-
Notifications
You must be signed in to change notification settings - Fork 845
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ubsan fixes for various tcpdump printers #1012
Open
fenner
wants to merge
5
commits into
the-tcpdump-group:master
Choose a base branch
from
fenner:fenner-ubsan-fixes
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
5 commits
Select commit
Hold shift + click to select a range
3ffcbd8
Bgp: Fix an undefined behavior when it tries to parse a too-short packet
fenner fb52e16
ISO: avoid undefined behavior and integer overflow in the fletcher ch…
fenner a0cf025
snmp: avoid two undefined behaviors
fenner 2586d0a
lwres: avoid undefined behavior in pointer arithmetic
fenner a8dd632
OSPF6: Eliminate undefined behavior
fenner File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,227 @@ | ||
1 13:29:37.678220 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 4748) | ||
127.0.0.1.540 > 127.0.0.1.179: Flags [S], cksum 0xf1a8 (correct), seq 0:4708, win 8192, length 4708: BGP [|bgp] | ||
Update Message (2), length: 154 | ||
Origin (1), length: 1, Flags [T]: Incomplete | ||
AS Path (2), length: 0, Flags [T]: empty | ||
Multi Exit Discriminator (4), length: 4, Flags [O]: 0 | ||
Local Preference (5), length: 4, Flags [T]: 4456548 | ||
Extended Community (16), length: 8, Flags [OT]: | ||
target (0x0002), Flags [none]: 18826:630 (= 0.0.2.118) | ||
Cluster List (10), length: 4, Flags [O]: 172.17.0.0 | ||
Originator ID (9), length: 4, Flags [O]: 172.17.0.5 | ||
Multi-Protocol Reach NLRI (14), length: 81, Flags [OE]: | ||
AFI: IPv4 (1), SAFI: labeled VPN Unicast (128) | ||
nexthop: RD: 0:0 (= 0.0.0.0), 172.145.0.5, nh-length: 12, no SNPA | ||
RD: 18826:630 (= 0.0.2.118), 172.17.30.208/28, label:1027 (bottom) | ||
RD: 18826:630 (= 0.0.2.118), 172.17.30.224/28, label:1027 (bottom) | ||
(illegal prefix length) | ||
Update Message (2), length: 105 | ||
Origin (1), length: 1, Flags [T]: Incomplete | ||
AS Path (2), length: 0, Flags [T]: empty | ||
Multi Exit Discriminator (4), length: 4, Flags [O]: 0 | ||
Local Preference (5), length: 4, Flags [T]: 100 | ||
Extended Community (16), length: 8, Flags [OT]: | ||
target (0x0002), Flags [none]: 18826:620 (= 0.0.2.108) | ||
Cluster List (10), length: 37, Flags [O]: invalid len | ||
Unknown Attribute (73), length: 138 [path attrs too short] | ||
Update Message (2), length: 154 | ||
Origin (1), length: 1, Flags [T]: Incomplete | ||
AS Path (2), length: 0, Flags [T]: empty | ||
Multi Exit Discriminator (4), length: 4, Flags [O]: 0 | ||
Local Preference (5), length: 4, Flags [T]: 100 | ||
Extended Community (16), length: 8, Flags [OT]: | ||
target (0x0002), Flags [none]: 18826:640 (= 0.0.2.128) | ||
Cluster List (10), length: 4, Flags [O]: 172.17.0.0 | ||
Originator ID (9), length: 4, Flags [O]: 172.17.0.5 | ||
Multi-Protocol Reach NLRI (14), length: 81, Flags [OE]: | ||
AFI: IPv4 (1), SAFI: labeled VPN Unicast (128) | ||
nexthop: RD: 0:0 (= 0.0.0.0), 172.17.0.5, nh-length: 12, no SNPA | ||
RD: 18826:640 (= 0.0.2.128), 172.17.33.64/28, label:1028 (bottom) | ||
RD: 18826:640 (= 0.0.2.128), 172.17.33.80/28, label:1028 (bottom) | ||
RD: 18826:640 (= 0.0.2.128), 172.84.34.0/28, label:132100 (bottom) | ||
RD: 18826:549 (= 0.0.2.37), 0.17.34.16/28, label:1028 (bottom) | ||
Update Message (2), length: 202 | ||
Withdrawn routes: | ||
0.0.0.0/0 | ||
(illegal prefix length) [|bgp] [|bgp] | ||
Update Message (2), length: 106 | ||
Origin (1), length: 1, Flags [T]: Incomplete | ||
