From e302ff0e4a6bde6915bee1c89373aa14c823dd60 Mon Sep 17 00:00:00 2001

From: Guy Harris <guy@alum.mit.edu>

Date: Tue, 11 Nov 2014 19:05:48 -0800

Subject: [PATCH 2/4] Further cleanups.

Use ND_TCHECK() rather than home-brew bounds checks.  Do simpler length

checks.

Let i be the length of the actual remaining packet data; use ND_TCHECK()

inside loops that iterate over the remaining data.

Let the printers for particular message types cast the raw data pointer

to a pointer of the appropriate type, rather than passing two pointers,

with different types, to the same data.

---

 print-aodv.c | 277 +++++++++++++++++++++++++++--------------------------------

 1 file changed, 126 insertions(+), 151 deletions(-)

diff --git a/print-aodv.c b/print-aodv.c

index da26473..2649936 100644

--- a/print-aodv.c

+++ b/print-aodv.c

@@ -184,22 +184,14 @@ static void

 aodv_extension(netdissect_options *ndo,

                const struct aodv_ext *ep, u_int length)

 {

-	u_int i;

 	const struct aodv_hello *ah;

 	switch (ep->type) {

 	case AODV_EXT_HELLO:

-		if (ndo->ndo_snapend < (u_char *) ep) {

-			ND_PRINT((ndo, " [|hello]"));

-			return;

-		}

-		i = min(length, (u_int)(ndo->ndo_snapend - (u_char *)ep));

-		if (i < sizeof(struct aodv_hello)) {

-			ND_PRINT((ndo, " [|hello]"));

-			return;

-		}

-		i -= sizeof(struct aodv_hello);

-		ah = (void *)ep;

+		ah = (const struct aodv_hello *)(const void *)ep;

+		ND_TCHECK(*ah);

+		if (length < sizeof(struct aodv_hello))

+			goto trunc;

 		ND_PRINT((ndo, "\n\text HELLO %ld ms",

 		    (unsigned long)EXTRACT_32BITS(&ah->interval)));

 		break;

@@ -208,24 +200,21 @@ aodv_extension(netdissect_options *ndo,

 		ND_PRINT((ndo, "\n\text %u %u", ep->type, ep->length));

 		break;

 	}

+	return;

+

+trunc:

+	ND_PRINT((ndo, " [|hello]"));

 }

 static void

-aodv_rreq(netdissect_options *ndo,

-          const struct aodv_rreq *ap, const u_char *dat, u_int length)

+aodv_rreq(netdissect_options *ndo, const u_char *dat, u_int length)

 {

 	u_int i;

+	const struct aodv_rreq *ap = (const struct aodv_rreq *)dat;

-	if (ndo->ndo_snapend < dat) {

-		ND_PRINT((ndo, " [|aodv]"));

-		return;

-	}

-	i = min(length, (u_int)(ndo->ndo_snapend - dat));

-	if (i < sizeof(*ap)) {

-		ND_PRINT((ndo, " [|rreq]"));

-		return;

-	}

-	i -= sizeof(*ap);

+	ND_TCHECK(*ap);

+	if (length < sizeof(*ap))

+		goto trunc;

 	ND_PRINT((ndo, " rreq %u %s%s%s%s%shops %u id 0x%08lx\n"

 	    "\tdst %s seq %lu src %s seq %lu", length,

 	    ap->rreq_type & RREQ_JOIN ? "[J]" : "",

@@ -239,26 +228,24 @@ aodv_rreq(netdissect_options *ndo,

 	    (unsigned long)EXTRACT_32BITS(&ap->rreq_ds),

 	    ipaddr_string(ndo, &ap->rreq_oa),

 	    (unsigned long)EXTRACT_32BITS(&ap->rreq_os)));

+	i = length - sizeof(*ap);

 	if (i >= sizeof(struct aodv_ext))

-		aodv_extension(ndo, (void *)(ap + 1), i);

+		aodv_extension(ndo, (const struct aodv_ext *)(dat + sizeof(*ap)), i);

+	return;

+

+trunc:

