Guy Harris [Mon, 7 Apr 2025 21:00:24 +0000 (14:00 -0700)]
Suppress bogus C4738 from MSVC.
Our trick to extract a big-endian IEEE floating-point number from a
packet confuses MSVC into thinking we're doing something we're not
doing, or maybe just that we might do so somewhere that it can't see.
Suppress the resulting warning.
Francois-Xavier Le Bail [Sun, 31 Mar 2024 09:38:44 +0000 (11:38 +0200)]
NTP: Fix p_ntp_time_fmt() using epoch 1/epoch 2 convention (RFC 4330)
Moreover:
Update the error message, replace
"[Time is too large to fit into a time_t]"
by
"[timestamp overflow]".
Same as in ts_date_hmsfrac_print() and ts_unix_print().
Fix indentation.
Update 5 test outputs and processings, based on skip_time_t_not (64).
Francois-Xavier Le Bail [Sat, 22 Mar 2025 09:53:34 +0000 (10:53 +0100)]
DHCP: Fix printing IP address pairs options
'p' is used by the options Policy Filter (21) and Static Route (33).
They have a minimum length of 8 and the length MUST be a multiple of 8.
Check that.
Add a test file for option 33 (lengths: 8, 16, 24, 3, 0), build with
scapy.
Arseny Maslennikov [Fri, 8 Dec 2023 11:44:55 +0000 (14:44 +0300)]
ICMPv6: Recognise ND option 38 (PREF64)
This option, defined in RFC 8781, allows a router administrator to pass
NAT64 prefix information for the network to end hosts together with
other routing and prefix information in the RA message, getting rid
of the need for DNS64 service in the network.
As of today the option is widely supported by software routers,
including radvd, BIRD and systemd-networkd.
We implement the printer and test some valid and broken option contents.
Francois-Xavier Le Bail [Fri, 14 Mar 2025 22:36:01 +0000 (23:36 +0100)]
Autoconf: Use AC_SYS_YEAR2038_RECOMMENDED when possible
On Linux, if the environment variable BUILD_YEAR2038=yes, Autoconf
version >= 2.72 and GNU C Library version >= 2.34, uncomment
AC_SYS_YEAR2038_RECOMMENDED to ensure time_t is Y2038-safe.
Tested with: BUILD_YEAR2038=yes MATRIX_CMAKE=no ./build_matrix.sh
on linux-armv7l because currently the CMake build doesn't have year 2038 support.
Arseny Maslennikov [Mon, 4 Dec 2023 11:44:55 +0000 (14:44 +0300)]
ICMPv6: Recognise ND option 14 (Nonce)
This option has been observed to be included in neighbour solicitations
sent by Linux kernel when `conf/*/enhanced_dad` is enabled on the
relevant network interface. It looks like it appeared in the linked
kernel commit.
In accordance with RFC 7527, a nonce can help distinguish valid DAD NS
messages in the presence of Ethernet loopbacks: after a DAD probe is
sent on the network, if an NS is received with the same nonce it is
considered looped back and ignored.
We implement the printer for this option and add a simple test with 3
different verbosity levels.
Also, introduce a helper function to util-print.c which prints
arbitrary data from the dissected packet as space-separated hexadecimal
octets, e.g. "77 c1 ad e9 17 70". Use it in the new printer.
Denis Ovsienko [Sat, 22 Feb 2025 02:29:41 +0000 (02:29 +0000)]
Fix "ip broadcast" netmask byte order with the -f flag.
Let's suppose the interface eth0 has one IPv4 address with a /24
netmask. Without -f tcpdump leaves the netmask variable set to 0, which
regardless of the host endianness causes "ip broadcast" to match
destination hosts 0.0.0.0 and 255.255.255.255:
# tcpdump -i eth0 -d 'ip broadcast'
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 6
(002) ld [30]
(003) jeq #0x0 jt 5 jf 4
(004) jeq #0xffffffff jt 5 jf 6
(005) ret #262144
(006) ret #0
With -f tcpdump calls pcap_lookupnet(), which correctly sets the netmask
to 0xFFFFFF00 (in network byte order). Then pcap_compile() receives the
same value, but it expects it to be in host byte order, so on a
little-endian host the resulting filter program incorrectly tests for a
0x00FFFFFF netmask:
# tcpdump -i eth0 -f -d 'ip broadcast'
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 7
(002) ld [30]
(003) jset #0xff000000 jt 4 jf 6
(004) and #0xff000000
(005) jeq #0xff000000 jt 6 jf 7
(006) ret #262144
(007) ret #0
Add two missing ntohl() wrappers to make it right:
# tcpdump -i eno1 -f -d 'ip broadcast'
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 7
(002) ld [30]
(003) jset #0xff jt 4 jf 6
(004) and #0xff
(005) jeq #0xff jt 6 jf 7
(006) ret #262144
(007) ret #0
Audit the init_print() code path and do not change anything because
there the byte order is already correct. Add comments to spell the byte
order in every case and update the -f flag description in the man page.
See also libpcap commit 1e54958.
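
The byte-order mismatch described in the commit message above, as an added example that is not part of the commit or of the tcpdump/libpcap sources. It models the generated "ip broadcast" test on a little-endian host; the function names, the macro and the sample addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Swap the four octets of a 32-bit value. On a little-endian host this is
 * what ntohl() does; it is spelled out here so that the example models a
 * little-endian host no matter where it is compiled. */
static uint32_t swap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0x0000ff00u) |
           ((v << 8) & 0x00ff0000u) | (v << 24);
}

/* Model of the filter in the listings: "ld [30]" yields the destination in
 * host byte order and the netmask is expected in host byte order. Match
 * when the host part is all zeroes or all ones. */
static int ip_broadcast_match(uint32_t dst, uint32_t netmask)
{
    uint32_t hostmask = ~netmask;
    uint32_t hostbits = dst & hostmask;
    return hostbits == 0 || hostbits == hostmask;
}

/* A /24 netmask in network byte order (octets ff ff ff 00 in memory), read
 * back as an integer on a little-endian host. Constructed sample value. */
#define NETMASK_FROM_LOOKUPNET 0x00ffffffu

/* Before the fix: the value reaches the filter compiler unchanged. */
static int match_without_ntohl(uint32_t dst)
{
    return ip_broadcast_match(dst, NETMASK_FROM_LOOKUPNET);
}

/* After the fix: the value is converted to host byte order first. */
static int match_with_ntohl(uint32_t dst)
{
    return ip_broadcast_match(dst, swap32(NETMASK_FROM_LOOKUPNET));
}

int main(void)
{
    /* Constructed: 192.0.2.255, 192.0.2.10 and 255.1.2.3. */
    uint32_t dst[] = { 0xc00002ffu, 0xc000020au, 0xff010203u };
    for (size_t i = 0; i < sizeof(dst) / sizeof(dst[0]); i++)
        printf("%08x: without ntohl=%d with ntohl=%d\n", (unsigned)dst[i],
               match_without_ntohl(dst[i]), match_with_ntohl(dst[i]));
    return 0;
}
```

Without the conversion the model misses the real subnet broadcast 192.0.2.255 and matches the unrelated address 255.1.2.3, so a capture filtered this way can both drop and admit the wrong packets.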
Denis Ovsienko [Fri, 21 Feb 2025 16:42:51 +0000 (16:42 +0000)]
TESTrun: Copy some recent improvements from libpcap.
Add a help message and the same command-line options as in libpcap
(--passed, --one, --list, --config). Add a licence boilerplate. Move
some code around to make it cleaner. To check for Windows, test for
"msys" only. Use diff on all platforms. Drop TESTRUN_PERL.
Denis Ovsienko [Thu, 13 Feb 2025 01:23:24 +0000 (01:23 +0000)]
Refine bpf_dump(). [skip appveyor]
Constify the temporary pointer, as was done in libpcap in 2008. Remove
the BDEBUG conditional block because in libpcap that is a part of the
optimizer debug feature, but in tcpdump it is dead code.
Francois-Xavier Le Bail [Sat, 8 Feb 2025 10:36:07 +0000 (11:36 +0100)]
DNS: Use ND_TCHECK_LEN() instead of a custom bounds check
This avoids an invalid-pointer-pair AddressSanitizer error.
Add a test file.
The error was:
reading from file ppp_ip_udp_dns.pcap, link-type PPP_SERIAL(PPP over
serial), snapshot length 2098998
=================================================================
==258093==ERROR: AddressSanitizer: invalid-pointer-pair: 0x61300000c086
0x61300000019e
#0 0x78274f in ns_rprint [...]/print-domain.c:728:9
Address 0x61300000c086 is a wild pointer inside of access range of size
0x000000000001.
0x61300000019e is located 0 bytes after 350-byte region
[0x613000000040,0x61300000019e)
allocated by thread T0 here:
#0 0x4b997e in malloc ([...]/tcpdump+0x4b997e)
#1 0x60220b in ppp_hdlc [...]/print-ppp.c:1367:16
SUMMARY: AddressSanitizer: invalid-pointer-pair
[...]/print-domain.c:728:9 in ns_rprint
Denis Ovsienko [Fri, 7 Feb 2025 11:52:39 +0000 (11:52 +0000)]
Reimplement the tests similarly to libpcap. [skip appveyor]
Import TESTlib.pm, TESTst.pm and TESTmt.pm from libpcap. In TESTrun use
strict and warnings, also address all Perl issues that manifest because
of that, remove old code that the imported files make redundant and
clean the rest up. Ibid., remove the core dump file before every test
and apply the "only this one test" mode even if the test does not come
from the TESTLIST file; focus on tcpdump specifics and have the imported
files handle all test/result logistics.
The latter among other things places all temporary test files in a
proper temporary directory rather than the source tree, which in turn
eliminates the tests/NEW and tests/DIFF temporary directories, which
also includes *.out.raw.stderr files; the .passed and .failed files have
been gone since commit b82970c in 2020. This way, the tests/.gitignore
file no longer has a purpose, so remove it and the associated exemption
for TEST_DIST in Makefile. Remove failure-outputs.txt from the
top-level .gitignore as well. Prune "make distclean" as well.
Merge tests/*.tests into TESTrun: these are a part of the source tree
rather than volatile external data, so instead of implementing the
required run-time logistics just place the Perl data structures in the
only Perl script that uses them. Convert "config_set" and
"config_unset" using "skip" and equivalent Perl expressions.
Since these changes rewrite most of TESTrun, reindent and reformat it to
match the code style of the new files.
Denis Ovsienko [Mon, 20 Jan 2025 14:01:45 +0000 (14:01 +0000)]
PTP: Refine timestamp printing.
In ptp_print_timestamp_identity() and ptp_print_announce_msg() use
ptp_print_timestamp() to deduplicate code. In ptp_print_timestamp()
change the format to SECONDS.NANOSECONDS and indicate an invalid
nanoseconds value. Update the tests. This resolves GH issue #1260.
Denis Ovsienko [Mon, 20 Jan 2025 13:59:44 +0000 (13:59 +0000)]
Report invalid microseconds as "us", not "ms".
In timeval-operations.h for microseconds and nanoseconds define both the
maximum number of units per second and the string to use for reporting
an invalid value. Use the new macros in ts_frac_print() and update a
test.
For consistency in print-arista.c instead of MAX_VALID_NS and
BOGUS_NS_STR use the macros from timeval-operations.h.
Francois-Xavier Le Bail [Fri, 17 Jan 2025 11:11:13 +0000 (12:11 +0100)]
Update the GitHub issue template for the new workflow
Summary:
Create the .github/ISSUE_TEMPLATE directory
Rename the file ISSUE_TEMPLATE to .github/ISSUE_TEMPLATE/issue_template.md
Update this file with some keywords (name, about, ...)
Add a .github/ISSUE_TEMPLATE/config.yml file containing
"blank_issues_enabled: false".
Bill Fenner [Tue, 11 Oct 2022 20:10:46 +0000 (13:10 -0700)]
ISO: avoid undefined behavior and integer overflow in the fletcher checksum calculation
The fletcher checksum calculation would sometimes left-shift
a negative number, which is an undefined operation. Rework the
code to avoid this.
checksum.c:186:20: runtime error: left shift of negative value -36
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior checksum.c:186:20
Unlike some checksum routines that use the defined semantics of
2's-complement unsigned overflow to their advantage, this one
gets the wrong value if it is allowed to overflow, due to the
use of mod-255.
Convert c1 to uint64_t to avoid overflow.
checksum.c:163:16: runtime error: unsigned integer overflow: NNN + NNN
cannot be represented in type 'unsigned int'
Use integers during subtraction to avoid implicit conversion to unsigned
when calculating both x and y
checksum.c:172:18: runtime error: unsigned integer overflow: NNN - NNN
cannot be represented in type 'unsigned int'
checksum.c:172:9: runtime error: implicit conversion from type
'unsigned int' of value NNN (32-bit, unsigned) to type 'int' changed
the value to -NNN (32-bit, signed)
checksum.c:173:12: runtime error: unsigned integer overflow: NNN - NNN
cannot be represented in type 'unsigned int'
checksum.c:173:9: runtime error: implicit conversion from type
'unsigned int' of value NNN (32-bit, unsigned) to type 'int' changed
the value to -NNN (32-bit, signed)
Thus sizeof(*fsidp) is > 14.
Delete the else block as dead code and the two useless if.
This should remove two Visual Studio warnings:
parsenfsfh.c(318,25): warning C4127: conditional expression is constant
parsenfsfh.c(319,22): warning C4127: conditional expression is constant
Guy Harris [Tue, 7 Jan 2025 20:02:17 +0000 (12:02 -0800)]
Fix comments. [skip ci]
Yes, the offending set of *BSDs (FreeBSD, DragonFly BSD, and
CupertinoBSD) all do define IPPROTO_PIGP. And the #defines are
IPPROTO_xxx, not IP_PROTO_xxx.
Guy Harris [Tue, 7 Jan 2025 07:23:21 +0000 (23:23 -0800)]
Add comments about the IGRP/EIGRP protocol number and #define mess.
The current IANA protocol number assignments page lists 9 as "any
private interior gateway (used by Cisco for their IGRP)" and 88 as
"EIGRP" from Cisco.
Recent FreeBSD and DragonFly BSD <netinet/in.h> headers define
IP_PROTO_IGRP as 9 and IP_PROTO_IGRP as 88. We define IP_PROTO_PIGP
("private interior gateway protocol") as 9 and IP_PROTO_EIGRP as 88;
those names* better match what the current protocol number assignments
say.
Guy Harris [Sat, 4 Jan 2025 23:29:19 +0000 (15:29 -0800)]
tcpdump: show error message for PCAP_ERROR_CAPTURE_NOTSUP.
If an attempt to open a capture device failed because capturing isn't
supported on that device, check whether an error message with a further
explanation was provided and, if so, report it.
Francois-Xavier Le Bail [Fri, 3 Jan 2025 15:08:32 +0000 (16:08 +0100)]
IP: Use ND_TTEST_LEN() instead of a custom bounds check
This avoids an invalid-pointer-pair AddressSanitizer error with options
-fsanitize=address -fsanitize=pointer-compare
and
ASAN_OPTIONS=detect_invalid_pointer_pairs=1
The error was:
ip_printroute_asan : TEST FAILED[...]
0x60600000006a is located 14 bytes after 60-byte region
[0x606000000020,0x60600000005c)
allocated by thread T0 here:
#0 0x558ce1c5390e in malloc
(/home/cpe/soft-origin/tcpdump/my-tcpdump/tcpdump+0x1fd90e)
#1 0x558ce1efbba3 in pcap_check_header
/home/cpe/soft-origin/tcpdump/my-libpcap/sf-pcap.c:480:14
0x60600000005c is located 0 bytes after 60-byte region
[0x606000000020,0x60600000005c)
allocated by thread T0 here:
#0 0x558ce1c5390e in malloc
(/home/cpe/soft-origin/tcpdump/my-tcpdump/tcpdump+0x1fd90e)
#1 0x558ce1efbba3 in pcap_check_header
/home/cpe/soft-origin/tcpdump/my-libpcap/sf-pcap.c:480:14
SUMMARY: AddressSanitizer: invalid-pointer-pair
/home/cpe/soft-origin/tcpdump/my-tcpdump/print-ip.c:429:55 in ip_print
Francois-Xavier Le Bail [Sun, 22 Dec 2024 14:12:56 +0000 (15:12 +0100)]
Add sub-second packet timestamp checks for invalid micro/nano
Now prints e.g.:
2 17:16:10.1000000 (invalid ms) IP [...]
3 17:16:10.2147483648 (invalid ms) IP [...]
or
2 17:16:10.1000000000 (invalid ns) IP [...]
3 17:16:10.2147483648 (invalid ns) IP [...]
Denis Ovsienko [Tue, 17 Dec 2024 19:33:40 +0000 (19:33 +0000)]
Cirrus CI: Do not install coreutils on macOS. [skip appveyor]
libpcap build & test process now tolerates a missing timeout(1), so
let's keep the build environment as close to the original as possible.
This reverts commit 673a2fe.
Guy Harris [Tue, 17 Dec 2024 09:52:52 +0000 (01:52 -0800)]
pflog: don't use PF_ as a prefix for #defines.
PF_ is used as a prefix for packet family values, and that may cause a
collision between PF_ packet family values, such as PF_DIVERT, and PF_
action values, such as... PF_DIVERT.
Use PFACT_ for action values and PFDIR_ for direction values.