AS Path (2), length: 0, Flags [T]: empty | ||
Attribute Set (128), length: 3, Flags [O]: [|bgp] [|bgp] | ||
Update Message (2), length: 172 | ||
Origin (1), length: 1, Flags [T]: Incomplete | ||
AS Path (2), length: 4, Flags [T]: 64520 | ||
Multi Exit Discriminator (4), length: 4, Flags [O]: 131 | ||
Unknown Attribute (113), length: 16, Flags [T]: | ||
no Attribute 113 decoder | ||
0x0000: ffff ffff ffff ffff ffff ffff ffff ffff | ||
Unknown Attribute (75), length: 2 | ||
no Attribute 75 decoder | ||
0x0000: 0000 | ||
Unknown Attribute (47), length: 64 | ||
no Attribute 47 decoder | ||
0x0000: 0101 0040 0206 0201 0001 0000 4003 04c0 | ||
0x0010: 0002 02c0 2018 0001 0000 0000 0001 0000 | ||
0x0020: 0001 0001 0000 0000 0001 0000 0002 20cb | ||
0x0030: 0071 0cff ffff ffff ffff ffff ffff ffff | ||
Reserved for development (255), length: 65280, Flags [OTPE+f]: [path attrs too short] [|bgp] | ||
Update Message (2), length: 75 | ||
Origin (1), length: 1, Flags [T]: IGP | ||
AS Path (2), length: 6, Flags [T]: 65536 | ||
Next Hop (3), length: 4, Flags [T]: 192.0.2.2 | ||
Large Community (32), length: 24, Flags [OT]: | ||
65536:0:1, 65536:1:0 | ||
Updated routes: | ||
203.0.113.15/32 | ||
Update Message (2), length: 87 | ||
Origin (1), length: 1, Flags [T]: IGP | ||
AS Path (2), length: 6, Flags [T]: 65536 | ||
Next Hop (3), length: 4, Flags [T]: 5.12.0.0 | ||
Unknown Attribute (100), length: 192, Flags [+1]: [path attrs too short] | ||
Updated routes: | ||
0.0.0.0/0 | ||
(illegal prefix length) [|bgp] | ||
Update Message (2), length: 105 | ||
Origin (1), length: 1, Flags [T]: Incomplete | ||
AS Path (2), length: 0, Flags [T]: empty | ||
Multi Exit Discriminator (4), length: 4, Flags [O]: 0 | ||
Local Preference (5), length: 4, Flags [T]: 100 | ||
Extended Community (16), length: 8, Flags [OT]: | ||
target (0x0002), Flags [none]: 18826:620 (= 0.0.2.108) | ||
Cluster List (10), length: 37, Flags [O]: invalid len | ||
Unknown Attribute (73), length: 138 [path attrs too short] | ||
Update Message (2), length: 154 | ||
Origin (1), length: 1, Flags [T]: Incomplete | ||
AS Path (2), length: 0, Flags [T]: empty | ||
Multi Exit Discriminator (4), length: 4, Flags [O]: 0 | ||
Local Preference (5), length: 4, Flags [T]: 100 | ||
Extended Community (16), length: 8, Flags [OT]: | ||
target (0x0002), Flags [none]: 18826:640 (= 0.0.2.128) | ||
Cluster List (10), length: 4, Flags [O]: 172.17.0.0 | ||
Originator ID (9), length: 4, Flags [O]: 172.17.0.5 | ||
Multi-Protocol Reach NLRI (14), length: 81, Flags [OE]: | ||
AFI: IPv4 (1), SAFI: labeled VPN Unicast (128) | ||
nexthop: RD: 0:0 (= 0.0.0.0), 172.17.0.5, nh-length: 12, no SNPA | ||
RD: 18826:640 (= 0.0.2.128), 172.17.33.64/28, label:1028 (bottom) | ||
RD: 18826:640 (= 0.0.2.128), 172.17.33.80/28, label:1028 (bottom) | ||
RD: 18826:640 (= 0.0.2.128), 172.84.34.0/28, label:132100 (bottom) | ||
RD: 18826:549 (= 0.0.2.37), 0.17.34.16/28, label:1028 (bottom) | ||
Update Message (2), length: 202 | ||
Withdrawn routes: | ||
0.0.0.0/0 | ||
(illegal prefix length) [|bgp] [|bgp] | ||
Update Message (2), length: 106 | ||
Origin (1), length: 1, Flags [T]: Incomplete | ||
AS Path (2), length: 0, Flags [T]: empty | ||
Attribute Set (128), length: 3, Flags [O]: [|bgp] [|bgp] | ||
Update Message (2), length: 172 | ||
Origin (1), length: 1, Flags [T]: Incomplete | ||
AS Path (2), length: 4, Flags [T]: 64520 | ||
Multi Exit Discriminator (4), length: 4, Flags [O]: 131 | ||
Unknown Attribute (113), length: 16, Flags [T]: | ||
no Attribute 113 decoder | ||