+	ND_PRINT((ndo, " [|rreq"));

 }

 static void

-aodv_rrep(netdissect_options *ndo,

-          const struct aodv_rrep *ap, const u_char *dat, u_int length)

+aodv_rrep(netdissect_options *ndo, const u_char *dat, u_int length)

 {

 	u_int i;

+	const struct aodv_rrep *ap = (const struct aodv_rrep *)dat;

-	if (ndo->ndo_snapend < dat) {

-		ND_PRINT((ndo, " [|aodv]"));

-		return;

-	}

-	i = min(length, (u_int)(ndo->ndo_snapend - dat));

-	if (i < sizeof(*ap)) {

-		ND_PRINT((ndo, " [|rrep]"));

-		return;

-	}

-	i -= sizeof(*ap);

+	ND_TCHECK(*ap);

+	if (length < sizeof(*ap))

+		goto trunc;

 	ND_PRINT((ndo, " rrep %u %s%sprefix %u hops %u\n"

 	    "\tdst %s dseq %lu src %s %lu ms", length,

 	    ap->rrep_type & RREP_REPAIR ? "[R]" : "",

@@ -269,62 +256,58 @@ aodv_rrep(netdissect_options *ndo,

 	    (unsigned long)EXTRACT_32BITS(&ap->rrep_ds),

 	    ipaddr_string(ndo, &ap->rrep_oa),

 	    (unsigned long)EXTRACT_32BITS(&ap->rrep_life)));

+	i = length - sizeof(*ap);

 	if (i >= sizeof(struct aodv_ext))

-		aodv_extension(ndo, (void *)(ap + 1), i);

+		aodv_extension(ndo, (const struct aodv_ext *)(dat + sizeof(*ap)), i);

+	return;

+

+trunc:

+	ND_PRINT((ndo, " [|rreq"));

 }

 static void

-aodv_rerr(netdissect_options *ndo,

-          const struct aodv_rerr *ap, const u_char *dat, u_int length)

+aodv_rerr(netdissect_options *ndo, const u_char *dat, u_int length)

 {

 	u_int i, dc;

+	const struct aodv_rerr *ap = (const struct aodv_rerr *)dat;

 	const struct rerr_unreach *dp;

-	if (ndo->ndo_snapend < dat) {

-		ND_PRINT((ndo, " [|aodv]"));

-		return;

-	}

-	i = min(length, (u_int)(ndo->ndo_snapend - dat));

-	if (i < sizeof(*ap)) {

-		ND_PRINT((ndo, " [|rerr]"));

-		return;

-	}

-	i -= sizeof(*ap);

+	ND_TCHECK(*ap);

+	if (length < sizeof(*ap))

+		goto trunc;

 	ND_PRINT((ndo, " rerr %s [items %u] [%u]:",

 	    ap->rerr_flags & RERR_NODELETE ? "[D]" : "",

 	    ap->rerr_dc, length));

-	dp = (struct rerr_unreach *)(void *)(ap + 1);

+	dp = (struct rerr_unreach *)(dat + sizeof(*ap));

+	i = length - sizeof(*ap);

 	for (dc = ap->rerr_dc; dc != 0 && i >= sizeof(*dp);

 	    ++dp, --dc, i -= sizeof(*dp)) {

+		ND_TCHECK(*dp);

 		ND_PRINT((ndo, " {%s}(%ld)", ipaddr_string(ndo, &dp->u_da),

 		    (unsigned long)EXTRACT_32BITS(&dp->u_ds)));

 	}

 	if ((i % sizeof(*dp)) != 0)

-		ND_PRINT((ndo, "[|rerr]"));

+		goto trunc;

+	return;

+

+trunc:

+	ND_PRINT((ndo, "[|rerr]"));

 }

 static void

 #ifdef INET6

-aodv_v6_rreq(netdissect_options *ndo,

-             const struct aodv_rreq6 *ap, const u_char *dat, u_int length)

+aodv_v6_rreq(netdissect_options *ndo, const u_char *dat, u_int length)

