QUIC: Fix a pointer overflow with 32-bit executable

fxlb · fxlb · commit 91977d2d584d · 2023-08-12T20:54:58.000+02:00
When decoding an IPv6 Jumbo frame, the lenght of the payload may be huge
(e.g. 201311154). This gives a huge length to udp_print() and then
to quic_print() (e.g. 201311130). With 32-bit executable, addding the
length to the pointer can overflow, like:

print-quic.c:277:26: runtime error: pointer index expression with base
0xf42032c0 overflowed to 0x001ff65a

Use ND_BYTES_AVAILABLE_AFTER() to assign the 'end' pointer.

quic_print(): Remove the parameter 'len' no longer used.

Add a test file.

Update the output of a test accordingly (packet 10 not truncated).
diff --git a/netdissect.h b/netdissect.h
@@ -724,7 +724,7 @@ extern void ptp_print(netdissect_options *, const u_char *, u_int);
 extern const char *q922_string(netdissect_options *, const u_char *, u_int);
 extern void q933_print(netdissect_options *, const u_char *, u_int);
 extern int quic_detect(netdissect_options *, const u_char *, const u_int);
-extern void quic_print(netdissect_options *, const u_char *, const u_int);
+extern void quic_print(netdissect_options *, const u_char *);
 extern void radius_print(netdissect_options *, const u_char *, u_int);
 extern void resp_print(netdissect_options *, const u_char *, u_int);
 extern void rip_print(netdissect_options *, const u_char *, u_int);
diff --git a/print-quic.c b/print-quic.c
@@ -272,9 +272,9 @@ quic_print_packet(netdissect_options *ndo, const u_char *bp, const u_char *end)
 }
 
 void
-quic_print(netdissect_options *ndo, const u_char *bp, const u_int len)
+quic_print(netdissect_options *ndo, const u_char *bp)
 {
-	const uint8_t *end = bp + len;
+	const uint8_t *end = bp + ND_BYTES_AVAILABLE_AFTER(bp);
 
 	ndo->ndo_protocol = "quic";
 	nd_print_protocol(ndo);
diff --git a/print-udp.c b/print-udp.c
@@ -464,7 +464,7 @@ udp_print(netdissect_options *ndo, const u_char *bp, u_int length,
 			domain_print(ndo, cp, length, FALSE, FALSE);
 			break;
 		case PT_QUIC:
-			quic_print(ndo, cp, length);
+			quic_print(ndo, cp);
 			break;
 		}
 		return;
@@ -674,7 +674,7 @@ udp_print(netdissect_options *ndo, const u_char *bp, u_int length,
 			someip_print(ndo, cp, length);
 		else if (IS_SRC_OR_DST_PORT(HTTPS_PORT) &&
 			 quic_detect(ndo, cp, length))
-			quic_print(ndo, cp, length);
+			quic_print(ndo, cp);
 		else if (sport == BCM_LI_PORT)
 			bcm_li_print(ndo, cp, length);
 		else {
diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -907,6 +907,7 @@ quic_handshake			quic_handshake.pcap		quic_handshake.out	-v
 quic_handshake_truncated	quic_handshake_truncated.pcap	quic_handshake_truncated.out	-v
 quic_retry			quic_retry.pcap			quic_retry.out	-v
 gquic				gquic.pcap			gquic.out	-v
+quic_32_bit_pointer_overflow quic_32_bit_pointer_overflow.pcap quic_32_bit_pointer_overflow.out
 
 # GRE keepalives, CDP over GRE
 various_gre			various_gre.pcap		various_gre.out	-v
diff --git a/tests/quic_32_bit_pointer_overflow.out b/tests/quic_32_bit_pointer_overflow.out
@@ -0,0 +1 @@
+    1  14:32:46.453540455 IP6 ::8:46:ee:102:202:202 > 202:200:0:fe7e:b65f:677a:82b:601: HBH truncated-ip6 - 201252743 bytes missing!0 > 443: quic, initial, vb2a10200, dcid 00000100, length 1 [|quic]
diff --git a/tests/quic_32_bit_pointer_overflow.pcap b/tests/quic_32_bit_pointer_overflow.pcap
diff --git a/tests/quic_handshake_truncated.out b/tests/quic_handshake_truncated.out
@@ -7,7 +7,7 @@
     7  19:57:02.485464 IP6 (class 0x02, flowlabel 0x70e00, hlim 64, next-header UDP (17) payload length: 81) ::1.65165 > ::1.443: [bad udp cksum 0x0064 -> 0x9855!] quic, handshake, dcid beb256567ee5698c, length 56
     8  19:57:02.485711 IP6 (class 0x02, flowlabel 0x50700, hlim 64, next-header UDP (17) payload length: 50) ::1.443 > ::1.65165: [bad udp cksum 0x0045 -> 0xca20!] quic, handshake, scid beb256567ee5698c, length 25
     9  19:57:02.485809 IP6 (class 0x02, flowlabel 0x50700, hlim 64, next-header UDP (17) payload length: 29) ::1.443 > ::1.65165: [bad udp cksum 0x0030 -> 0x4f93!] quic, protected
-   10  19:57:02.486075 IP6 (class 0x02, flowlabel 0x50700, hlim 64, next-header UDP (17) payload length: 250) ::1.443 > ::1.65165: quic, protected [|quic]
+   10  19:57:02.486075 IP6 (class 0x02, flowlabel 0x50700, hlim 64, next-header UDP (17) payload length: 250) ::1.443 > ::1.65165: quic, protected
    11  19:57:02.486726 IP6 (class 0x02, flowlabel 0x70e00, hlim 64, next-header UDP (17) payload length: 39) ::1.65165 > ::1.443: [bad udp cksum 0x003a -> 0x38d3!] quic, protected, dcid beb256567ee5698c
    12  19:57:02.487067 IP6 (class 0x02, flowlabel 0x70e00, hlim 64, next-header UDP (17) payload length: 37) ::1.65165 > ::1.443: [bad udp cksum 0x0038 -> 0x3993!] quic, protected, dcid beb256567ee5698c
    13  19:57:02.487144 IP6 (class 0x02, flowlabel 0x70e00, hlim 64, next-header UDP (17) payload length: 37) ::1.65165 > ::1.443: [bad udp cksum 0x0038 -> 0x7ae0!] quic, protected, dcid beb256567ee5698c

Original file line number	Diff line number	Diff line change
`@@ -272,9 +272,9 @@ quic_print_packet(netdissect_options ndo, const u_char bp, const u_char *end)`
`272`	`272`	`}`
`273`	`273`
`274`	`274`	`void`
`275`		`-quic_print(netdissect_options ndo, const u_char bp, const u_int len)`
	`275`	`+quic_print(netdissect_options ndo, const u_char bp)`
`276`	`276`	`{`
`277`		`- const uint8_t *end = bp + len;`
	`277`	`+ const uint8_t *end = bp + ND_BYTES_AVAILABLE_AFTER(bp);`
`278`	`278`
`279`	`279`	`ndo->ndo_protocol = "quic";`
`280`	`280`	`nd_print_protocol(ndo);`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ 1 14:32:46.453540455 IP6 ::8:46:ee:102:202:202 > 202:200:0:fe7e:b65f:677a:82b:601: HBH truncated-ip6 - 201252743 bytes missing!0 > 443: quic, initial, vb2a10200, dcid 00000100, length 1 [\|quic]`