the-tcpdump-group / tcpdump

the TCPdump network dissector
https://www.tcpdump.org/

Print past end of IP hdr with malformed IP opt list #81

Closed guyharris closed 11 years ago

guyharris commented 11 years ago

Converted from SourceForge issue 1425743, submitted by jim_hoagland

Running the following command I happened to notice a bug when playing some weird traffic:

tcpdump -s 0 -n -X -v

Specifically, in this traffic, there is an IP option whose length indicator puts the end of the option past the end of the IP header.

The problem is that tcpdump has insufficient checks for this case and, at least for the LSRR and SSRR options running with -v, will access data past the end of the IP header when printing out the option details.

Here's an example (corresponds to a dump I will attach):

15:45:52.654455 10.76.76.3 > 10.76.76.2: icmp: echo request (DF) (ttl 64, id 0, len 80, optlen=12 NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP LSRR{0.62.20.34#75.0.0.176}[|ip])
0x0000  4800 0050 0000 4000 4001 0300 0a4c 4c03  H..P..@.@....LL.
0x0010  0a4c 4c02 0101 0101 0101 0101 0101 830b  .LL.............
0x0020  0800 3e14 224b 0000 b0df e743 84fb 0900  ..>."K.....C....
0x0030  0809 0a0b 0c0d 0e0f 1011 1213 1415 1617  ................
0x0040  1819 1a1b 1c1d 1e1f 2021 2223 2425 2627  ........ !"#$%&'

Notice that 0x83 corresponds to "LSRR" and 0x0b indicates a 12-byte option. However, 0x48 indicates that the header ends after 0x0b.
tcpdump keeps on going though, reading 0x08 as the pointer and the 8 following bytes as IP addresses.

That is with:

tcpdump -V

tcpdump version 3.8 libpcap version 0.8.3

I have mostly tested this on 3.7.2, but there doesn't seem to be a difference with 3.8. It wasn't practical for me to test this with 3.9.x.

Here are some more examples (minor variations on a theme) from 3.7.2:

15:31:10.792367 10.76.76.3 > 10.76.76.2: icmp: echo request (DF) (ttl 64, id 0, len 80, optlen=12 NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP SSRR{ [bad length 8] [bad ptr 0]45.254.242.73 0.0.62.220} EOL--8)
0x0000  4800 0050 0000 4000 4001 8482 0a4c 4c03  H..P..@.@....LL.
0x0010  0a4c 4c02 0101 0101 0101 0101 0101 0189  .LL.............
0x0020  0800 2dfe f249 0000 3edc e743 3416 0c00  ..-..I..>..C4...
0x0030  0809 0a0b 0c0d 0e0f 1011 1213 1415 1617  ................
0x0040  1819 1a1b 1c1d 1e1f 2021 2223 2425 2627  ........ !"#$%&'

15:32:39.112798 10.76.76.3 > 10.76.76.2: icmp: echo request (DF) (ttl 64, id 0, len 80, optlen=12 NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP SSRR{0.80.92.11#74.0.0.151}[|ip])
0x0000  4800 0050 0000 4000 4001 fcff 0a4c 4c03  H..P..@.@....LL.
0x0010  0a4c 4c02 0101 0101 0101 0101 0101 890b  .LL.............
0x0020  0800 505c 0b4a 0000 97dc e743 aab7 0100  ..P\.J.....C....
0x0030  0809 0a0b 0c0d 0e0f 1011 1213 1415 1617  ................
0x0040  1819 1a1b 1c1d 1e1f 2021 2223 2425 2627  ........ !"#$%&'

15:38:28.039109 10.76.76.3 > 10.76.76.2: icmp: echo request (DF) (ttl 64, id 0, len 80, optlen=12 NOP NOP NOP NOP NOP NOP NOP NOP NOP SSRR{8.0.217.122#78.74.0.0}[|ip])
0x0000  4800 0050 0000 4000 4001 7a7b 0a4c 4c03  H..P..@.@.z{.LL.
0x0010  0a4c 4c02 0101 0101 0101 0101 0189 0b08  .LL.............
0x0020  0800 d97a 4e4a 0000 f4dd e743 8297 0000  ...zNJ.....C....
0x0030  0809 0a0b 0c0d 0e0f 1011 1213 1415 1617  ................
0x0040  1819 1a1b 1c1d 1e1f 2021 2223 2425 2627  ........ !"#$%&'

15:39:21.372254 10.76.76.3 > 10.76.76.2: icmp: echo request (DF) (ttl 64, id 0, len 80, optlen=12 NOP NOP NOP NOP NOP NOP NOP NOP SSRR{10.8.0.243#100.103.74.0} EOL--8)
0x0000  4800 0050 0000 4000 4001 f5f6 0a4c 4c03  H..P..@.@....LL.
0x0010  0a4c 4c02 0101 0101 0101 0101 890b 080a  .LL.............
0x0020  0800 f364 674a 0000 29de e743 15ad 0500  ...dgJ..)..C....
0x0030  0809 0a0b 0c0d 0e0f 1011 1213 1415 1617  ................
0x0040  1819 1a1b 1c1d 1e1f 2021 2223 2425 2627  ........ !"#$%&'

15:39:58.348355 10.76.76.3 > 10.76.76.2: icmp: echo request (DF) (ttl 64, id 0, len 80, optlen=12 NOP NOP NOP NOP NOP NOP NOP SSRR {10.0.8.0#30.194.128.74} EOL--7)
0x0000  4800 0050 0000 4000 4001 717c 0a4c 4c03  H..P..@.@.q|.LL.
0x0010  0a4c 4c02 0101 0101 0101 0189 0b08 0a00  .LL.............
0x0020  0800 1ec2 804a 0000 4ede e743 ac4f 0500  .....J..N..C.O..
0x0030  0809 0a0b 0c0d 0e0f 1011 1213 1415 1617  ................
0x0040  1819 1a1b 1c1d 1e1f 2021 2223 2425 2627  ........ !"#$%&'

15:40:58.869089 10.76.76.3 > 10.76.76.2: icmp: echo request (DF) (ttl 64, id 0, len 80, optlen=12 NOP NOP NOP NOP NOP NOP SSRR {10.0.0.8#0.190.207.158}[|ip op len 0])
0x0000  4800 0050 0000 4000 4001 f6f7 0a4c 4c03  H..P..@.@....LL.
0x0010  0a4c 4c02 0101 0101 0101 890b 080a 0000  .LL.............
0x0020  0800 becf 9e4a 0000 8ade e743 aa41 0d00  .....J.....C.A..
0x0030  0809 0a0b 0c0d 0e0f 1011 1213 1415 1617  ................
0x0040  1819 1a1b 1c1d 1e1f 2021 2223 2425 2627  ........ !"#$%&'

15:44:22.063557 10.76.76.3 > 10.76.76.2: icmp: echo request (DF) (ttl 64, id 0, len 80, optlen=12 NOP NOP NOP NOP NOP SSRR {10.0.0.1#8.0.34.25}[|ip])
0x0000  4800 0050 0000 4000 4001 727c 0a4c 4c03  H..P..@.@.r|.LL.
0x0010  0a4c 4c02 0101 0101 0189 0b08 0a00 0001  .LL.............
0x0020  0800 2219 044b 0000 56df e743 21f7 0000  .."..K..V..C!...
0x0030  0809 0a0b 0c0d 0e0f 1011 1213 1415 1617  ................
0x0040  1819 1a1b 1c1d 1e1f 2021 2223 2425 2627  ........ !"#$%&'

15:43:37.333628 10.76.76.3 > 10.76.76.2: icmp: echo request (DF) (ttl 64, id 0, len 80, optlen=12 NOP NOP NOP NOP SSRR {10.0.0.1#10.8.0.102}[|ip])
0x0000  4800 0050 0000 4000 4001 f6ee 0a4c 4c03  H..P..@.@....LL.
0x0010  0a4c 4c02 0101 0101 890b 080a 0000 010a  .LL.............
0x0020  0800 66fa eb4a 0000 29df e743 1e16 0500  ..f..J..)..C....
0x0030  0809 0a0b 0c0d 0e0f 1011 1213 1415 1617  ................
0x0040  1819 1a1b 1c1d 1e1f 2021 2223 2425 2627  ........ !"#$%&'

15:43:12.477550 10.76.76.3 > 10.76.76.2: icmp: echo request (DF) (ttl 64, id 0, len 80, optlen=12 NOP NOP NOP SSRR{10.0.0.1#10.0.8.0} [|ip])
0x0000  4800 0050 0000 4000 4001 697d 0a4c 4c03  H..P..@.@.i}.LL.
0x0010  0a4c 4c02 0101 0189 0b08 0a00 0001 0a00  .LL.............
0x0020  0800 3fc8 d24a 0000 10df e743 7548 0700  ..?..J.....CuH..
0x0030  0809 0a0b 0c0d 0e0f 1011 1213 1415 1617  ................
0x0040  1819 1a1b 1c1d 1e1f 2021 2223 2425 2627  ........ !"#$%&'

15:42:08.796923 10.76.76.3 > 10.76.76.2: icmp: echo request (DF) (ttl 64, id 0, len 80, optlen=12 NOP NOP SSRR{10.0.0.1#10.0.0.8} EOL--2)
0x0000  4800 0050 0000 4000 4001 f7ef 0a4c 4c03  H..P..@.@....LL.
0x0010  0a4c 4c02 0101 890b 080a 0000 010a 0000  .LL.............
0x0020  0800 f6e8 b94a 0000 d0de e743 1228 0c00  .....J.....C.(..
0x0030  0809 0a0b 0c0d 0e0f 1011 1213 1415 1617  ................
0x0040  1819 1a1b 1c1d 1e1f 2021 2223 2425 2627  ........ !"#$%&'

uname -a

Linux xxxx.xxx.xxx 2.4.21-32.0.1.ELsmp #1 SMP Tue May 17 17:52:23 EDT

more /etc/redhat-release

Red Hat Enterprise Linux ES release 3 (Taroon Update 4)

which tcpdump

/usr/sbin/tcpdump

rpm -qif /usr/sbin/tcpdump

Name        : tcpdump                           Relocations: /usr
Version     : 3.7.2                                  Vendor: Red Hat, Inc.
Release     : 7.E3.2                             Build Date: Wed 12 May 2004 04:15:48 AM PDT
Install Date: Thu 26 May 2005 11:56:31 AM PDT    Build Host: tweety.build.redhat.com
Group       : Applications/Internet              Source RPM: tcpdump-3.7.2-7.E3.2.src.rpm
Size        : 612862                                License: BSD
Signature   : DSA/SHA1, Thu 20 May 2004 10:31:57 AM PDT, Key ID 219180cddb42a60e
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.tcpdump.org

Thank you.
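The check the report describes as missing, shown as an added example; this is not code from tcpdump or from the report, and the struct and function names (parse_ip_options, parse_sample, sample_addr) are this example's own. It walks the IPv4 option list and bounds every option by the header length IHL*4, so an option whose length byte reaches past the header is flagged instead of being dissected. The input is the 80-byte packet from the first dump above, copied byte for byte into the array. Run with bound_by_ihl clear, the same walker bounds options only by the captured length, which reproduces the misread reported: with an 11-byte LSRR at offset 30 of a 32-byte header it takes 0x08 from the ICMP payload as the pointer and decodes 0.62.20.34#75.0.0.176 from the bytes after it, just as the tcpdump output shows.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { IPOPT_EOL = 0x00, IPOPT_NOP = 0x01, IPOPT_LSRR = 0x83, IPOPT_SSRR = 0x89 };

/* Constructed input: the 80 bytes of the first packet in the report, copied from its
 * hex dump. IHL is 8 (32-byte header); the option area holds ten NOPs followed by
 * 0x83 0x0b, an LSRR whose 11-byte length runs 9 bytes past the end of the header. */
static const uint8_t sample_packet[80] = {
    0x48,0x00,0x00,0x50, 0x00,0x00,0x40,0x00, 0x40,0x01,0x03,0x00, 0x0a,0x4c,0x4c,0x03,
    0x0a,0x4c,0x4c,0x02, 0x01,0x01,0x01,0x01, 0x01,0x01,0x01,0x01, 0x01,0x01,0x83,0x0b,
    0x08,0x00,0x3e,0x14, 0x22,0x4b,0x00,0x00, 0xb0,0xdf,0xe7,0x43, 0x84,0xfb,0x09,0x00,
    0x08,0x09,0x0a,0x0b, 0x0c,0x0d,0x0e,0x0f, 0x10,0x11,0x12,0x13, 0x14,0x15,0x16,0x17,
    0x18,0x19,0x1a,0x1b, 0x1c,0x1d,0x1e,0x1f, 0x20,0x21,0x22,0x23, 0x24,0x25,0x26,0x27,
};

struct ipopt_result {
    int nops;                          /* NOPs seen before the parser stopped */
    int route_opt;                     /* IPOPT_LSRR or IPOPT_SSRR, 0 if none was parsed */
    int route_len, route_ptr, naddrs;  /* length byte, pointer byte, addresses carried */
    uint32_t addrs[63];                /* host order; (255 - 3) / 4 is the most a length byte can claim */
    int bad_length;                    /* an option length ran past the bound */
};

/* Walk the IPv4 option list. With bound_by_ihl set, every option must fit inside the
 * header as declared by IHL, which is the check the report says was missing. When it is
 * clear, only the captured length bounds the read, which reproduces the misparse in the
 * report without reading outside the buffer. Returns 0 on a clean parse, -1 otherwise. */
static int parse_ip_options(const uint8_t *pkt, size_t caplen, int bound_by_ihl,
                            struct ipopt_result *r)
{
    memset(r, 0, sizeof *r);
    if (caplen < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > caplen) return -1;
    size_t limit = bound_by_ihl ? hlen : caplen;
    for (size_t off = 20; off < hlen; ) {
        uint8_t type = pkt[off];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) { r->nops++; off++; continue; }
        /* Every other option carries a length byte, and the whole option must fit. */
        if (off + 2 > limit || pkt[off + 1] < 2 || off + pkt[off + 1] > limit) {
            r->bad_length = 1;
            return -1;
        }
        size_t len = pkt[off + 1];
        if (type == IPOPT_LSRR || type == IPOPT_SSRR) {
            if (len < 3) { r->bad_length = 1; return -1; }  /* type, len, ptr are mandatory */
            r->route_opt = type;
            r->route_len = (int)len;
            r->route_ptr = pkt[off + 2];
            r->naddrs = (int)((len - 3) / 4);
            for (int i = 0; i < r->naddrs; i++) {
                const uint8_t *a = pkt + off + 3 + 4 * (size_t)i;
                r->addrs[i] = ((uint32_t)a[0] << 24) | ((uint32_t)a[1] << 16) | ((uint32_t)a[2] << 8) | a[3];
            }
        }
        off += len;
    }
    return 0;
}

/* Helpers over the constructed packet so each field can be checked by name. */
static struct ipopt_result parse_sample(int bound_by_ihl)
{
    struct ipopt_result r;
    parse_ip_options(sample_packet, sizeof sample_packet, bound_by_ihl, &r);
    return r;
}

static uint32_t sample_addr(int bound_by_ihl, int i)
{
    struct ipopt_result r = parse_sample(bound_by_ihl);
    return (i >= 0 && i < r.naddrs) ? r.addrs[i] : 0;
}

int main(void)
{
    for (int bound_by_ihl = 0; bound_by_ihl < 2; bound_by_ihl++) {
        struct ipopt_result r = parse_sample(bound_by_ihl);
        printf("%s nops=%d bad_length=%d", bound_by_ihl ? "IHL-bounded:   " : "caplen-bounded:",
               r.nops, r.bad_length);
        if (r.route_opt) {
            printf(" %s{len %d ptr %d", r.route_opt == IPOPT_LSRR ? "LSRR" : "SSRR",
                   r.route_len, r.route_ptr);
            for (int i = 0; i < r.naddrs; i++)
                printf("%s%u.%u.%u.%u", i ? "#" : " ", r.addrs[i] >> 24, (r.addrs[i] >> 16) & 0xff,
                       (r.addrs[i] >> 8) & 0xff, r.addrs[i] & 0xff);
            printf("}");
        }
        printf("\n");
    }
    return 0;
}
```

The caplen-bounded run prints the ten NOPs and then LSRR{len 11 ptr 8 0.62.20.34#75.0.0.176}, the same route tcpdump printed from the ICMP payload; the IHL-bounded run counts the same ten NOPs, sets bad_length at the LSRR and never reads its pointer or addresses. The "-s 0" in the reporter's command is what made the payload bytes available to be misread as option data; with a short snaplen the same packet would have pushed the read past the captured buffer instead.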

guyharris commented 11 years ago

Submitted by guy_harris

I've checked a fix into the main and x.9 branches.