diff options
author | Tobias Klauser <tklauser@distanz.ch> | 2013-06-13 17:20:18 +0200 |
---|---|---|
committer | Tobias Klauser <tklauser@distanz.ch> | 2013-06-13 17:20:18 +0200 |
commit | 8b8244232220aef30417b8bc712e45542f5504db (patch) | |
tree | 61695b30a446fe47c9ffd2e11eae10b5036a2cf6 | |
parent | 0cc5ca825656dbb2dc91fb130924abe66c97b254 (diff) |
dissector: icmpv6: Fix possible null pointer dereferences
The Coverity scanner found several possible null pointer dereferences in
the ICMPv6 dissector. These are all related to not checking the return
value of pkt_pull(). Sometimes pkt_pull(()) is called iteratively based
on a length value in the encountered packet, so this could possibly be
hit in case an invalid packet is crafted accordingly.
Fix all by checking the return value of pkt_pull() consistently.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
-rw-r--r-- | proto_icmpv6.c | 64 |
1 files changed, 56 insertions, 8 deletions
diff --git a/proto_icmpv6.c b/proto_icmpv6.c index 6b2d826..6eb7ae0 100644 --- a/proto_icmpv6.c +++ b/proto_icmpv6.c @@ -354,7 +354,15 @@ static int8_t dissect_icmpv6_mcast_rec(struct pkt_buff *pkt, tprintf(", Aux Data: "); while (aux_data_len_bytes--) { - tprintf("%x", *pkt_pull(pkt,1)); + uint8_t *data = pkt_pull(pkt, 1); + + if (data == NULL) { + tprintf("%sINVALID%s", colorize_start_full(black, red), + colorize_end()); + return 0; + } + + tprintf("%x", *data); } } @@ -376,8 +384,16 @@ static int8_t dissect_neighb_disc_ops_1(struct pkt_buff *pkt, tprintf("Address 0x"); - while(len--){ - tprintf("%x", *pkt_pull(pkt,1)); + while (len--) { + uint8_t *data = pkt_pull(pkt, 1); + + if (data == NULL) { + tprintf("%sINVALID%s", colorize_start_full(black, red), + colorize_end()); + return 0; + } + + tprintf("%x", *data); } return 1; @@ -438,7 +454,15 @@ static int8_t dissect_neighb_disc_ops_4(struct pkt_buff *pkt, tprintf("IP header + data "); while (len--) { - tprintf("%x", *pkt_pull(pkt,1)); + uint8_t *data = pkt_pull(pkt, 1); + + if (data == NULL) { + tprintf("%sINVALID%s", colorize_start_full(black, red), + colorize_end()); + return 0; + } + + tprintf("%x", *data); } return 1; @@ -570,7 +594,15 @@ static int8_t dissect_neighb_disc_ops_16(struct pkt_buff *pkt, tprintf("Certificate + Padding ("); while (len--) { - tprintf("%x", *pkt_pull(pkt,1)); + uint8_t *data = pkt_pull(pkt, 1); + + if (data == NULL) { + tprintf("%sINVALID%s", colorize_start_full(black, red), + colorize_end()); + break; + } + + tprintf("%x", *data); } tprintf(") "); @@ -645,7 +677,15 @@ static int8_t dissect_neighb_disc_ops_17(struct pkt_buff *pkt, tprintf("%s (", colorize_start_full(black, red) "Error Wrong Length. Skip Option" colorize_end()); while (len--) { - tprintf("%x", *pkt_pull(pkt,1)); + uint8_t *data = pkt_pull(pkt, 1); + + if (data == NULL) { + tprintf("%sINVALID%s", colorize_start_full(black, red), + colorize_end()); + break; + } + + tprintf("%x", *data); } tprintf(") "); } @@ -689,8 +729,16 @@ static int8_t dissect_neighb_disc_ops_19(struct pkt_buff *pkt, icmp_neighb_disc_19->opt_code); tprintf("LLA ("); - while(len--){ - tprintf("%x", *pkt_pull(pkt,1)); + while(len--) { + uint8_t *data = pkt_pull(pkt, 1); + + if (data == NULL) { + tprintf("%sINVALID%s", colorize_start_full(black, red), + colorize_end()); + return 0; + } + + tprintf("%x", *data); } tprintf(") "); |