From 8b8244232220aef30417b8bc712e45542f5504db Mon Sep 17 00:00:00 2001
From: Tobias Klauser
Date: Thu, 13 Jun 2013 17:20:18 +0200
Subject: dissector: icmpv6: Fix possible null pointer dereferences The Coverity scanner found several possible null pointer dereferences in the ICMPv6 dissector. These are all related to not checking the return value of pkt_pull(). Sometimes pkt_pull(()) is called iteratively based on a length value in the encountered packet, so this could possibly be hit in case an invalid packet is crafted accordingly. Fix all by checking the return value of pkt_pull() consistently.
Signed-off-by: Tobias Klauser
---
 proto_icmpv6.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 56 insertions(+), 8 deletions(-)
diff --git a/proto_icmpv6.c b/proto_icmpv6.c
index 6b2d826..6eb7ae0 100644
--- a/proto_icmpv6.c
+++ b/proto_icmpv6.c
@@ -354,7 +354,15 @@ static int8_t dissect_icmpv6_mcast_rec(struct pkt_buff *pkt,
 tprintf(", Aux Data: ");
 while (aux_data_len_bytes--) {
- tprintf("%x", *pkt_pull(pkt,1));
+ uint8_t *data = pkt_pull(pkt, 1);
+
+ if (data == NULL) {
+ tprintf("%sINVALID%s", colorize_start_full(black, red),
+ colorize_end());
+ return 0;
+ }
+
+ tprintf("%x", *data);
 }
 }
@@ -376,8 +384,16 @@ static int8_t dissect_neighb_disc_ops_1(struct pkt_buff *pkt,
 tprintf("Address 0x");
- while(len--){
- tprintf("%x", *pkt_pull(pkt,1));
+ while (len--) {
+ uint8_t *data = pkt_pull(pkt, 1);
+
+ if (data == NULL) {
+ tprintf("%sINVALID%s", colorize_start_full(black, red),
+ colorize_end());
+ return 0;
+ }
+
+ tprintf("%x", *data);
 }
 return 1;
@@ -438,7 +454,15 @@ static int8_t dissect_neighb_disc_ops_4(struct pkt_buff *pkt,
 tprintf("IP header + data ");
 while (len--) {
- tprintf("%x", *pkt_pull(pkt,1));
+ uint8_t *data = pkt_pull(pkt, 1);
+
+ if (data == NULL) {
+ tprintf("%sINVALID%s", colorize_start_full(black, red),
+ colorize_end());
+ return 0;
+ }
+
+ tprintf("%x", *data);
 }
 return 1;
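Review bot: The `tprintf("%x", *data);` line in the Aux Data loop of dissect_icmpv6_mcast_rec still prints each byte without zero padding, so the dump is ambiguous: the byte pairs 0x01 0x23 and 0x12 0x03 both render as `123`. This output is what an analyst reads when inspecting a malformed or crafted packet, so I would change it to `tprintf("%02x", *data);`. The same line appears in the loops of dissect_neighb_disc_ops_1, _4, _16, _17 and _19 in this patch. The enclosing functions start and end outside the hunks.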
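Review bot: The nine-line pull/check/print body added to the `while (len--)` loop in dissect_neighb_disc_ops_1 is repeated verbatim in five other loops of this patch (dissect_icmpv6_mcast_rec, dissect_neighb_disc_ops_4, _16, _17 and _19), differing only in `return 0` versus `break`. A small static helper that dumps `len` bytes and reports whether the packet ran out would keep the NULL check in one place, so a later fix cannot miss one copy. The type of `len` is not visible in the hunk; the sketch below assumes an unsigned count and should be adjusted to the callers. The function body continues outside the hunk.

```c
/* Print len bytes of pkt as hex; returns 0 if the packet ends early. */
static int8_t dissect_hex_bytes(struct pkt_buff *pkt, size_t len)
{
	while (len--) {
		uint8_t *data = pkt_pull(pkt, 1);

		if (data == NULL) {
			tprintf("%sINVALID%s", colorize_start_full(black, red),
				colorize_end());
			return 0;
		}

		tprintf("%x", *data);
	}

	return 1;
}

/* in dissect_neighb_disc_ops_1, replacing the open-coded loop: */
	tprintf("Address 0x");
	if (!dissect_hex_bytes(pkt, len))
		return 0;
	/* … unchanged: return 1 … */
```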
@@ -570,7 +594,15 @@ static int8_t dissect_neighb_disc_ops_16(struct pkt_buff *pkt,
 tprintf("Certificate + Padding (");
 while (len--) {
- tprintf("%x", *pkt_pull(pkt,1));
+ uint8_t *data = pkt_pull(pkt, 1);
+
+ if (data == NULL) {
+ tprintf("%sINVALID%s", colorize_start_full(black, red),
+ colorize_end());
+ break;
+ }
+
+ tprintf("%x", *data);
 }
 tprintf(") ");
@@ -645,7 +677,15 @@ static int8_t dissect_neighb_disc_ops_17(struct pkt_buff *pkt,
 tprintf("%s (", colorize_start_full(black, red) "Error Wrong Length. Skip Option" colorize_end());
 while (len--) {
- tprintf("%x", *pkt_pull(pkt,1));
+ uint8_t *data = pkt_pull(pkt, 1);
+
+ if (data == NULL) {
+ tprintf("%sINVALID%s", colorize_start_full(black, red),
+ colorize_end());
+ break;
+ }
+
+ tprintf("%x", *data);
 }
 tprintf(") ");
 }
@@ -689,8 +729,16 @@ static int8_t dissect_neighb_disc_ops_19(struct pkt_buff *pkt,
 icmp_neighb_disc_19->opt_code);
 tprintf("LLA (");
- while(len--){
- tprintf("%x", *pkt_pull(pkt,1));
+ while(len--) {
+ uint8_t *data = pkt_pull(pkt, 1);
+
+ if (data == NULL) {
+ tprintf("%sINVALID%s", colorize_start_full(black, red),
+ colorize_end());
+ return 0;
+ }
+
+ tprintf("%x", *data);
 }
 tprintf(") ");
-- cgit v1.2.3-54-g00ecf
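Review bot: On a short packet the Certificate + Padding loop in dissect_neighb_disc_ops_16 uses `break` where the other loops in this patch use `return 0`, so the function goes on to print `) ` and, as far as the hunk shows, finishes as if the option had been parsed completely. If the return value tells the caller whether to keep dissecting further options (the caller is not visible here), a truncated option is then reported as success and dissection carries on against an exhausted buffer. I would record the failure and `return 0;` after the closing `tprintf(") ");`, or add a comment stating why truncation is deliberately not propagated here. The same applies to the wrong-length branch of dissect_neighb_disc_ops_17 in the next hunk; both function bodies continue outside their hunks.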