0x0000: ffff ffff ffff ffff ffff ffff ffff ffff | ||
Unknown Attribute (75), length: 2 | ||
no Attribute 75 decoder | ||
0x0000: 0000 | ||
Unknown Attribute (47), length: 64 | ||
no Attribute 47 decoder | ||
0x0000: 0101 0040 0206 0201 0001 0000 4003 04c0 | ||
0x0010: 0002 02c0 2018 0001 0000 0000 0001 0000 | ||
0x0020: 0001 0001 0000 0000 0001 0000 0002 20cb | ||
0x0030: 0071 0cff ffff ffff ffff ffff ffff ffff | ||
Reserved for development (255), length: 65280, Flags [OTPE+f]: [path attrs too short] [|bgp] | ||
Update Message (2), length: 75 | ||
Origin (1), length: 1, Flags [T]: IGP | ||
AS Path (2), length: 6, Flags [T]: 65536 | ||
Next Hop (3), length: 4, Flags [T]: 192.0.2.2 | ||
Large Community (32), length: 24, Flags [OT]: | ||
65536:0:1, 65536:1:0 | ||
Updated routes: | ||
203.0.113.15/32 | ||
Update Message (2), length: 87 | ||
Origin (1), length: 1, Flags [T]: IGP | ||
AS Path (2), length: 6, Flags [T]: 65536 | ||
Next Hop (3), length: 4, Flags [T]: 5.12.0.0 | ||
Unknown Attribute (100), length: 192, Flags [+1]: [path attrs too short] | ||
Updated routes: | ||
0.0.0.0/0 | ||
(illegal prefix length) [|bgp] | ||
Update Message (2), length: 106 | ||
Origin (1), length: 1, Flags [T]: Incomplete | ||
AS Path (2), length: 0, Flags [T]: empty | ||
Multi Exit Discriminator (4), length: 4, Flags [O]: 0 | ||
Local Preference (5), length: 4, Flags [T]: 100 | ||
Extended Community (16), length: 8, Flags [OT]: | ||
target (0x0002), Flags [none]: 18826:610 (= 0.0.2.98) | ||
Cluster List (10), length: 40, Flags [O]: 24.120.4.0, 0.0.0.41, 24.120.4.1, 64.15.19.0, 1.1.0.0, 2.188.24.32, 45.0.0.0, 2.189.24.32, 45.1.64.14, 61.0.2.1 | ||
Large Community (32), length: 0, Flags [E]: invalid len | ||
Unknown Attribute (21), length: 24 [path attrs too short] [|bgp] | ||
Update Message (2), length: 100 | ||
Unknown Attribute (0), length: 0 | ||
no Attribute 0 decoder | ||
Reserved for development (255), length: 255 [path attrs too short] [|bgp] | ||
Update Message (2), length: 95 | ||
Origin (1), length: 1, Flags [T]: IGP | ||
AS Path (2), length: 0, Flags [T]: empty | ||
Local Preference (5), length: 4, Flags [T]: 100 | ||
Extended Community (16), length: 8, Flags [OT]: | ||
target (0x0002), Flags [none]: 1:1 (= 0.0.0.1) | ||
PMSI Tunnel (22), length: 17, Flags [OT]: | ||
Tunnel-type RSVP-TE P2MP LSP (1), Flags [none], MPLS Label 0 | ||
Extended-Tunnel-ID 10.0.0.4, P2MP-ID 0x00008173 | ||
Multi-Protocol Reach NLRI (14), length: 23, Flags [OE]: | ||
AFI: IPv4 (1), SAFI: Multicast VPN (5) | ||
nexthop: 10.0.0.4, nh-length: 4 | ||
8 SNPA | ||
1 bytes | ||
0 bytes | ||
0 bytes | ||
0 bytes | ||
1 bytes | ||
0 bytes | ||
1 bytes | ||
0 bytes | ||
Route-Type: Unknown (181), length: 0 [|bgp] [|bgp] | ||
Update Message (2), length: 106 | ||
Origin (1), length: 1, Flags [T]: Incomplete | ||
AS Path (2), length: 0, Flags [T]: empty | ||
Multi Exit Discriminator (4), length: 4, Flags [O]: 0 | ||
Local Preference (5), length: 4, Flags [T]: 100 | ||
Extended Community (16), length: 8, Flags [OT]: | ||
target (0x0002), Flags [none]: 18826:610 (= 0.0.2.98) | ||
Cluster List (10), length: 40, Flags [O]: 24.120.4.0, 0.0.0.41, 24.120.4.1, 64.15.19.0, 1.1.0.0, 2.188.24.32, 45.0.0.0, 2.189.24.32, 45.1.64.14, 61.0.2.1 | ||
Large Community (32), length: 0, Flags [E]: invalid len | ||
Unknown Attribute (21), length: 24 [path attrs too short] [|bgp] | ||
Update Message (2), length: 100 | ||
Unknown Attribute (0), length: 0 | ||
no Attribute 0 decoder | ||
