| author | Tobias Klauser <tklauser@distanz.ch> | 2013-06-13 17:20:18 +0200 | 
|---|---|---|
| committer | Tobias Klauser <tklauser@distanz.ch> | 2013-06-13 17:20:18 +0200 | 
| commit | 8b8244232220aef30417b8bc712e45542f5504db (patch) | |
| tree | 61695b30a446fe47c9ffd2e11eae10b5036a2cf6 | |
| parent | 0cc5ca825656dbb2dc91fb130924abe66c97b254 (diff) | |
dissector: icmpv6: Fix possible null pointer dereferences
The Coverity scanner found several possible null pointer dereferences in
the ICMPv6 dissector. These are all related to not checking the return
value of pkt_pull(). Sometimes pkt_pull() is called iteratively based
on a length value in the encountered packet, so this could possibly be
hit in case an invalid packet is crafted accordingly.
Fix all by checking the return value of pkt_pull() consistently.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
| -rw-r--r-- | proto_icmpv6.c | 64 | 
1 files changed, 56 insertions, 8 deletions
|
diff --git a/proto_icmpv6.c b/proto_icmpv6.c
index 6b2d826..6eb7ae0 100644
--- a/proto_icmpv6.c
+++ b/proto_icmpv6.c
@@ -354,7 +354,15 @@ static int8_t dissect_icmpv6_mcast_rec(struct pkt_buff *pkt,
 		tprintf(", Aux Data: ");
 		while (aux_data_len_bytes--) {
-			  tprintf("%x", *pkt_pull(pkt,1));
+			uint8_t *data = pkt_pull(pkt, 1);
+
+			if (data == NULL) {
+				tprintf("%sINVALID%s", colorize_start_full(black, red),
+					colorize_end());
+				return 0;
+			}
+
+			tprintf("%x", *data);
 		}
 	}
@@ -376,8 +384,16 @@ static int8_t dissect_neighb_disc_ops_1(struct pkt_buff *pkt,
 	tprintf("Address 0x");
-	while(len--){
-		    tprintf("%x", *pkt_pull(pkt,1));
+	while (len--) {
+		uint8_t *data = pkt_pull(pkt, 1);
+
+		if (data == NULL) {
+			tprintf("%sINVALID%s", colorize_start_full(black, red),
+				colorize_end());
+			return 0;
+		}
+
+		tprintf("%x", *data);
 	}
 	return 1;
@@ -438,7 +454,15 @@ static int8_t dissect_neighb_disc_ops_4(struct pkt_buff *pkt,
 	tprintf("IP header + data ");
 	while (len--) {
-		    tprintf("%x", *pkt_pull(pkt,1));
+		uint8_t *data = pkt_pull(pkt, 1);
+
+		if (data == NULL) {
+			tprintf("%sINVALID%s", colorize_start_full(black, red),
+				colorize_end());
+			return 0;
+		}
+
+		tprintf("%x", *data);
 	}
 	return 1;
@@ -570,7 +594,15 @@ static int8_t dissect_neighb_disc_ops_16(struct pkt_buff *pkt,
 	tprintf("Certificate + Padding (");
 	while (len--) {
-		    tprintf("%x", *pkt_pull(pkt,1));
+		uint8_t *data = pkt_pull(pkt, 1);
+
+		if (data == NULL) {
+			tprintf("%sINVALID%s", colorize_start_full(black, red),
+				colorize_end());
+			break;
+		}
+
+		tprintf("%x", *data);
 	}
 	tprintf(") ");
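Review bot: The same pull/check/print loop is pasted into dissect_icmpv6_mcast_rec here and again in dissect_neighb_disc_ops_1, _4, _16, _17 and _19, and the copies already differ (two leave the loop with `break`, four with `return 0`). A single static helper that owns the NULL check would leave one place to audit for every length-driven byte dump in this dissector, and callers that want to carry on after a short packet can ignore its return value. The type of `len` is declared outside the hunks, so the parameter type in the sketch is an assumption to confirm, and the helper name is only a suggestion.

```c
static int8_t dissect_hex_bytes(struct pkt_buff *pkt, size_t len)
{
	while (len--) {
		/* … unchanged: pkt_pull(pkt, 1), NULL check printing INVALID and returning 0, tprintf("%x", *data) … */
	}

	return 1;
}

	/* call site in dissect_icmpv6_mcast_rec */
	tprintf(", Aux Data: ");
	if (!dissect_hex_bytes(pkt, aux_data_len_bytes))
		return 0;
```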
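Review bot: In dissect_neighb_disc_ops_1 the new `tprintf("%x", *data);` prints each byte without zero padding, so after the `Address 0x` prefix the byte pair 0x01 0x0a and the single byte 0x1a both appear as `1a`. Someone reading the dissector output cannot recover the address from it. Since the line is being rewritten anyway, `tprintf("%02x", *data);` would make the dump unambiguous; the other five loops in this patch print with the same format.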
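Review bot: On a short packet the loop in dissect_neighb_disc_ops_16 leaves with `break` where the earlier loops in this patch use `return 0`, so the function carries on after printing INVALID; the loop in dissect_neighb_disc_ops_17 does the same. The rest of both functions is outside the hunks, but if they end in `return 1` the caller is told that a truncated option was dissected successfully and may go on to parse further options from an exhausted packet. If the `break` is there only so that the closing `) ` is still printed, `tprintf(") "); return 0;` in place of `break;` keeps the output balanced and reports the failure; otherwise a comment such as `/* truncated option is non-fatal here, keep dissecting */` would record the intent.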
@@ -645,7 +677,15 @@ static int8_t dissect_neighb_disc_ops_17(struct pkt_buff *pkt,
 		    tprintf("%s (", colorize_start_full(black, red)
 			      "Error Wrong Length. Skip Option" colorize_end());
 		    while (len--) {
-				tprintf("%x", *pkt_pull(pkt,1));
+			uint8_t *data = pkt_pull(pkt, 1);
+
+			if (data == NULL) {
+				tprintf("%sINVALID%s", colorize_start_full(black, red),
+					colorize_end());
+				break;
+			}
+
+			tprintf("%x", *data);
 		    }
 		    tprintf(") ");
 	}
@@ -689,8 +729,16 @@ static int8_t dissect_neighb_disc_ops_19(struct pkt_buff *pkt,
 		icmp_neighb_disc_19->opt_code);
 	tprintf("LLA (");
-	while(len--){
-		    tprintf("%x", *pkt_pull(pkt,1));
+	while(len--) {
+		uint8_t *data = pkt_pull(pkt, 1);
+
+		if (data == NULL) {
+			tprintf("%sINVALID%s", colorize_start_full(black, red),
+				colorize_end());
+			return 0;
+		}
+
+		tprintf("%x", *data);
 	}
 	tprintf(") ");
|
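Review bot: The early `return 0` in dissect_neighb_disc_ops_19 skips the `tprintf(") ");` that follows the loop, so on a truncated option the `LLA (` opened just above is never closed. The Certificate and wrong-length loops in this patch break out instead and still print the closing parenthesis. Printing `tprintf(") ");` before `return 0;` would keep the line balanced while still reporting the failure. The rewritten `while(len--) {` also lacks the space after `while` that the other new loops have.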