 #else

-aodv_v6_rreq(netdissect_options *ndo,

-             const struct aodv_rreq6 *ap _U_, const u_char *dat _U_, u_int length)

+aodv_v6_rreq(netdissect_options *ndo, const u_char *dat _U_, u_int length)

 #endif

 {

 #ifdef INET6

 	u_int i;

+	const struct aodv_rreq6 *ap = (const struct aodv_rreq6 *)dat;

-	if (ndo->ndo_snapend < dat) {

-		ND_PRINT((ndo, " [|aodv]"));

-		return;

-	}

-	i = min(length, (u_int)(ndo->ndo_snapend - dat));

-	if (i < sizeof(*ap)) {

-		ND_PRINT((ndo, " [|rreq6]"));

-		return;

-	}

-	i -= sizeof(*ap);

+	ND_TCHECK(*ap);

+	if (length < sizeof(*ap))

+		goto trunc;

 	ND_PRINT((ndo, " v6 rreq %u %s%s%s%s%shops %u id 0x%08lx\n"

 	    "\tdst %s seq %lu src %s seq %lu", length,

 	    ap->rreq_type & RREQ_JOIN ? "[J]" : "",

@@ -338,8 +321,13 @@ aodv_v6_rreq(netdissect_options *ndo,

 	    (unsigned long)EXTRACT_32BITS(&ap->rreq_ds),

 	    ip6addr_string(ndo, &ap->rreq_oa),

 	    (unsigned long)EXTRACT_32BITS(&ap->rreq_os)));

+	i = length - sizeof(*ap);

 	if (i >= sizeof(struct aodv_ext))

-		aodv_extension(ndo, (void *)(ap + 1), i);

+		aodv_extension(ndo, (const struct aodv_ext *)(dat + sizeof(*ap)), i);

+	return;

+

+trunc:

+	ND_PRINT((ndo, " [|rreq"));

 #else

 	ND_PRINT((ndo, " v6 rreq %u", length));

 #endif

@@ -347,26 +335,18 @@ aodv_v6_rreq(netdissect_options *ndo,

 static void

 #ifdef INET6

-aodv_v6_rrep(netdissect_options *ndo,

-             const struct aodv_rrep6 *ap, const u_char *dat, u_int length)

+aodv_v6_rrep(netdissect_options *ndo, const u_char *dat, u_int length)

 #else

-aodv_v6_rrep(netdissect_options *ndo,

-             const struct aodv_rrep6 *ap _U_, const u_char *dat _U_, u_int length)

+aodv_v6_rrep(netdissect_options *ndo, const u_char *dat _U_, u_int length)

 #endif

 {

 #ifdef INET6

 	u_int i;

+	const struct aodv_rrep6 *ap = (const struct aodv_rrep6 *)dat;

-	if (ndo->ndo_snapend < dat) {

-		ND_PRINT((ndo, " [|aodv]"));

-		return;

-	}

-	i = min(length, (u_int)(ndo->ndo_snapend - dat));

-	if (i < sizeof(*ap)) {

-		ND_PRINT((ndo, " [|rrep6]"));

-		return;

-	}

-	i -= sizeof(*ap);

+	ND_TCHECK(*ap);

+	if (length < sizeof(*ap))

+		goto trunc;

 	ND_PRINT((ndo, " rrep %u %s%sprefix %u hops %u\n"

 	   "\tdst %s dseq %lu src %s %lu ms", length,

 	    ap->rrep_type & RREP_REPAIR ? "[R]" : "",

@@ -377,8 +357,13 @@ aodv_v6_rrep(netdissect_options *ndo,

 	    (unsigned long)EXTRACT_32BITS(&ap->rrep_ds),

 	    ip6addr_string(ndo, &ap->rrep_oa),

 	    (unsigned long)EXTRACT_32BITS(&ap->rrep_life)));

+	i = length - sizeof(*ap);

 	if (i >= sizeof(struct aodv_ext))

-		aodv_extension(ndo, (void *)(ap + 1), i);

+		aodv_extension(ndo, (const struct aodv_ext *)(dat + sizeof(*ap)), i);

