author | Jeroen Roovers <jer@gentoo.org> | 2015-01-07 16:23:14 +0000 |
---|---|---|
committer | Jeroen Roovers <jer@gentoo.org> | 2015-01-07 16:23:14 +0000 |
commit | 36e415569d113384a3ffbcadaa0610feaf2c5001 (patch) | |
tree | d8b412aa2d679d15dede9bc6a7724f04b6f49a1b /net-analyzer/tcpdump | |
parent | Add 4.0.10.8 release. Remove old. (diff) | |
Patches for multiple vulnerabilities (bug #534660).
(Portage version: 2.2.15/cvs/Linux x86_64, signed Manifest commit with key A792A613)
Diffstat (limited to 'net-analyzer/tcpdump')
-rw-r--r-- | net-analyzer/tcpdump/ChangeLog | 11 | ||||
-rw-r--r-- | net-analyzer/tcpdump/files/tcpdump-4.6.2-CVE-2014-8767.patch | 165 | ||||
-rw-r--r-- | net-analyzer/tcpdump/files/tcpdump-4.6.2-CVE-2014-8768.patch | 327 | ||||
-rw-r--r-- | net-analyzer/tcpdump/files/tcpdump-4.6.2-CVE-2014-8769.patch | 684 | ||||
-rw-r--r-- | net-analyzer/tcpdump/files/tcpdump-4.6.2-CVE-2014-9140.patch | 40 | ||||
-rw-r--r-- | net-analyzer/tcpdump/tcpdump-4.6.2-r1.ebuild | 97 |
6 files changed, 1323 insertions, 1 deletions
diff --git a/net-analyzer/tcpdump/ChangeLog b/net-analyzer/tcpdump/ChangeLog index d9989f29fa65..221cc622d0cd 100644 --- a/net-analyzer/tcpdump/ChangeLog +++ b/net-analyzer/tcpdump/ChangeLog @@ -1,6 +1,15 @@ # ChangeLog for net-analyzer/tcpdump # Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-analyzer/tcpdump/ChangeLog,v 1.199 2015/01/07 16:08:40 jer Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-analyzer/tcpdump/ChangeLog,v 1.200 2015/01/07 16:23:14 jer Exp $ + +*tcpdump-4.6.2-r1 (07 Jan 2015) + + 07 Jan 2015; Jeroen Roovers <jer@gentoo.org> +tcpdump-4.6.2-r1.ebuild, + +files/tcpdump-4.6.2-CVE-2014-8767.patch, + +files/tcpdump-4.6.2-CVE-2014-8768.patch, + +files/tcpdump-4.6.2-CVE-2014-8769.patch, + +files/tcpdump-4.6.2-CVE-2014-9140.patch: + Patches for multiple vulnerabilities (bug #534660). *tcpdump-9999 (07 Jan 2015) diff --git a/net-analyzer/tcpdump/files/tcpdump-4.6.2-CVE-2014-8767.patch b/net-analyzer/tcpdump/files/tcpdump-4.6.2-CVE-2014-8767.patch new file mode 100644 index 000000000000..c3ac0ea21b7b --- /dev/null +++ b/net-analyzer/tcpdump/files/tcpdump-4.6.2-CVE-2014-8767.patch 
@@ -0,0 +1,165 @@ +--- a/print-olsr.c ++++ b/print-olsr.c +@@ -178,7 +178,7 @@ struct olsr_lq_neighbor6 { + /* + * print a neighbor list with LQ extensions. + */ +-static void ++static int + olsr_print_lq_neighbor4(netdissect_options *ndo, + const u_char *msg_data, u_int hello_len) + { +@@ -187,6 +187,8 @@ olsr_print_lq_neighbor4(netdissect_options *ndo, + while (hello_len >= sizeof(struct olsr_lq_neighbor4)) { + + lq_neighbor = (struct olsr_lq_neighbor4 *)msg_data; ++ if (!ND_TTEST(*lq_neighbor)) ++ return (-1); + + ND_PRINT((ndo, "\n\t neighbor %s, link-quality %.2lf%%" + ", neighbor-link-quality %.2lf%%", +@@ -197,10 +199,11 @@ olsr_print_lq_neighbor4(netdissect_options *ndo, + msg_data += sizeof(struct olsr_lq_neighbor4); + hello_len -= sizeof(struct olsr_lq_neighbor4); + } ++ return (0); + } + + #if INET6 +-static void ++static int + olsr_print_lq_neighbor6(netdissect_options *ndo, + const u_char *msg_data, u_int hello_len) + { +@@ -209,6 +212,8 @@ olsr_print_lq_neighbor6(netdissect_options *ndo, + while (hello_len >= sizeof(struct olsr_lq_neighbor6)) { + + lq_neighbor = (struct olsr_lq_neighbor6 *)msg_data; ++ if (!ND_TTEST(*lq_neighbor)) ++ return (-1); + + ND_PRINT((ndo, "\n\t neighbor %s, link-quality %.2lf%%" + ", neighbor-link-quality %.2lf%%", +@@ -219,13 +224,14 @@ olsr_print_lq_neighbor6(netdissect_options *ndo, + msg_data += sizeof(struct olsr_lq_neighbor6); + hello_len -= sizeof(struct olsr_lq_neighbor6); + } ++ return (0); + } + #endif /* INET6 */ + + /* + * print a neighbor list. 
+ */ +-static void ++static int + olsr_print_neighbor(netdissect_options *ndo, + const u_char *msg_data, u_int hello_len) + { +@@ -236,6 +242,8 @@ olsr_print_neighbor(netdissect_options *ndo, + + while (hello_len >= sizeof(struct in_addr)) { + ++ if (!ND_TTEST2(*msg_data, sizeof(struct in_addr))) ++ return (-1); + /* print 4 neighbors per line */ + + ND_PRINT((ndo, "%s%s", ipaddr_string(ndo, msg_data), +@@ -244,6 +252,7 @@ olsr_print_neighbor(netdissect_options *ndo, + msg_data += sizeof(struct in_addr); + hello_len -= sizeof(struct in_addr); + } ++ return (0); + } + + +@@ -326,6 +335,9 @@ olsr_print(netdissect_options *ndo, + ME_TO_DOUBLE(msgptr.v6->vtime), + EXTRACT_16BITS(msgptr.v6->msg_seq), + msg_len, (msg_len_valid == 0) ? " (invalid)" : "")); ++ if (!msg_len_valid) { ++ return; ++ } + + msg_tlen = msg_len - sizeof(struct olsr_msg6); + msg_data = tptr + sizeof(struct olsr_msg6); +@@ -354,6 +366,9 @@ olsr_print(netdissect_options *ndo, + ME_TO_DOUBLE(msgptr.v4->vtime), + EXTRACT_16BITS(msgptr.v4->msg_seq), + msg_len, (msg_len_valid == 0) ? 
" (invalid)" : "")); ++ if (!msg_len_valid) { ++ return; ++ } + + msg_tlen = msg_len - sizeof(struct olsr_msg4); + msg_data = tptr + sizeof(struct olsr_msg4); +@@ -362,6 +377,8 @@ olsr_print(netdissect_options *ndo, + switch (msg_type) { + case OLSR_HELLO_MSG: + case OLSR_HELLO_LQ_MSG: ++ if (msg_tlen < sizeof(struct olsr_hello)) ++ goto trunc; + ND_TCHECK2(*msg_data, sizeof(struct olsr_hello)); + + ptr.hello = (struct olsr_hello *)msg_data; +@@ -401,15 +418,21 @@ olsr_print(netdissect_options *ndo, + msg_tlen -= sizeof(struct olsr_hello_link); + hello_len -= sizeof(struct olsr_hello_link); + ++ ND_TCHECK2(*msg_data, hello_len); + if (msg_type == OLSR_HELLO_MSG) { +- olsr_print_neighbor(ndo, msg_data, hello_len); ++ if (olsr_print_neighbor(ndo, msg_data, hello_len) == -1) ++ goto trunc; + } else { + #if INET6 +- if (is_ipv6) +- olsr_print_lq_neighbor6(ndo, msg_data, hello_len); +- else ++ if (is_ipv6) { ++ if (olsr_print_lq_neighbor6(ndo, msg_data, hello_len) == -1) ++ goto trunc; ++ } else + #endif +- olsr_print_lq_neighbor4(ndo, msg_data, hello_len); ++ { ++ if (olsr_print_lq_neighbor4(ndo, msg_data, hello_len) == -1) ++ goto trunc; ++ } + } + + msg_data += hello_len; +@@ -419,6 +442,8 @@ olsr_print(netdissect_options *ndo, + + case OLSR_TC_MSG: + case OLSR_TC_LQ_MSG: ++ if (msg_tlen < sizeof(struct olsr_tc)) ++ goto trunc; + ND_TCHECK2(*msg_data, sizeof(struct olsr_tc)); + + ptr.tc = (struct olsr_tc *)msg_data; +@@ -428,14 +453,19 @@ olsr_print(netdissect_options *ndo, + msg_tlen -= sizeof(struct olsr_tc); + + if (msg_type == OLSR_TC_MSG) { +- olsr_print_neighbor(ndo, msg_data, msg_tlen); ++ if (olsr_print_neighbor(ndo, msg_data, msg_tlen) == -1) ++ goto trunc; + } else { + #if INET6 +- if (is_ipv6) +- olsr_print_lq_neighbor6(ndo, msg_data, msg_tlen); +- else ++ if (is_ipv6) { ++ if (olsr_print_lq_neighbor6(ndo, msg_data, msg_tlen) == -1) ++ goto trunc; ++ } else + #endif +- olsr_print_lq_neighbor4(ndo, msg_data, msg_tlen); ++ { ++ if 
(olsr_print_lq_neighbor4(ndo, msg_data, msg_tlen) == -1) ++ goto trunc; ++ } + } + break; + diff --git a/net-analyzer/tcpdump/files/tcpdump-4.6.2-CVE-2014-8768.patch b/net-analyzer/tcpdump/files/tcpdump-4.6.2-CVE-2014-8768.patch new file mode 100644 index 000000000000..7f6fd70c7860 --- /dev/null +++ b/net-analyzer/tcpdump/files/tcpdump-4.6.2-CVE-2014-8768.patch 
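Review bot: The three neighbor printers in the print-olsr.c patch change from `void` to `int`, but the comments above them still say only "print a neighbor list", so the new return contract is undocumented. I would extend each comment to something like `/* print a neighbor list; returns 0 on success, -1 if the captured data is truncated */`. The contract matters most in the OLSR_TC_MSG / OLSR_TC_LQ_MSG branch: the HELLO branch gains `ND_TCHECK2(*msg_data, hello_len)` before dispatch, but the TC branch passes `msg_tlen` straight through, so there the per-entry `ND_TTEST` in the helpers and the caller's `== -1` test are the only capture-length checks visible. olsr_print's body starts and ends outside the inner hunks shown.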
@@ -0,0 +1,327 @@ +--- a/print-geonet.c ++++ b/print-geonet.c +@@ -56,16 +56,12 @@ static const struct tok msg_type_values[] = { + + static void + print_btp_body(netdissect_options *ndo, +- const u_char *bp, u_int length) ++ const u_char *bp) + { + int version; + int msg_type; + const char *msg_type_str; + +- if (length <= 2) { +- return; +- } +- + /* Assuming ItsDpuHeader */ + version = bp[0]; + msg_type = bp[1]; +@@ -83,7 +79,7 @@ print_btp(netdissect_options *ndo, + ND_PRINT((ndo, "; BTP Dst:%u Src:%u", dest, src)); + } + +-static void ++static int + print_long_pos_vector(netdissect_options *ndo, + const u_char *bp) + { +@@ -91,10 +87,13 @@ print_long_pos_vector(netdissect_options *ndo, + + ND_PRINT((ndo, "GN_ADDR:%s ", linkaddr_string (ndo, bp, 0, GEONET_ADDR_LEN))); + ++ if (!ND_TTEST2(*(bp+12), 8)) ++ return (-1); + lat = EXTRACT_32BITS(bp+12); + ND_PRINT((ndo, "lat:%d ", lat)); + lon = EXTRACT_32BITS(bp+16); + ND_PRINT((ndo, "lon:%d", lon)); ++ return (0); + } + + +@@ -105,137 +104,170 @@ print_long_pos_vector(netdissect_options *ndo, + void + geonet_print(netdissect_options *ndo, const u_char *eth, const u_char *bp, u_int length) + { ++ int version; ++ int next_hdr; ++ int hdr_type; ++ int hdr_subtype; ++ uint16_t payload_length; ++ int hop_limit; ++ const char *next_hdr_txt = "Unknown"; ++ const char *hdr_type_txt = "Unknown"; ++ int hdr_size = -1; ++ + ND_PRINT((ndo, "GeoNet src:%s; ", etheraddr_string(ndo, eth+6))); + +- if (length >= 36) { +- /* Process Common Header */ +- int version = bp[0] >> 4; +- int next_hdr = bp[0] & 0x0f; +- int hdr_type = bp[1] >> 4; +- int hdr_subtype = bp[1] & 0x0f; +- uint16_t payload_length = EXTRACT_16BITS(bp+4); +- int hop_limit = bp[7]; +- const char *next_hdr_txt = "Unknown"; +- const char *hdr_type_txt = "Unknown"; +- int hdr_size = -1; ++ /* Process Common Header */ ++ if (length < 36) ++ goto malformed; ++ ++ ND_TCHECK2(*bp, 7); ++ version = bp[0] >> 4; ++ next_hdr = bp[0] & 0x0f; ++ hdr_type = bp[1] >> 4; ++ 
hdr_subtype = bp[1] & 0x0f; ++ payload_length = EXTRACT_16BITS(bp+4); ++ hop_limit = bp[7]; + +- switch (next_hdr) { +- case 0: next_hdr_txt = "Any"; break; +- case 1: next_hdr_txt = "BTP-A"; break; +- case 2: next_hdr_txt = "BTP-B"; break; +- case 3: next_hdr_txt = "IPv6"; break; +- } ++ switch (next_hdr) { ++ case 0: next_hdr_txt = "Any"; break; ++ case 1: next_hdr_txt = "BTP-A"; break; ++ case 2: next_hdr_txt = "BTP-B"; break; ++ case 3: next_hdr_txt = "IPv6"; break; ++ } + +- switch (hdr_type) { +- case 0: hdr_type_txt = "Any"; break; +- case 1: hdr_type_txt = "Beacon"; break; +- case 2: hdr_type_txt = "GeoUnicast"; break; +- case 3: switch (hdr_subtype) { +- case 0: hdr_type_txt = "GeoAnycastCircle"; break; +- case 1: hdr_type_txt = "GeoAnycastRect"; break; +- case 2: hdr_type_txt = "GeoAnycastElipse"; break; +- } +- break; +- case 4: switch (hdr_subtype) { +- case 0: hdr_type_txt = "GeoBroadcastCircle"; break; +- case 1: hdr_type_txt = "GeoBroadcastRect"; break; +- case 2: hdr_type_txt = "GeoBroadcastElipse"; break; +- } +- break; +- case 5: switch (hdr_subtype) { +- case 0: hdr_type_txt = "TopoScopeBcast-SH"; break; +- case 1: hdr_type_txt = "TopoScopeBcast-MH"; break; +- } +- break; +- case 6: switch (hdr_subtype) { +- case 0: hdr_type_txt = "LocService-Request"; break; +- case 1: hdr_type_txt = "LocService-Reply"; break; +- } +- break; +- } ++ switch (hdr_type) { ++ case 0: hdr_type_txt = "Any"; break; ++ case 1: hdr_type_txt = "Beacon"; break; ++ case 2: hdr_type_txt = "GeoUnicast"; break; ++ case 3: switch (hdr_subtype) { ++ case 0: hdr_type_txt = "GeoAnycastCircle"; break; ++ case 1: hdr_type_txt = "GeoAnycastRect"; break; ++ case 2: hdr_type_txt = "GeoAnycastElipse"; break; ++ } ++ break; ++ case 4: switch (hdr_subtype) { ++ case 0: hdr_type_txt = "GeoBroadcastCircle"; break; ++ case 1: hdr_type_txt = "GeoBroadcastRect"; break; ++ case 2: hdr_type_txt = "GeoBroadcastElipse"; break; ++ } ++ break; ++ case 5: switch (hdr_subtype) { ++ case 0: 
hdr_type_txt = "TopoScopeBcast-SH"; break; ++ case 1: hdr_type_txt = "TopoScopeBcast-MH"; break; ++ } ++ break; ++ case 6: switch (hdr_subtype) { ++ case 0: hdr_type_txt = "LocService-Request"; break; ++ case 1: hdr_type_txt = "LocService-Reply"; break; ++ } ++ break; ++ } ++ ++ ND_PRINT((ndo, "v:%d ", version)); ++ ND_PRINT((ndo, "NH:%d-%s ", next_hdr, next_hdr_txt)); ++ ND_PRINT((ndo, "HT:%d-%d-%s ", hdr_type, hdr_subtype, hdr_type_txt)); ++ ND_PRINT((ndo, "HopLim:%d ", hop_limit)); ++ ND_PRINT((ndo, "Payload:%d ", payload_length)); ++ if (print_long_pos_vector(ndo, bp + 8) == -1) ++ goto trunc; + +- ND_PRINT((ndo, "v:%d ", version)); +- ND_PRINT((ndo, "NH:%d-%s ", next_hdr, next_hdr_txt)); +- ND_PRINT((ndo, "HT:%d-%d-%s ", hdr_type, hdr_subtype, hdr_type_txt)); +- ND_PRINT((ndo, "HopLim:%d ", hop_limit)); +- ND_PRINT((ndo, "Payload:%d ", payload_length)); +- print_long_pos_vector(ndo, bp + 8); ++ /* Skip Common Header */ ++ length -= 36; ++ bp += 36; + +- /* Skip Common Header */ +- length -= 36; +- bp += 36; ++ /* Process Extended Headers */ ++ switch (hdr_type) { ++ case 0: /* Any */ ++ hdr_size = 0; ++ break; ++ case 1: /* Beacon */ ++ hdr_size = 0; ++ break; ++ case 2: /* GeoUnicast */ ++ break; ++ case 3: switch (hdr_subtype) { ++ case 0: /* GeoAnycastCircle */ ++ break; ++ case 1: /* GeoAnycastRect */ ++ break; ++ case 2: /* GeoAnycastElipse */ ++ break; ++ } ++ break; ++ case 4: switch (hdr_subtype) { ++ case 0: /* GeoBroadcastCircle */ ++ break; ++ case 1: /* GeoBroadcastRect */ ++ break; ++ case 2: /* GeoBroadcastElipse */ ++ break; ++ } ++ break; ++ case 5: switch (hdr_subtype) { ++ case 0: /* TopoScopeBcast-SH */ ++ hdr_size = 0; ++ break; ++ case 1: /* TopoScopeBcast-MH */ ++ hdr_size = 68 - 36; ++ break; ++ } ++ break; ++ case 6: switch (hdr_subtype) { ++ case 0: /* LocService-Request */ ++ break; ++ case 1: /* LocService-Reply */ ++ break; ++ } ++ break; ++ } + +- /* Process Extended Headers */ +- switch (hdr_type) { ++ /* Skip Extended headers */ 
++ if (hdr_size >= 0) { ++ if (length < (u_int)hdr_size) ++ goto malformed; ++ ND_TCHECK2(*bp, hdr_size); ++ length -= hdr_size; ++ bp += hdr_size; ++ switch (next_hdr) { + case 0: /* Any */ +- hdr_size = 0; +- break; +- case 1: /* Beacon */ +- hdr_size = 0; +- break; +- case 2: /* GeoUnicast */ + break; +- case 3: switch (hdr_subtype) { +- case 0: /* GeoAnycastCircle */ +- break; +- case 1: /* GeoAnycastRect */ +- break; +- case 2: /* GeoAnycastElipse */ +- break; ++ case 1: ++ case 2: /* BTP A/B */ ++ if (length < 4) ++ goto malformed; ++ ND_TCHECK2(*bp, 4); ++ print_btp(ndo, bp); ++ length -= 4; ++ bp += 4; ++ if (length >= 2) { ++ /* ++ * XXX - did print_btp_body() ++ * return if length < 2 ++ * because this is optional, ++ * or was that just not ++ * reporting genuine errors? ++ */ ++ ND_TCHECK2(*bp, 2); ++ print_btp_body(ndo, bp); + } + break; +- case 4: switch (hdr_subtype) { +- case 0: /* GeoBroadcastCircle */ +- break; +- case 1: /* GeoBroadcastRect */ +- break; +- case 2: /* GeoBroadcastElipse */ +- break; +- } +- break; +- case 5: switch (hdr_subtype) { +- case 0: /* TopoScopeBcast-SH */ +- hdr_size = 0; +- break; +- case 1: /* TopoScopeBcast-MH */ +- hdr_size = 68 - 36; +- break; +- } +- break; +- case 6: switch (hdr_subtype) { +- case 0: /* LocService-Request */ +- break; +- case 1: /* LocService-Reply */ +- break; +- } ++ case 3: /* IPv6 */ + break; + } +- +- /* Skip Extended headers */ +- if (hdr_size >= 0) { +- length -= hdr_size; +- bp += hdr_size; +- switch (next_hdr) { +- case 0: /* Any */ +- break; +- case 1: +- case 2: /* BTP A/B */ +- print_btp(ndo, bp); +- length -= 4; +- bp += 4; +- print_btp_body(ndo, bp, length); +- break; +- case 3: /* IPv6 */ +- break; +- } +- } +- } else { +- ND_PRINT((ndo, "Malformed (small) ")); + } + + /* Print user data part */ + if (ndo->ndo_vflag) + ND_DEFAULTPRINT(bp, length); ++ return; ++ ++malformed: ++ ND_PRINT((ndo, " Malformed (small) ")); ++ /* XXX - print the remaining data as hex? 
*/ ++ return; ++ ++trunc: ++ ND_PRINT((ndo, "[|geonet]")); + } + + diff --git a/net-analyzer/tcpdump/files/tcpdump-4.6.2-CVE-2014-8769.patch b/net-analyzer/tcpdump/files/tcpdump-4.6.2-CVE-2014-8769.patch new file mode 100644 index 000000000000..4d44be5349ac --- /dev/null +++ b/net-analyzer/tcpdump/files/tcpdump-4.6.2-CVE-2014-8769.patch 
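Review bot: In geonet_print the new `ND_TCHECK2(*bp, 7);` covers bp[0] through bp[6], but the common-header parsing right after it reads `hop_limit = bp[7];`, one byte past the checked range; the check should be `ND_TCHECK2(*bp, 8);`. In print_long_pos_vector, `linkaddr_string(ndo, bp, 0, GEONET_ADDR_LEN)` still runs before the added `ND_TTEST2(*(bp+12), 8)`, so the address bytes are formatted before any capture-length test. Moving the test above the first ND_PRINT and starting it at `bp` would cover the address as well as lat/lon. Both cases matter for captures taken with a short snaplen, where `length >= 36` reflects the declared length and not the number of bytes actually captured.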
@@ -0,0 +1,684 @@ +--- a/print-aodv.c ++++ b/print-aodv.c +@@ -37,9 +37,6 @@ + + #include <tcpdump-stdinc.h> + +-/* for offsetof */ +-#include <stddef.h> +- + #include "interface.h" + #include "addrtoname.h" + #include "extract.h" /* must come after interface.h */ +@@ -146,13 +143,6 @@ struct aodv_rerr { + uint8_t rerr_flags; /* various flags */ + uint8_t rerr_zero0; /* reserved, set to zero */ + uint8_t rerr_dc; /* destination count */ +- union { +- struct rerr_unreach dest[1]; +-#ifdef INET6 +- struct rerr_unreach6 dest6[1]; +- struct rerr_unreach6_draft_01 dest6_draft_01[1]; +-#endif +- } r; + }; + + #define RERR_NODELETE 0x80 /* don't delete the link */ +@@ -163,19 +153,6 @@ struct aodv_rrep_ack { + uint8_t ra_zero0; + }; + +-union aodv { +- struct aodv_rreq rreq; +- struct aodv_rrep rrep; +- struct aodv_rerr rerr; +- struct aodv_rrep_ack rrep_ack; +-#ifdef INET6 +- struct aodv_rreq6 rreq6; +- struct aodv_rreq6_draft_01 rreq6_draft_01; +- struct aodv_rrep6 rrep6; +- struct aodv_rrep6_draft_01 rrep6_draft_01; +-#endif +-}; +- + #define AODV_RREQ 1 /* route request */ + #define AODV_RREP 2 /* route response */ + #define AODV_RERR 3 /* error report */ +@@ -204,22 +181,14 @@ static void + aodv_extension(netdissect_options *ndo, + const struct aodv_ext *ep, u_int length) + { +- u_int i; + const struct aodv_hello *ah; + + switch (ep->type) { + case AODV_EXT_HELLO: +- if (ndo->ndo_snapend < (u_char *) ep) { +- ND_PRINT((ndo, " [|hello]")); +- return; +- } +- i = min(length, (u_int)(ndo->ndo_snapend - (u_char *)ep)); +- if (i < sizeof(struct aodv_hello)) { +- ND_PRINT((ndo, " [|hello]")); +- return; +- } +- i -= sizeof(struct aodv_hello); +- ah = (void *)ep; ++ ah = (const struct aodv_hello *)(const void *)ep; ++ ND_TCHECK(*ah); ++ if (length < sizeof(struct aodv_hello)) ++ goto trunc; + ND_PRINT((ndo, "\n\text HELLO %ld ms", + (unsigned long)EXTRACT_32BITS(&ah->interval))); + break; +@@ -228,141 +197,135 @@ aodv_extension(netdissect_options *ndo, + ND_PRINT((ndo, 
"\n\text %u %u", ep->type, ep->length)); + break; + } ++ return; ++ ++trunc: ++ ND_PRINT((ndo, " [|hello]")); + } + + static void +-aodv_rreq(netdissect_options *ndo, +- const union aodv *ap, const u_char *dat, u_int length) ++aodv_rreq(netdissect_options *ndo, const u_char *dat, u_int length) + { + u_int i; ++ const struct aodv_rreq *ap = (const struct aodv_rreq *)dat; + +- if (ndo->ndo_snapend < dat) { +- ND_PRINT((ndo, " [|aodv]")); +- return; +- } +- i = min(length, (u_int)(ndo->ndo_snapend - dat)); +- if (i < sizeof(ap->rreq)) { +- ND_PRINT((ndo, " [|rreq]")); +- return; +- } +- i -= sizeof(ap->rreq); ++ ND_TCHECK(*ap); ++ if (length < sizeof(*ap)) ++ goto trunc; + ND_PRINT((ndo, " rreq %u %s%s%s%s%shops %u id 0x%08lx\n" + "\tdst %s seq %lu src %s seq %lu", length, +- ap->rreq.rreq_type & RREQ_JOIN ? "[J]" : "", +- ap->rreq.rreq_type & RREQ_REPAIR ? "[R]" : "", +- ap->rreq.rreq_type & RREQ_GRAT ? "[G]" : "", +- ap->rreq.rreq_type & RREQ_DEST ? "[D]" : "", +- ap->rreq.rreq_type & RREQ_UNKNOWN ? "[U] " : " ", +- ap->rreq.rreq_hops, +- (unsigned long)EXTRACT_32BITS(&ap->rreq.rreq_id), +- ipaddr_string(ndo, &ap->rreq.rreq_da), +- (unsigned long)EXTRACT_32BITS(&ap->rreq.rreq_ds), +- ipaddr_string(ndo, &ap->rreq.rreq_oa), +- (unsigned long)EXTRACT_32BITS(&ap->rreq.rreq_os))); ++ ap->rreq_type & RREQ_JOIN ? "[J]" : "", ++ ap->rreq_type & RREQ_REPAIR ? "[R]" : "", ++ ap->rreq_type & RREQ_GRAT ? "[G]" : "", ++ ap->rreq_type & RREQ_DEST ? "[D]" : "", ++ ap->rreq_type & RREQ_UNKNOWN ? 
"[U] " : " ", ++ ap->rreq_hops, ++ (unsigned long)EXTRACT_32BITS(&ap->rreq_id), ++ ipaddr_string(ndo, &ap->rreq_da), ++ (unsigned long)EXTRACT_32BITS(&ap->rreq_ds), ++ ipaddr_string(ndo, &ap->rreq_oa), ++ (unsigned long)EXTRACT_32BITS(&ap->rreq_os))); ++ i = length - sizeof(*ap); + if (i >= sizeof(struct aodv_ext)) +- aodv_extension(ndo, (void *)(&ap->rreq + 1), i); ++ aodv_extension(ndo, (const struct aodv_ext *)(dat + sizeof(*ap)), i); ++ return; ++ ++trunc: ++ ND_PRINT((ndo, " [|rreq")); + } + + static void +-aodv_rrep(netdissect_options *ndo, +- const union aodv *ap, const u_char *dat, u_int length) ++aodv_rrep(netdissect_options *ndo, const u_char *dat, u_int length) + { + u_int i; ++ const struct aodv_rrep *ap = (const struct aodv_rrep *)dat; + +- if (ndo->ndo_snapend < dat) { +- ND_PRINT((ndo, " [|aodv]")); +- return; +- } +- i = min(length, (u_int)(ndo->ndo_snapend - dat)); +- if (i < sizeof(ap->rrep)) { +- ND_PRINT((ndo, " [|rrep]")); +- return; +- } +- i -= sizeof(ap->rrep); ++ ND_TCHECK(*ap); ++ if (length < sizeof(*ap)) ++ goto trunc; + ND_PRINT((ndo, " rrep %u %s%sprefix %u hops %u\n" + "\tdst %s dseq %lu src %s %lu ms", length, +- ap->rrep.rrep_type & RREP_REPAIR ? "[R]" : "", +- ap->rrep.rrep_type & RREP_ACK ? "[A] " : " ", +- ap->rrep.rrep_ps & RREP_PREFIX_MASK, +- ap->rrep.rrep_hops, +- ipaddr_string(ndo, &ap->rrep.rrep_da), +- (unsigned long)EXTRACT_32BITS(&ap->rrep.rrep_ds), +- ipaddr_string(ndo, &ap->rrep.rrep_oa), +- (unsigned long)EXTRACT_32BITS(&ap->rrep.rrep_life))); ++ ap->rrep_type & RREP_REPAIR ? "[R]" : "", ++ ap->rrep_type & RREP_ACK ? 
"[A] " : " ", ++ ap->rrep_ps & RREP_PREFIX_MASK, ++ ap->rrep_hops, ++ ipaddr_string(ndo, &ap->rrep_da), ++ (unsigned long)EXTRACT_32BITS(&ap->rrep_ds), ++ ipaddr_string(ndo, &ap->rrep_oa), ++ (unsigned long)EXTRACT_32BITS(&ap->rrep_life))); ++ i = length - sizeof(*ap); + if (i >= sizeof(struct aodv_ext)) +- aodv_extension(ndo, (void *)(&ap->rrep + 1), i); ++ aodv_extension(ndo, (const struct aodv_ext *)(dat + sizeof(*ap)), i); ++ return; ++ ++trunc: ++ ND_PRINT((ndo, " [|rreq")); + } + + static void +-aodv_rerr(netdissect_options *ndo, +- const union aodv *ap, const u_char *dat, u_int length) ++aodv_rerr(netdissect_options *ndo, const u_char *dat, u_int length) + { +- u_int i; +- const struct rerr_unreach *dp = NULL; +- int n, trunc; ++ u_int i, dc; ++ const struct aodv_rerr *ap = (const struct aodv_rerr *)dat; ++ const struct rerr_unreach *dp; + +- if (ndo->ndo_snapend < dat) { +- ND_PRINT((ndo, " [|aodv]")); +- return; +- } +- i = min(length, (u_int)(ndo->ndo_snapend - dat)); +- if (i < offsetof(struct aodv_rerr, r)) { +- ND_PRINT((ndo, " [|rerr]")); +- return; +- } +- i -= offsetof(struct aodv_rerr, r); +- dp = &ap->rerr.r.dest[0]; +- n = ap->rerr.rerr_dc * sizeof(ap->rerr.r.dest[0]); ++ ND_TCHECK(*ap); ++ if (length < sizeof(*ap)) ++ goto trunc; + ND_PRINT((ndo, " rerr %s [items %u] [%u]:", +- ap->rerr.rerr_flags & RERR_NODELETE ? "[D]" : "", +- ap->rerr.rerr_dc, length)); +- trunc = n - (i/sizeof(ap->rerr.r.dest[0])); +- for (; i >= sizeof(ap->rerr.r.dest[0]); +- ++dp, i -= sizeof(ap->rerr.r.dest[0])) { ++ ap->rerr_flags & RERR_NODELETE ? 
"[D]" : "", ++ ap->rerr_dc, length)); ++ dp = (struct rerr_unreach *)(dat + sizeof(*ap)); ++ i = length - sizeof(*ap); ++ for (dc = ap->rerr_dc; dc != 0; dc--) { ++ ND_TCHECK(*dp); ++ if (i < sizeof(*dp)) ++ goto trunc; + ND_PRINT((ndo, " {%s}(%ld)", ipaddr_string(ndo, &dp->u_da), + (unsigned long)EXTRACT_32BITS(&dp->u_ds))); ++ dp++; ++ i -= sizeof(*dp); + } +- if (trunc) +- ND_PRINT((ndo, "[|rerr]")); ++ return; ++ ++trunc: ++ ND_PRINT((ndo, "[|rerr]")); + } + + static void + #ifdef INET6 +-aodv_v6_rreq(netdissect_options *ndo, +- const union aodv *ap, const u_char *dat, u_int length) ++aodv_v6_rreq(netdissect_options *ndo, const u_char *dat, u_int length) + #else +-aodv_v6_rreq(netdissect_options *ndo, +- const union aodv *ap _U_, const u_char *dat _U_, u_int length) ++aodv_v6_rreq(netdissect_options *ndo, const u_char *dat _U_, u_int length) + #endif + { + #ifdef INET6 + u_int i; ++ const struct aodv_rreq6 *ap = (const struct aodv_rreq6 *)dat; + +- if (ndo->ndo_snapend < dat) { +- ND_PRINT((ndo, " [|aodv]")); +- return; +- } +- i = min(length, (u_int)(ndo->ndo_snapend - dat)); +- if (i < sizeof(ap->rreq6)) { +- ND_PRINT((ndo, " [|rreq6]")); +- return; +- } +- i -= sizeof(ap->rreq6); ++ ND_TCHECK(*ap); ++ if (length < sizeof(*ap)) ++ goto trunc; + ND_PRINT((ndo, " v6 rreq %u %s%s%s%s%shops %u id 0x%08lx\n" + "\tdst %s seq %lu src %s seq %lu", length, +- ap->rreq6.rreq_type & RREQ_JOIN ? "[J]" : "", +- ap->rreq6.rreq_type & RREQ_REPAIR ? "[R]" : "", +- ap->rreq6.rreq_type & RREQ_GRAT ? "[G]" : "", +- ap->rreq6.rreq_type & RREQ_DEST ? "[D]" : "", +- ap->rreq6.rreq_type & RREQ_UNKNOWN ? "[U] " : " ", +- ap->rreq6.rreq_hops, +- (unsigned long)EXTRACT_32BITS(&ap->rreq6.rreq_id), +- ip6addr_string(ndo, &ap->rreq6.rreq_da), +- (unsigned long)EXTRACT_32BITS(&ap->rreq6.rreq_ds), +- ip6addr_string(ndo, &ap->rreq6.rreq_oa), +- (unsigned long)EXTRACT_32BITS(&ap->rreq6.rreq_os))); ++ ap->rreq_type & RREQ_JOIN ? "[J]" : "", ++ ap->rreq_type & RREQ_REPAIR ? 
"[R]" : "", ++ ap->rreq_type & RREQ_GRAT ? "[G]" : "", ++ ap->rreq_type & RREQ_DEST ? "[D]" : "", ++ ap->rreq_type & RREQ_UNKNOWN ? "[U] " : " ", ++ ap->rreq_hops, ++ (unsigned long)EXTRACT_32BITS(&ap->rreq_id), ++ ip6addr_string(ndo, &ap->rreq_da), ++ (unsigned long)EXTRACT_32BITS(&ap->rreq_ds), ++ ip6addr_string(ndo, &ap->rreq_oa), ++ (unsigned long)EXTRACT_32BITS(&ap->rreq_os))); ++ i = length - sizeof(*ap); + if (i >= sizeof(struct aodv_ext)) +- aodv_extension(ndo, (void *)(&ap->rreq6 + 1), i); ++ aodv_extension(ndo, (const struct aodv_ext *)(dat + sizeof(*ap)), i); ++ return; ++ ++trunc: ++ ND_PRINT((ndo, " [|rreq")); + #else + ND_PRINT((ndo, " v6 rreq %u", length)); + #endif +@@ -370,38 +333,35 @@ aodv_v6_rreq(netdissect_options *ndo, + + static void + #ifdef INET6 +-aodv_v6_rrep(netdissect_options *ndo, +- const union aodv *ap, const u_char *dat, u_int length) ++aodv_v6_rrep(netdissect_options *ndo, const u_char *dat, u_int length) + #else +-aodv_v6_rrep(netdissect_options *ndo, +- const union aodv *ap _U_, const u_char *dat _U_, u_int length) ++aodv_v6_rrep(netdissect_options *ndo, const u_char *dat _U_, u_int length) + #endif + { + #ifdef INET6 + u_int i; ++ const struct aodv_rrep6 *ap = (const struct aodv_rrep6 *)dat; + +- if (ndo->ndo_snapend < dat) { +- ND_PRINT((ndo, " [|aodv]")); +- return; +- } +- i = min(length, (u_int)(ndo->ndo_snapend - dat)); +- if (i < sizeof(ap->rrep6)) { +- ND_PRINT((ndo, " [|rrep6]")); +- return; +- } +- i -= sizeof(ap->rrep6); ++ ND_TCHECK(*ap); ++ if (length < sizeof(*ap)) ++ goto trunc; + ND_PRINT((ndo, " rrep %u %s%sprefix %u hops %u\n" + "\tdst %s dseq %lu src %s %lu ms", length, +- ap->rrep6.rrep_type & RREP_REPAIR ? "[R]" : "", +- ap->rrep6.rrep_type & RREP_ACK ? 
"[A] " : " ", +- ap->rrep6.rrep_ps & RREP_PREFIX_MASK, +- ap->rrep6.rrep_hops, +- ip6addr_string(ndo, &ap->rrep6.rrep_da), +- (unsigned long)EXTRACT_32BITS(&ap->rrep6.rrep_ds), +- ip6addr_string(ndo, &ap->rrep6.rrep_oa), +- (unsigned long)EXTRACT_32BITS(&ap->rrep6.rrep_life))); ++ ap->rrep_type & RREP_REPAIR ? "[R]" : "", ++ ap->rrep_type & RREP_ACK ? "[A] " : " ", ++ ap->rrep_ps & RREP_PREFIX_MASK, ++ ap->rrep_hops, ++ ip6addr_string(ndo, &ap->rrep_da), ++ (unsigned long)EXTRACT_32BITS(&ap->rrep_ds), ++ ip6addr_string(ndo, &ap->rrep_oa), ++ (unsigned long)EXTRACT_32BITS(&ap->rrep_life))); ++ i = length - sizeof(*ap); + if (i >= sizeof(struct aodv_ext)) +- aodv_extension(ndo, (void *)(&ap->rrep6 + 1), i); ++ aodv_extension(ndo, (const struct aodv_ext *)(dat + sizeof(*ap)), i); ++ return; ++ ++trunc: ++ ND_PRINT((ndo, " [|rreq")); + #else + ND_PRINT((ndo, " rrep %u", length)); + #endif +@@ -409,31 +369,37 @@ aodv_v6_rrep(netdissect_options *ndo, + + static void + #ifdef INET6 +-aodv_v6_rerr(netdissect_options *ndo, +- const union aodv *ap, u_int length) ++aodv_v6_rerr(netdissect_options *ndo, const u_char *dat, u_int length) + #else +-aodv_v6_rerr(netdissect_options *ndo, +- const union aodv *ap _U_, u_int length) ++aodv_v6_rerr(netdissect_options *ndo, const u_char *dat _U_, u_int length) + #endif + { + #ifdef INET6 +- const struct rerr_unreach6 *dp6 = NULL; +- int i, j, n, trunc; ++ u_int i, dc; ++ const struct aodv_rerr *ap = (const struct aodv_rerr *)dat; ++ const struct rerr_unreach6 *dp6; + +- i = length - offsetof(struct aodv_rerr, r); +- j = sizeof(ap->rerr.r.dest6[0]); +- dp6 = &ap->rerr.r.dest6[0]; +- n = ap->rerr.rerr_dc * j; ++ ND_TCHECK(*ap); ++ if (length < sizeof(*ap)) ++ goto trunc; + ND_PRINT((ndo, " rerr %s [items %u] [%u]:", +- ap->rerr.rerr_flags & RERR_NODELETE ? "[D]" : "", +- ap->rerr.rerr_dc, length)); +- trunc = n - (i/j); +- for (; i -= j >= 0; ++dp6) { ++ ap->rerr_flags & RERR_NODELETE ? 
"[D]" : "", ++ ap->rerr_dc, length)); ++ dp6 = (struct rerr_unreach6 *)(void *)(ap + 1); ++ i = length - sizeof(*ap); ++ for (dc = ap->rerr_dc; dc != 0; dc--) { ++ ND_TCHECK(*dp6); ++ if (i < sizeof(*dp6)) ++ goto trunc; + ND_PRINT((ndo, " {%s}(%ld)", ip6addr_string(ndo, &dp6->u_da), + (unsigned long)EXTRACT_32BITS(&dp6->u_ds))); ++ dp6++; ++ i -= sizeof(*dp6); + } +- if (trunc) +- ND_PRINT((ndo, "[|rerr]")); ++ return; ++ ++trunc: ++ ND_PRINT((ndo, "[|rerr]")); + #else + ND_PRINT((ndo, " rerr %u", length)); + #endif +@@ -441,42 +407,38 @@ aodv_v6_rerr(netdissect_options *ndo, + + static void + #ifdef INET6 +-aodv_v6_draft_01_rreq(netdissect_options *ndo, +- const union aodv *ap, const u_char *dat, u_int length) ++aodv_v6_draft_01_rreq(netdissect_options *ndo, const u_char *dat, u_int length) + #else +-aodv_v6_draft_01_rreq(netdissect_options *ndo, +- const union aodv *ap _U_, const u_char *dat _U_, +- u_int length) ++aodv_v6_draft_01_rreq(netdissect_options *ndo, const u_char *dat _U_, u_int length) + #endif + { + #ifdef INET6 + u_int i; ++ const struct aodv_rreq6_draft_01 *ap = (const struct aodv_rreq6_draft_01 *)dat; + +- if (ndo->ndo_snapend < dat) { +- ND_PRINT((ndo, " [|aodv]")); +- return; +- } +- i = min(length, (u_int)(ndo->ndo_snapend - dat)); +- if (i < sizeof(ap->rreq6_draft_01)) { +- ND_PRINT((ndo, " [|rreq6]")); +- return; +- } +- i -= sizeof(ap->rreq6_draft_01); ++ ND_TCHECK(*ap); ++ if (length < sizeof(*ap)) ++ goto trunc; + ND_PRINT((ndo, " rreq %u %s%s%s%s%shops %u id 0x%08lx\n" + "\tdst %s seq %lu src %s seq %lu", length, +- ap->rreq6_draft_01.rreq_type & RREQ_JOIN ? "[J]" : "", +- ap->rreq6_draft_01.rreq_type & RREQ_REPAIR ? "[R]" : "", +- ap->rreq6_draft_01.rreq_type & RREQ_GRAT ? "[G]" : "", +- ap->rreq6_draft_01.rreq_type & RREQ_DEST ? "[D]" : "", +- ap->rreq6_draft_01.rreq_type & RREQ_UNKNOWN ? 
"[U] " : " ", +- ap->rreq6_draft_01.rreq_hops, +- (unsigned long)EXTRACT_32BITS(&ap->rreq6_draft_01.rreq_id), +- ip6addr_string(ndo, &ap->rreq6_draft_01.rreq_da), +- (unsigned long)EXTRACT_32BITS(&ap->rreq6_draft_01.rreq_ds), +- ip6addr_string(ndo, &ap->rreq6_draft_01.rreq_oa), +- (unsigned long)EXTRACT_32BITS(&ap->rreq6_draft_01.rreq_os))); ++ ap->rreq_type & RREQ_JOIN ? "[J]" : "", ++ ap->rreq_type & RREQ_REPAIR ? "[R]" : "", ++ ap->rreq_type & RREQ_GRAT ? "[G]" : "", ++ ap->rreq_type & RREQ_DEST ? "[D]" : "", ++ ap->rreq_type & RREQ_UNKNOWN ? "[U] " : " ", ++ ap->rreq_hops, ++ (unsigned long)EXTRACT_32BITS(&ap->rreq_id), ++ ip6addr_string(ndo, &ap->rreq_da), ++ (unsigned long)EXTRACT_32BITS(&ap->rreq_ds), ++ ip6addr_string(ndo, &ap->rreq_oa), ++ (unsigned long)EXTRACT_32BITS(&ap->rreq_os))); ++ i = length - sizeof(*ap); + if (i >= sizeof(struct aodv_ext)) +- aodv_extension(ndo, (void *)(&ap->rreq6_draft_01 + 1), i); ++ aodv_extension(ndo, (const struct aodv_ext *)(dat + sizeof(*ap)), i); ++ return; ++ ++trunc: ++ ND_PRINT((ndo, " [|rreq")); + #else + ND_PRINT((ndo, " rreq %u", length)); + #endif +@@ -484,39 +446,35 @@ aodv_v6_draft_01_rreq(netdissect_options *ndo, + + static void + #ifdef INET6 +-aodv_v6_draft_01_rrep(netdissect_options *ndo, +- const union aodv *ap, const u_char *dat, u_int length) ++aodv_v6_draft_01_rrep(netdissect_options *ndo, const u_char *dat, u_int length) + #else +-aodv_v6_draft_01_rrep(netdissect_options *ndo, +- const union aodv *ap _U_, const u_char *dat _U_, +- u_int length) ++aodv_v6_draft_01_rrep(netdissect_options *ndo, const u_char *dat _U_, u_int length) + #endif + { + #ifdef INET6 + u_int i; ++ const struct aodv_rrep6_draft_01 *ap = (const struct aodv_rrep6_draft_01 *)dat; + +- if (ndo->ndo_snapend < dat) { +- ND_PRINT((ndo, " [|aodv]")); +- return; +- } +- i = min(length, (u_int)(ndo->ndo_snapend - dat)); +- if (i < sizeof(ap->rrep6_draft_01)) { +- ND_PRINT((ndo, " [|rrep6]")); +- return; +- } +- i -= 
sizeof(ap->rrep6_draft_01); ++ ND_TCHECK(*ap); ++ if (length < sizeof(*ap)) ++ goto trunc; + ND_PRINT((ndo, " rrep %u %s%sprefix %u hops %u\n" + "\tdst %s dseq %lu src %s %lu ms", length, +- ap->rrep6_draft_01.rrep_type & RREP_REPAIR ? "[R]" : "", +- ap->rrep6_draft_01.rrep_type & RREP_ACK ? "[A] " : " ", +- ap->rrep6_draft_01.rrep_ps & RREP_PREFIX_MASK, +- ap->rrep6_draft_01.rrep_hops, +- ip6addr_string(ndo, &ap->rrep6_draft_01.rrep_da), +- (unsigned long)EXTRACT_32BITS(&ap->rrep6_draft_01.rrep_ds), +- ip6addr_string(ndo, &ap->rrep6_draft_01.rrep_oa), +- (unsigned long)EXTRACT_32BITS(&ap->rrep6_draft_01.rrep_life))); ++ ap->rrep_type & RREP_REPAIR ? "[R]" : "", ++ ap->rrep_type & RREP_ACK ? "[A] " : " ", ++ ap->rrep_ps & RREP_PREFIX_MASK, ++ ap->rrep_hops, ++ ip6addr_string(ndo, &ap->rrep_da), ++ (unsigned long)EXTRACT_32BITS(&ap->rrep_ds), ++ ip6addr_string(ndo, &ap->rrep_oa), ++ (unsigned long)EXTRACT_32BITS(&ap->rrep_life))); ++ i = length - sizeof(*ap); + if (i >= sizeof(struct aodv_ext)) +- aodv_extension(ndo, (void *)(&ap->rrep6_draft_01 + 1), i); ++ aodv_extension(ndo, (const struct aodv_ext *)(dat + sizeof(*ap)), i); ++ return; ++ ++trunc: ++ ND_PRINT((ndo, " [|rreq")); + #else + ND_PRINT((ndo, " rrep %u", length)); + #endif +@@ -524,31 +482,37 @@ aodv_v6_draft_01_rrep(netdissect_options *ndo, + + static void + #ifdef INET6 +-aodv_v6_draft_01_rerr(netdissect_options *ndo, +- const union aodv *ap, u_int length) ++aodv_v6_draft_01_rerr(netdissect_options *ndo, const u_char *dat, u_int length) + #else +-aodv_v6_draft_01_rerr(netdissect_options *ndo, +- const union aodv *ap _U_, u_int length) ++aodv_v6_draft_01_rerr(netdissect_options *ndo, const u_char *dat _U_, u_int length) + #endif + { + #ifdef INET6 +- const struct rerr_unreach6_draft_01 *dp6 = NULL; +- int i, j, n, trunc; ++ u_int i, dc; ++ const struct aodv_rerr *ap = (const struct aodv_rerr *)dat; ++ const struct rerr_unreach6_draft_01 *dp6; + +- i = length - offsetof(struct aodv_rerr, r); +- j = 
sizeof(ap->rerr.r.dest6_draft_01[0]); +- dp6 = &ap->rerr.r.dest6_draft_01[0]; +- n = ap->rerr.rerr_dc * j; ++ ND_TCHECK(*ap); ++ if (length < sizeof(*ap)) ++ goto trunc; + ND_PRINT((ndo, " rerr %s [items %u] [%u]:", +- ap->rerr.rerr_flags & RERR_NODELETE ? "[D]" : "", +- ap->rerr.rerr_dc, length)); +- trunc = n - (i/j); +- for (; i -= j >= 0; ++dp6) { ++ ap->rerr_flags & RERR_NODELETE ? "[D]" : "", ++ ap->rerr_dc, length)); ++ dp6 = (struct rerr_unreach6_draft_01 *)(void *)(ap + 1); ++ i = length - sizeof(*ap); ++ for (dc = ap->rerr_dc; dc != 0; dc--) { ++ ND_TCHECK(*dp6); ++ if (i < sizeof(*dp6)) ++ goto trunc; + ND_PRINT((ndo, " {%s}(%ld)", ip6addr_string(ndo, &dp6->u_da), + (unsigned long)EXTRACT_32BITS(&dp6->u_ds))); ++ dp6++; ++ i -= sizeof(*dp6); + } +- if (trunc) +- ND_PRINT((ndo, "[|rerr]")); ++ return; ++ ++trunc: ++ ND_PRINT((ndo, "[|rerr]")); + #else + ND_PRINT((ndo, " rerr %u", length)); + #endif +@@ -558,40 +522,37 @@ void + aodv_print(netdissect_options *ndo, + const u_char *dat, u_int length, int is_ip6) + { +- const union aodv *ap; +- +- ap = (union aodv *)dat; +- if (ndo->ndo_snapend < dat) { +- ND_PRINT((ndo, " [|aodv]")); +- return; +- } +- if (min(length, (u_int)(ndo->ndo_snapend - dat)) < sizeof(ap->rrep_ack)) { +- ND_PRINT((ndo, " [|aodv]")); +- return; +- } ++ uint8_t msg_type; ++ ++ /* ++ * The message type is the first byte; make sure we have it ++ * and then fetch it. 
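Review bot: `dp6 = (struct rerr_unreach6_draft_01 *)(void *)(ap + 1);` drops the const qualifier that both `ap` and `dp6` are declared with; `dp6 = (const struct rerr_unreach6_draft_01 *)(const void *)(ap + 1);` keeps the packet buffer read-only through the cast. The context line that prints each entry uses `(%ld)` for an argument cast to `unsigned long`, so `%lu` would match it. The per-entry `ND_TCHECK(*dp6)` together with `if (i < sizeof(*dp6)) goto trunc;` bounds the loop by both captured and declared length, which is the right shape for a count (`rerr_dc`) read from the packet. The function's closing brace lies outside the hunk.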
++ */
++ ND_TCHECK(*dat);
++ msg_type = *dat;
+ ND_PRINT((ndo, " aodv"));
+
+- switch (ap->rerr.rerr_type) {
++ switch (msg_type) {
+
+ case AODV_RREQ:
+ if (is_ip6)
+- aodv_v6_rreq(ndo, ap, dat, length);
++ aodv_v6_rreq(ndo, dat, length);
+ else
+- aodv_rreq(ndo, ap, dat, length);
++ aodv_rreq(ndo, dat, length);
+ break;
+
+ case AODV_RREP:
+ if (is_ip6)
+- aodv_v6_rrep(ndo, ap, dat, length);
++ aodv_v6_rrep(ndo, dat, length);
+ else
+- aodv_rrep(ndo, ap, dat, length);
++ aodv_rrep(ndo, dat, length);
+ break;
+
+ case AODV_RERR:
+ if (is_ip6)
+- aodv_v6_rerr(ndo, ap, length);
++ aodv_v6_rerr(ndo, dat, length);
+ else
+- aodv_rerr(ndo, ap, dat, length);
++ aodv_rerr(ndo, dat, length);
+ break;
+
+ case AODV_RREP_ACK:
+@@ -599,15 +560,15 @@ aodv_print(netdissect_options *ndo,
+ break;
+
+ case AODV_V6_DRAFT_01_RREQ:
+- aodv_v6_draft_01_rreq(ndo, ap, dat, length);
++ aodv_v6_draft_01_rreq(ndo, dat, length);
+ break;
+
+ case AODV_V6_DRAFT_01_RREP:
+- aodv_v6_draft_01_rrep(ndo, ap, dat, length);
++ aodv_v6_draft_01_rrep(ndo, dat, length);
+ break;
+
+ case AODV_V6_DRAFT_01_RERR:
+- aodv_v6_draft_01_rerr(ndo, ap, length);
++ aodv_v6_draft_01_rerr(ndo, dat, length);
+ break;
+
+ case AODV_V6_DRAFT_01_RREP_ACK:
+@@ -615,6 +576,10 @@ aodv_print(netdissect_options *ndo,
+ break;
+
+ default:
+- ND_PRINT((ndo, " %u %u", ap->rreq.rreq_type, length));
++ ND_PRINT((ndo, " type %u %u", msg_type, length));
+ }
++ return;
++
++trunc:
++ ND_PRINT((ndo, " [|aodv]"));
+ }
diff --git a/net-analyzer/tcpdump/files/tcpdump-4.6.2-CVE-2014-9140.patch b/net-analyzer/tcpdump/files/tcpdump-4.6.2-CVE-2014-9140.patch
new file mode 100644
index 000000000000..b8fb4114c0d6
--- /dev/null
+++ b/net-analyzer/tcpdump/files/tcpdump-4.6.2-CVE-2014-9140.patch
@@ -0,0 +1,40 @@
+--- a/print-ppp.c
++++ b/print-ppp.c
+@@ -1351,14 +1351,15 @@ static void
+ ppp_hdlc(netdissect_options *ndo,
+ const u_char *p, int length)
+ {
+- u_char *b, *s, *t, c;
++ u_char *b, *t, c;
++ const u_char *s;
+ int i, proto;
+ const void *se;
+
+ if (length <= 0)
+ return;
+
+- b = (uint8_t *)malloc(length);
++ b = (u_char *)malloc(length);
+ if (b == NULL)
+ return;
+
+@@ -1367,14 +1368,13 @@ ppp_hdlc(netdissect_options *ndo,
+ * Do this so that we dont overwrite the original packet
+ * contents.
+ */
+- for (s = (u_char *)p, t = b, i = length; i > 0; i--) {
++ for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) {
+ c = *s++;
+ if (c == 0x7d) {
+- if (i > 1) {
+- i--;
+- c = *s++ ^ 0x20;
+- } else
+- continue;
++ if (i <= 1 || !ND_TTEST(*s))
++ break;
++ i--;
++ c = *s++ ^ 0x20;
+ }
+ *t++ = c;
+ }
diff --git a/net-analyzer/tcpdump/tcpdump-4.6.2-r1.ebuild b/net-analyzer/tcpdump/tcpdump-4.6.2-r1.ebuild
new file mode 100644
index 000000000000..c419b31369b8
--- /dev/null
+++ b/net-analyzer/tcpdump/tcpdump-4.6.2-r1.ebuild
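Review bot: The unescape loop in ppp_hdlc can now stop early, either at the first byte `ND_TTEST` rejects or at a trailing 0x7d, but `length` still holds the original frame size, so fewer than `length` bytes of `b` are initialised when that happens. The code after the loop is outside these hunks; it should size everything from `t - b` rather than `length` and mark the frame as truncated, otherwise uninitialised bytes of the `malloc(length)` buffer could end up being dissected. I would add a comment right after the loop, `/* only t - b bytes of b are valid from here on */`, and check that `b` is freed on every exit path. The `(u_char *)` cast on `malloc` is not needed in C.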
@@ -0,0 +1,97 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/tcpdump/tcpdump-4.6.2-r1.ebuild,v 1.1 2015/01/07 16:23:14 jer Exp $
+
+EAPI=5
+inherit eutils flag-o-matic toolchain-funcs user
+
+DESCRIPTION="A Tool for network monitoring and data acquisition"
+HOMEPAGE="http://www.tcpdump.org/"
+SRC_URI="http://www.tcpdump.org/release/${P}.tar.gz
+ http://www.jp.tcpdump.org/release/${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd ~x86-freebsd ~amd64-linux ~arm-linux ~x86-linux"
+IUSE="+drop-root smi ssl ipv6 samba suid test"
+
+RDEPEND="
+ drop-root? ( sys-libs/libcap-ng )
+ net-libs/libpcap
+ smi? ( net-libs/libsmi )
+ ssl? ( >=dev-libs/openssl-0.9.6m )
+"
+DEPEND="
+ ${RDEPEND}
+ drop-root? ( virtual/pkgconfig )
+ test? (
+ || ( app-arch/sharutils sys-freebsd/freebsd-ubin )
+ dev-lang/perl
+ )
+"
+
+pkg_setup() {
+ if use drop-root || use suid; then
+ enewgroup tcpdump
+ enewuser tcpdump -1 -1 -1 tcpdump
+ fi
+}
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}-CVE-2014-{8767,8768,8769,9140}.patch
+}
+
+src_configure() {
+ # tcpdump needs some optimization. see bug #108391
+ # but do not replace -Os
+ filter-flags -O[0-9]
+ has -O? ${CFLAGS} || append-cflags -O2
+
+ filter-flags -finline-functions
+
+ if use drop-root; then
+ append-cppflags -DHAVE_CAP_NG_H
+ export LIBS=$( $(tc-getPKG_CONFIG) --libs libcap-ng )
+ fi
+
+ econf \
+ $(use_enable ipv6) \
+ $(use_enable samba smb) \
+ $(use_with drop-root chroot '') \
+ $(use_with smi) \
+ $(use_with ssl crypto "${EPREFIX}/usr") \
+ $(usex drop-root "--with-user=tcpdump" "")
+}
+
+src_test() {
+ if [[ ${EUID} -ne 0 ]] || !
use drop-root; then
+ sed -i -e '/^\(espudp1\|eapon1\)/d;' tests/TESTLIST || die
+ emake check
+ else
+ ewarn "If you want to run the test suite, make sure you either"
+ ewarn "set FEATURES=userpriv or set USE=-drop-root"
+ fi
+}
+
+src_install() {
+ dosbin tcpdump
+ doman tcpdump.1
+ dodoc *.awk
+ dodoc CHANGES CREDITS README.md
+
+ if use suid; then
+ fowners root:tcpdump /usr/sbin/tcpdump
+ fperms 4110 /usr/sbin/tcpdump
+ fi
+}
+
+pkg_preinst() {
+ if use drop-root || use suid; then
+ enewgroup tcpdump
+ enewuser tcpdump -1 -1 -1 tcpdump
+ fi
+}
+
+pkg_postinst() {
+ use suid && elog "To let normal users run tcpdump add them into tcpdump group."
+}
|
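Review bot: With USE=suid, src_install makes the binary setuid root (`fperms 4110 /usr/sbin/tcpdump`), but `--with-user=tcpdump` and the libcap-ng dependency are only enabled under `drop-root`, and nothing in the ebuild ties the two flags together. For a packet dissector that this same commit patches for four memory-safety CVEs, a `suid -drop-root` build leaves the privilege drop entirely to whatever tcpdump does on its own, which is not visible here. I would add `REQUIRED_USE="suid? ( drop-root )"` after `IUSE`, or at least an `ewarn` in pkg_postinst for that combination. Both `SRC_URI` entries are plain http, so tarball integrity rests on the Manifest digests alone.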