IPv6: Report another invalid case as invalid, not truncated

When the payload+header length is > (original) length, output example:
  [payload+header length 105 > length 104] (invalid)

We treat this as a warning and so don't stop decoding (as before).

Add a test file.

Update a test output accordingly.

diff --git a/print-ip6.c b/print-ip6.c
index 34a8d47d64e87b380aaa0561111ac25582cc5f20..ba086bc5dfe9b507f3d2979ff7f39f30f7fd9b0a 100644 (file)
--- a/print-ip6.c
+++ b/print-ip6.c
@@ -275,9 +275,12 @@ ip6_print(netdissect_options *ndo, const u_char *bp, u_int length)
         */
        if (payload_len != 0) {
                len = payload_len + sizeof(struct ip6_hdr);
-               if (length < len)
-                       ND_PRINT("truncated-ip6 - %u bytes missing!",
-                               len - length);
+               if (len > length) {
+                       ND_PRINT("[payload+header length %u > length %u]",
+                                len, length);
+                       nd_print_invalid(ndo);
+                       ND_PRINT(" ");
+               }
        } else
                len = length + sizeof(struct ip6_hdr);
 

diff --git a/tests/TESTLIST b/tests/TESTLIST
index 5d114bd0782431c5910fb568cfbd4c6678937ae4..a6698fcaed4d8a285c7cf72eacb29c0137355a03 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -360,6 +360,7 @@ ipv6-srh-tlv-hmac-v ipv6-srh-tlv-hmac.pcap ipv6-srh-tlv-hmac-v.out -v
 ipv6-srh-tlv-pad1-padn-5 ipv6-srh-tlv-pad1-padn-5.pcap ipv6-srh-tlv-pad1-padn-5.out
 ipv6-srh-tlv-pad1-padn-5-v ipv6-srh-tlv-pad1-padn-5.pcap ipv6-srh-tlv-pad1-padn-5-v.out -v
 ipv6_invalid_length ipv6_invalid_length.pcap ipv6_invalid_length.out
+ipv6_invalid_length_2 ipv6_invalid_length_2.pcap ipv6_invalid_length_2.out -v
 
 # Loopback/CTP test case
 loopback       loopback.pcap           loopback.out

diff --git a/tests/cve2015-0261-ipv6.out b/tests/cve2015-0261-ipv6.out
index e5ed54380e279bb6449d56df20f378eac30508fc..d2ca3c19694bce8b71ddf81584b6a14450678730 100644 (file)
--- a/tests/cve2015-0261-ipv6.out
+++ b/tests/cve2015-0261-ipv6.out
@@ -1,2 +1,2 @@
-    1  13:55:31.300000 IP6 truncated-ip6 - 26325 bytes missing!(class 0x76, flowlabel 0x76767, hlim 103, next-header Mobility (135) payload length: 26470) 6767:6767:6767:6767:6767:6767:6767:6767 > 6767:6767:6767:6767:6767:6767:6767:6705: mobility: BU seq#=26471 HL lifetime=105884(type-0x67: len=103) [|mobility]
-    2  15:21:11.300000 IP6 truncated-ip6 - 26325 bytes missing!(class 0x76, flowlabel 0x76767, hlim 103, next-header Mobility (135) payload length: 26470) 6767:6767:6767:6767:6767:6767:6767:6767 > 6767:6767:4f67:6767:6767:6767:6767:6767: (header length 8 is too small for type 6) [|mobility]
+    1  13:55:31.300000 IP6 [payload+header length 26510 > length 185] (invalid) (class 0x76, flowlabel 0x76767, hlim 103, next-header Mobility (135) payload length: 26470) 6767:6767:6767:6767:6767:6767:6767:6767 > 6767:6767:6767:6767:6767:6767:6767:6705: mobility: BU seq#=26471 HL lifetime=105884(type-0x67: len=103) [|mobility]
+    2  15:21:11.300000 IP6 [payload+header length 26510 > length 185] (invalid) (class 0x76, flowlabel 0x76767, hlim 103, next-header Mobility (135) payload length: 26470) 6767:6767:6767:6767:6767:6767:6767:6767 > 6767:6767:4f67:6767:6767:6767:6767:6767: (header length 8 is too small for type 6) [|mobility]

diff --git a/tests/ipv6_invalid_length_2.out b/tests/ipv6_invalid_length_2.out
new file mode 100644 (file)
index 0000000..a91d604
--- /dev/null
+++ b/tests/ipv6_invalid_length_2.out
@@ -0,0 +1 @@
+    1  08:59:14.753767 IP6 [payload+header length 105 > length 104] (invalid) (flowlabel 0x67576, hlim 64, next-header UDP (17) payload length: 65) 2605:bc80:3010:104::8cd3:9ce.45678 > 2600:3c00:e000:19::1.53: [udp sum ok] 34053+ [1au] A? www.tcpdump.org. (56)

diff --git a/tests/ipv6_invalid_length_2.pcap b/tests/ipv6_invalid_length_2.pcap
new file mode 100644 (file)
index 0000000..4e0463b
Binary files /dev/null and b/tests/ipv6_invalid_length_2.pcap differ