+	return;

+

+trunc:

+	ND_PRINT((ndo, " [|rreq"));

 #else

 	ND_PRINT((ndo, " rrep %u", length));

 #endif

@@ -386,38 +371,36 @@ aodv_v6_rrep(netdissect_options *ndo,

 static void

 #ifdef INET6

-aodv_v6_rerr(netdissect_options *ndo,

-             const struct aodv_rerr *ap, const u_char *dat, u_int length)

+aodv_v6_rerr(netdissect_options *ndo, const u_char *dat, u_int length)

 #else

-aodv_v6_rerr(netdissect_options *ndo,

-             const struct aodv_rerr *ap _U_, const u_char *dat, u_int length)

+aodv_v6_rerr(netdissect_options *ndo, const u_char *dat _U_, u_int length)

 #endif

 {

 #ifdef INET6

 	u_int i, dc;

+	const struct aodv_rerr *ap = (const struct aodv_rerr *)dat;

 	const struct rerr_unreach6 *dp6;

-	if (ndo->ndo_snapend < dat) {

-		ND_PRINT((ndo, " [|aodv]"));

-		return;

-	}

-	i = min(length, (u_int)(ndo->ndo_snapend - dat));

-        if (i < sizeof(*ap)) {

-		ND_PRINT((ndo, " [|rerr]"));

-		return;

-	}

-	i -= sizeof(*ap);

+	ND_TCHECK(*ap);

+	if (length < sizeof(*ap))

+		goto trunc;

 	ND_PRINT((ndo, " rerr %s [items %u] [%u]:",

 	    ap->rerr_flags & RERR_NODELETE ? "[D]" : "",

 	    ap->rerr_dc, length));

 	dp6 = (struct rerr_unreach6 *)(void *)(ap + 1);

+	i = length - sizeof(*ap);

 	for (dc = ap->rerr_dc; dc != 0 && i >= sizeof(*dp6);

 	    ++dp6, --dc, i -= sizeof(*dp6)) {

+		ND_TCHECK(*dp6);

 		ND_PRINT((ndo, " {%s}(%ld)", ip6addr_string(ndo, &dp6->u_da),

 		    (unsigned long)EXTRACT_32BITS(&dp6->u_ds)));

 	}

 	if ((i % sizeof(*dp6)) != 0)

-		ND_PRINT((ndo, "[|rerr]"));

+		goto trunc;

+	return;

+

+trunc:

+	ND_PRINT((ndo, "[|rerr]"));

 #else

 	ND_PRINT((ndo, " rerr %u", length));

 #endif

@@ -425,26 +408,18 @@ aodv_v6_rerr(netdissect_options *ndo,

 static void

 #ifdef INET6

-aodv_v6_draft_01_rreq(netdissect_options *ndo,

-                      const struct aodv_rreq6_draft_01 *ap, const u_char *dat, u_int length)

+aodv_v6_draft_01_rreq(netdissect_options *ndo, const u_char *dat, u_int length)

 #else

-aodv_v6_draft_01_rreq(netdissect_options *ndo,

-                      const struct aodv_rreq6_draft_01 *ap _U_, const u_char *dat _U_, u_int length)

+aodv_v6_draft_01_rreq(netdissect_options *ndo, const u_char *dat _U_, u_int length)

 #endif

 {

 #ifdef INET6

 	u_int i;

+	const struct aodv_rreq6_draft_01 *ap = (const struct aodv_rreq6_draft_01 *)dat;

-	if (ndo->ndo_snapend < dat) {

-		ND_PRINT((ndo, " [|aodv]"));

-		return;

-	}

-	i = min(length, (u_int)(ndo->ndo_snapend - dat));

-	if (i < sizeof(*ap)) {

-		ND_PRINT((ndo, " [|rreq6]"));

-		return;

-	}

-	i -= sizeof(*ap);

+	ND_TCHECK(*ap);

+	if (length < sizeof(*ap))

+		goto trunc;

 	ND_PRINT((ndo, " rreq %u %s%s%s%s%shops %u id 0x%08lx\n"