Reserved for development (255), length: 255 [path attrs too short] [|bgp] | ||
Update Message (2), length: 95 | ||
Origin (1), length: 1, Flags [T]: IGP | ||
AS Path (2), length: 0, Flags [T]: empty | ||
Local Preference (5), length: 4, Flags [T]: 100 | ||
Extended Community (16), length: 8, Flags [OT]: | ||
target (0x0002), Flags [none]: 1:1 (= 0.0.0.1) | ||
PMSI Tunnel (22), length: 17, Flags [OT]: | ||
Tunnel-type RSVP-TE P2MP LSP (1), Flags [none], MPLS Label 0 | ||
Extended-Tunnel-ID 10.0.0.4, P2MP-ID 0x00008173 | ||
Multi-Protocol Reach NLRI (14), length: 23, Flags [OE]: | ||
AFI: IPv4 (1), SAFI: Multicast VPN (5) | ||
nexthop: 10.0.0.4, nh-length: 4 | ||
8 SNPA | ||
1 bytes | ||
0 bytes | ||
0 bytes | ||
0 bytes | ||
1 bytes | ||
0 bytes | ||
0 bytes | ||
1 bytes | ||
Route-Type: Unknown (0), length: 0 | ||
Route-Type: Intra-AS Segment-Leaf (4), length: 255 | ||
Update Message (2), length: 30 | ||
Multi-Protocol Unreach NLRI (15), length: 3, Flags [OE]: | ||
AFI: IPv4 (1), SAFI: labeled VPN Unicast (128) | ||
End-of-Rib Marker (empty NLRI) | ||
[|BGP Unknown Message Type] |
Binary file not shown.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's perhaps more an "invalid" length case than a "truncated" case ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My thinking is "this TLV doesn't have enough data to contain the header of the TLV, so, the TLV itself is truncated".
All 3 callers of
ospf6_print_lshdr()
useif (ospf6_print_lshdr(...)) return(1);
. From a skim, I don't see a reason for any of them to distinguish between "truncated" and "invalid in this specific way".There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The notion of truncation may have evolved over the years, but currently a truncation occurs when we try to get len bytes in the packet buffer and we can't.
(checks via GET_*, ND_TTEST_*, ND_TCHECK_*, etc. macros). For ND_TCHECK_* macros, if ND_LONGJMP_FROM_TCHECK is defined for a printer, a
longjmp
occurs, no moregoto trunc
(Printers "Modernized" for the 5.0.0 release, remain 34 to do.)The macros for testing invalid length cases are the ND_ICHECK*, with a
goto invalid
.If we add in line 396 the following command, we get the value 470, with the test file
ospf-signed-integer-ubsan.pcap
:ND_PRINT("[[%u]]", ND_BYTES_AVAILABLE_AFTER(lshp->ls_length));
Thus there is no truncation here.
Tshark says also the packet is
malformed
(like ourinvalid
.), not[Packet size limited during capture: XXX truncated]
:Perhaps this change should be updated after a modernization of print-ospf6.c.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps. I'm not prepared to make a major rework as a prerequisite for my contribution, so if it's better to have undefined behavior than to print an incorrect truncation message, great, feel free to discard my changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the proposed change makes the code safer, perhaps we could address any cosmetic issues after merging.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My first idea was to hold the change waiting the modernization of print-ospf6.c, but as Denis says we can do the fix as a temporary change. I will commit this part. Thanks for your work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you. Undefined behavior does not necessarily lead to incorrect behavior, but, if you enable undefined behavior detection in your fuzzing environment, having undefined behavior can cause so much noise that it can prevent you from discovering real problems via fuzzing.