On Tue, Mar 07, 2023 at 09:35:28AM +0100, p...@delphinusdns.org wrote:
> >Synopsis: unsafe macro in tcpdump/print-ike.c and /etc/tcpdump.conf
> >Category: user
> >Environment:
> System : OpenBSD 7.2
> Details : OpenBSD 7.2 (GENERIC.MP) #2: Thu Nov 24 23:53:03 MST 2022
>
> r...@syspatch-72-arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP
>
> Architecture: OpenBSD.arm64
> Machine : arm64
> >Description:
> The macro TCHECK() is undef'ed in print-ike.c and a worse macro that
> didn't see repeated fixes is added. I saw this while "fixing" tcpdump with
<cut>
I'm seeing other things in print-ike.c which makes me happy that I did this
policy thing. I'm not very far into the execution flow but I think it can
be crashed. Please follow with me, first in ike.h:
#define IKEV2_PAYLOAD_TYPES_INITIALIZER \
{ "SA", /* 33 */ \
"KE", /* 34 */ \
"IDi", /* 35 */ \
"IDr", /* 36 */ \
"CERT", /* 37 */ \
"CERTREQ", /* 38 */ \
"AUTH", /* 39 */ \
"NONCE", /* 40 */ \
"N", /* 41 */ \
"D", /* 42 */ \
"V", /* 43 */ \
"TSi", /* 44 */ \
"TSr", /* 45 */ \
"E", /* 46 */ \
"CP", /* 47 */ \
"EAP", /* 48 */ \
}
There is 16 elements. This #define is then used in print-ike.c like so:
842 static const char *plv2types[] = IKEV2_PAYLOAD_TYPES_INITIALIZER
;
843 u_int8_t next_type;
And then there is this check:
853 if (type < PAYLOAD_PRIVATE_MIN && type >= PAYLOAD_IKEV2_SA)
854 printf("\n\t%spayload: %s len: %hu", ike_tab_offset(),
855 plv2types[type - PAYLOAD_IKEV2_SA], this_len);
$ grep PAYLOAD_PRIVATE_MIN ike.h
#define PAYLOAD_PRIVATE_MIN 128
$ grep PAYLOAD_IKEV2_SA ike.h
#define PAYLOAD_IKEV2_SA 33
Meaning type can be a value between 33 and 127. But there is only 16 elements
in char *plv2types[] so if types is say 127 it will read beyond this array.
I hope I'm not dreaming. Please confirm I'm not dreaming. I think this is a
boom on tcpdump. Do I need to write a proof of concept or are you following
me?
Best Regards,
-peter