 	    "\tdst %s seq %lu src %s seq %lu", length,

 	    ap->rreq_type & RREQ_JOIN ? "[J]" : "",

@@ -458,8 +433,13 @@ aodv_v6_draft_01_rreq(netdissect_options *ndo,

 	    (unsigned long)EXTRACT_32BITS(&ap->rreq_ds),

 	    ip6addr_string(ndo, &ap->rreq_oa),

 	    (unsigned long)EXTRACT_32BITS(&ap->rreq_os)));

+	i = length - sizeof(*ap);

 	if (i >= sizeof(struct aodv_ext))

-		aodv_extension(ndo, (void *)(ap + 1), i);

+		aodv_extension(ndo, (const struct aodv_ext *)(dat + sizeof(*ap)), i);

+	return;

+

+trunc:

+	ND_PRINT((ndo, " [|rreq"));

 #else

 	ND_PRINT((ndo, " rreq %u", length));

 #endif

@@ -467,26 +447,18 @@ aodv_v6_draft_01_rreq(netdissect_options *ndo,

 static void

 #ifdef INET6

-aodv_v6_draft_01_rrep(netdissect_options *ndo,

-                      const struct aodv_rrep6_draft_01 *ap, const u_char *dat, u_int length)

+aodv_v6_draft_01_rrep(netdissect_options *ndo, const u_char *dat, u_int length)

 #else

-aodv_v6_draft_01_rrep(netdissect_options *ndo,

-                      const struct aodv_rrep6_draft_01 *ap _U_, const u_char *dat _U_, u_int length)

+aodv_v6_draft_01_rrep(netdissect_options *ndo, const u_char *dat _U_, u_int length)

 #endif

 {

 #ifdef INET6

 	u_int i;

+	const struct aodv_rrep6_draft_01 *ap = (const struct aodv_rrep6_draft_01 *)dat;

-	if (ndo->ndo_snapend < dat) {

-		ND_PRINT((ndo, " [|aodv]"));

-		return;

-	}

-	i = min(length, (u_int)(ndo->ndo_snapend - dat));

-	if (i < sizeof(*ap)) {

-		ND_PRINT((ndo, " [|rrep6]"));

-		return;

-	}

-	i -= sizeof(*ap);

+	ND_TCHECK(*ap);

+	if (length < sizeof(*ap))

+		goto trunc;

 	ND_PRINT((ndo, " rrep %u %s%sprefix %u hops %u\n"

 	   "\tdst %s dseq %lu src %s %lu ms", length,

 	    ap->rrep_type & RREP_REPAIR ? "[R]" : "",

@@ -497,8 +469,13 @@ aodv_v6_draft_01_rrep(netdissect_options *ndo,

 	    (unsigned long)EXTRACT_32BITS(&ap->rrep_ds),

 	    ip6addr_string(ndo, &ap->rrep_oa),

 	    (unsigned long)EXTRACT_32BITS(&ap->rrep_life)));

+	i = length - sizeof(*ap);

 	if (i >= sizeof(struct aodv_ext))

-		aodv_extension(ndo, (void *)(ap + 1), i);

+		aodv_extension(ndo, (const struct aodv_ext *)(dat + sizeof(*ap)), i);

+	return;

+

+trunc:

+	ND_PRINT((ndo, " [|rreq"));

 #else

 	ND_PRINT((ndo, " rrep %u", length));

 #endif

@@ -506,38 +483,36 @@ aodv_v6_draft_01_rrep(netdissect_options *ndo,

 static void

 #ifdef INET6

-aodv_v6_draft_01_rerr(netdissect_options *ndo,

-                      const struct aodv_rerr *ap, const u_char *dat, u_int length)

+aodv_v6_draft_01_rerr(netdissect_options *ndo, const u_char *dat, u_int length)

 #else

-aodv_v6_draft_01_rerr(netdissect_options *ndo,

-                      const struct aodv_rerr *ap _U_, const u_char *dat, u_int length)

+aodv_v6_draft_01_rerr(netdissect_options *ndo, const u_char *dat _U_, u_int length)

