slow: Add OSSP support #1363
slow: Add OSSP support #1363
Conversation
| ND_PRINT("\n\tOUI: %s (0x%06x)", | ||
| tok2str(oui_values, "Unknown", oui), | ||
| oui); | ||
| tlen -= 3; |
There was a problem hiding this comment.
As far as I can see, this line can cause an out-of-bounds read: neither slow_ossp_print() nor its caller ensure that here tlen >= 3. Please add a length check.
There was a problem hiding this comment.
In this context the GET_ macros guard the boundaries of the actually present (captured) data, and tlen is the declared data length. Please note:
- the
ND_ICHECK_U(len, <, 8);just before the data fetch in the first example, - the
if (subtlv_len >= 6)around the data fetch in the second example, and - the
if (len < length * NSH_HDR_WORD_SIZE)before the data fetch in the third example.
There was a problem hiding this comment.
I don't really understand how tlen could ever be less than the captured data (the other way around sure), and thus tlen < 3 not always first trigger the GET_BE_U_3 longjump. But I will assume you know better and submit to your judgement.
There was a problem hiding this comment.
I guess the reason is to have the correct message in the output, truncated packet (due to snaplen) vs invalid packet (simply too short).
There was a problem hiding this comment.
Correctness of reporting is one reason, and consistency of code style is another.
Yet another reason is safety: any "length" recorded in the captured data generally cannot be trusted. In this case tlen is not obviously off: the EtherType/length field of the Ethernet frame stands for EtherType so in ethertype_print() it seems likely that length >= caplen, especially when the frame is read from a file and the length values have been sanitized.
However, if you consider how many protocols encapsulate Ethernet frames now and how many more will do that in future, it is almost certain that an encoding exists that has its own idea of an encapsulated Ethernet frame length and will present, let's say, 1KB of "captured" data and a value of length that will cause tlen here to be, let's say, 1. Then after the subtraction tlen would underflow to a very large value and print_unknown_data() will be printing a memory dump until it trips a boundary of the process' virtual memory and causes a segmentation fault. This is why the other three cases in this file and most if not all other decoders check both lengths.
Add basic printing of "Organization Specific Slow Protocol" (OSSP), which is standardized in IEEE 802.3 Annex 57B. Since this is used for non-standardized protocols and thus carries mostly unknown-structured data, most of the packet is still printed verbatim.
corubba
force-pushed
the
feature/slow-ossp
branch
from
3d4edc8 to
0b37c57
Compare
|
Alright, this revision looks safe to me, maybe somebody else would like to have a look. Let me note that |
2 participants
Add basic printing of "Organization Specific Slow Protocol" (OSSP), which is standardized in IEEE 802.3 Annex 57B. Since this is used for non-standardized protocols and thus carries mostly unknown-structured data, most of the packet is still printed verbatim.
Also add the OUI of ITU-T that is used as part of its "Ethernet synchronization messaging channel" (ESMC) protocol, which is based on OSSP.