64, body_len_declared));
|
|
} else {
|
|
header_len = 1 + 8; /* 0xFF, length */
|
|
ND_PRINT((ndo, " frame flags+body (64-bit) length"));
|
|
ND_TCHECK2(*cp, header_len); /* 0xFF, length */
|
|
body_len_declared = EXTRACT_64BITS(cp + 1);
|
|
ND_PRINT((ndo, " %" PRIu64, body_len_declared));
|
|
}
|
|
if (body_len_declared == 0)
|
|
return cp + header_len; /* skip to the next frame */
|
|
ND_TCHECK2(*cp, header_len + 1); /* ..., flags */
|
|
flags = cp[header_len];
|
|
|
|
body_len_captured = ep - cp - header_len;
|
|
if (body_len_declared > body_len_captured)
|
|
ND_PRINT((ndo, " (%" PRIu64 " captured)", body_len_captured));
|
|
ND_PRINT((ndo, ", flags 0x%02x", flags));
|
|
|
|
if (ndo->ndo_vflag) {
|
|
uint64_t body_len_printed = min(body_len_captured, body_len_declared);
|
|
|
|
ND_PRINT((ndo, " (%s|%s|%s|%s|%s|%s|%s|%s)",
|
|
flags & 0x80 ? "MBZ" : "-",
|
|
flags & 0x40 ? "MBZ" : "-",
|
|
flags & 0x20 ? "MBZ" : "-",
|
|
flags & 0x10 ? "MBZ" : "-",
|
|
flags & 0x08 ? "MBZ" : "-",
|
|
flags & 0x04 ? "MBZ" : "-",
|
|
flags & 0x02 ? "MBZ" : "-",
|
|
flags & 0x01 ? "MORE" : "-"));
|
|
|
|
if (ndo->ndo_vflag == 1)
|
|
body_len_printed = min(VBYTES + 1, body_len_printed);
|
|
if (body_len_printed > 1) {
|
|
ND_PRINT((ndo, ", first %" PRIu64 " byte(s) of body:", body_len_printed - 1));
|
|
hex_and_ascii_print(ndo, "\n\t ", cp + header_len + 1, body_len_printed - 1);
|
|
ND_PRINT((ndo, "\n"));
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Do not advance cp by the sum of header_len and body_len_declared
|
|
* before each offset has successfully passed ND_TCHECK2() as the
|
|
* sum can roll over (9 + 0xfffffffffffffff7 = 0) and cause an
|
|
* infinite loop.
|
|
*/
|
|
cp += header_len;
|
|
ND_TCHECK2(*cp, body_len_declared); /* Next frame within the buffer ? */
|
|
return cp + body_len_declared;
|
|
|
|
trunc:
|
|
ND_PRINT((ndo, "%s", tstr));
|
|
return ep;
|
|
}
|
|
|
|
void
|
|
zmtp1_print(netdissect_options *ndo, const u_char *cp, u_int len)
|
|
{
|
|
const u_char *ep = min(ndo->ndo_snapend, cp + len);
|
|
|
|
ND_PRINT((ndo, ": ZMTP/1.0"));
|
|
while (cp < ep)
|
|
cp = zmtp1_print_frame(ndo, cp, ep);
|
|
}
|
|
|
|
/* The functions below decode a ZeroMQ datagram, supposedly stored in the "Data"
|
|
* field of an ODATA/RDATA [E]PGM packet. An excerpt from zmq_pgm(7) man page
|
|
* follows.
|
|
*
|
|
* In order for late joining consumers to be able to identify message
|
|
* boundaries, each PGM datagram payload starts with a 16-bit unsigned integer
|
|
* in network byte order specifying either the offset of the first message frame
|
|
* in the datagram or containing the value 0xFFFF if the datagram contains
|
|
* solely an intermediate part of a larger message.
|
|
*
|
|
* Note that offset specifies where the first message begins rather than the
|
|
* first message part. Thus, if there are trailing message parts at the
|
|
* beginning of the packet the offset ignores them and points to first initial
|
|
* message part in the packet.
|
|
*/
|
|
|
|
static const u_char *
|
|
zmtp1_print_intermediate_part(netdissect_options *ndo, const u_char *cp, const u_int len)
|
|
{
|
|
u_int frame_offset;
|
|
uint64_t remaining_len;
|
|
|
|
ND_TCHECK2(*cp, 2);
|
|
frame_offset = EXTRACT_16BITS(cp);
|
|
ND_PRINT((ndo, "\n\t frame offset 0x%04x", frame_offset));
|
|
cp += 2;
|
|
remaining_len = ndo->ndo_snapend - cp; /* without the frame length */
|
|
|
|
if (frame_offset == 0xFFFF)
|
|
frame_offset = len - 2; /* always within the declared length */
|
|
else if (2 + frame_offset > len) {
|
|
ND_PRINT((ndo, " (exceeds datagram declared length)"));
|
|
goto trunc;
|
|
}
|
|
|
|
/* offset within declared length of the datagram */
|
|
if (frame_offset) {
|
|
ND_PRINT((ndo, "\n\t frame intermediate part, %u bytes", frame_offset));
|
|
if (frame_offset > remaining_len)
|
|
ND_PRINT((ndo, " (%"PRIu64" captured)", remaining_len));
|
|
if (ndo->ndo_vflag) {
|
|
uint64_t len_printed = min(frame_offset, remaining_len);
|
|
|
|
if (ndo->ndo_vflag == 1)
|
|
len_printed = min(VBYTES, len_printed);
|
|
if (len_printed > 1) {
|
|
ND_PRINT((ndo, ", first %"PRIu64" byte(s):", len_printed));
|
|
hex_and_ascii_print(ndo, "\n\t ", cp, len_printed);
|
|
ND_PRINT((ndo, "\n"));
|
|
}
|
|
}
|
|
}
|
|
return cp + frame_offset;
|
|
|
|
trunc:
|
|
ND_PRINT((ndo, "%s", tstr));
|
|
return cp + len;
|
|
}
|
|
|
|
void
|
|
zmtp1_print_datagram(netdissect_options *ndo, const u_char *cp, const u_int len)
|
|
{
|
|
const u_char *ep = min(ndo->ndo_snapend, cp + len);
|
|
|
|
cp = zmtp1_print_intermediate_part(ndo, cp, len);
|
|
while (cp < ep)
|
|
cp = zmtp1_print_frame(ndo, cp, ep);
|
|
}
|