 #endif

 {

 #ifdef INET6

 	u_int i, dc;

+	const struct aodv_rerr *ap = (const struct aodv_rerr *)dat;

 	const struct rerr_unreach6_draft_01 *dp6;

-	if (ndo->ndo_snapend < dat) {

-		ND_PRINT((ndo, " [|aodv]"));

-		return;

-	}

-	i = min(length, (u_int)(ndo->ndo_snapend - dat));

-	if (i < sizeof(*ap)) {

-		ND_PRINT((ndo, " [|rerr]"));

-		return;

-	}

-	i -= sizeof(*ap);

+	ND_TCHECK(*ap);

+	if (length < sizeof(*ap))

+		goto trunc;

 	ND_PRINT((ndo, " rerr %s [items %u] [%u]:",

 	    ap->rerr_flags & RERR_NODELETE ? "[D]" : "",

 	    ap->rerr_dc, length));

 	dp6 = (struct rerr_unreach6_draft_01 *)(void *)(ap + 1);

+	i = length - sizeof(*ap);

 	for (dc = ap->rerr_dc; dc != 0 && i >= sizeof(*dp6);

 	    ++dp6, --dc, i -= sizeof(*dp6)) {

+		ND_TCHECK(*dp6);

 		ND_PRINT((ndo, " {%s}(%ld)", ip6addr_string(ndo, &dp6->u_da),

 		    (unsigned long)EXTRACT_32BITS(&dp6->u_ds)));

 	}

 	if ((i % sizeof(*dp6)) != 0)

-		ND_PRINT((ndo, "[|rerr]"));

+		goto trunc;

+	return;

+

+trunc:

+	ND_PRINT((ndo, "[|rerr]"));

 #else

 	ND_PRINT((ndo, " rerr %u", length));

 #endif

@@ -561,23 +536,23 @@ aodv_print(netdissect_options *ndo,

 	case AODV_RREQ:

 		if (is_ip6)

-			aodv_v6_rreq(ndo, (const struct aodv_rreq6 *)dat, dat, length);

+			aodv_v6_rreq(ndo, dat, length);

 		else

-			aodv_rreq(ndo, (const struct aodv_rreq *)dat, dat, length);

+			aodv_rreq(ndo, dat, length);

 		break;

 	case AODV_RREP:

 		if (is_ip6)

-			aodv_v6_rrep(ndo, (const struct aodv_rrep6 *)dat, dat, length);

+			aodv_v6_rrep(ndo, dat, length);

 		else

-			aodv_rrep(ndo, (const struct aodv_rrep *)dat, dat, length);

+			aodv_rrep(ndo, dat, length);

 		break;

 	case AODV_RERR:

 		if (is_ip6)

-			aodv_v6_rerr(ndo, (const struct aodv_rerr *)dat, dat, length);

+			aodv_v6_rerr(ndo, dat, length);

 		else

-			aodv_rerr(ndo, (const struct aodv_rerr *)dat, dat, length);

+			aodv_rerr(ndo, dat, length);

 		break;

 	case AODV_RREP_ACK:

@@ -585,15 +560,15 @@ aodv_print(netdissect_options *ndo,

 		break;

 	case AODV_V6_DRAFT_01_RREQ:

-		aodv_v6_draft_01_rreq(ndo, (const struct aodv_rreq6_draft_01 *)dat, dat, length);

+		aodv_v6_draft_01_rreq(ndo, dat, length);

 		break;

 	case AODV_V6_DRAFT_01_RREP:

-		aodv_v6_draft_01_rrep(ndo, (const struct aodv_rrep6_draft_01 *)dat, dat, length);

+		aodv_v6_draft_01_rrep(ndo, dat, length);

 		break;

 	case AODV_V6_DRAFT_01_RERR:

-		aodv_v6_draft_01_rerr(ndo, (const struct aodv_rerr *)dat, dat, length);

+		aodv_v6_draft_01_rerr(ndo, dat, length);

 		break;

 	case AODV_V6_DRAFT_01_RREP_ACK:

-- 

1.8.3.1