IPv6: Report another invalid case as invalid, not truncated

When the payload+header length is > (original) length, output example: [payload+header length 105 > length 104] (invalid) We treat this as a warning and so don't stop decoding (as before). Add a test file. Update a test output accordingly.
the-tcpdump-group · Aug 26, 2023 · e570e6b · e570e6b
1 parent 0a035a4
commit e570e6b
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 5 deletions.
diff --git a/print-ip6.c b/print-ip6.c
@@ -275,9 +275,12 @@ ip6_print(netdissect_options *ndo, const u_char *bp, u_int length)
 	 */
 	if (payload_len != 0) {
 		len = payload_len + sizeof(struct ip6_hdr);
-		if (length < len)
-			ND_PRINT("truncated-ip6 - %u bytes missing!",
-				len - length);
+		if (len > length) {
+			ND_PRINT("[payload+header length %u > length %u]",
+				 len, length);
+			nd_print_invalid(ndo);
+			ND_PRINT(" ");
+		}
 	} else
 		len = length + sizeof(struct ip6_hdr);
 

diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -360,6 +360,7 @@ ipv6-srh-tlv-hmac-v ipv6-srh-tlv-hmac.pcap ipv6-srh-tlv-hmac-v.out -v
 ipv6-srh-tlv-pad1-padn-5 ipv6-srh-tlv-pad1-padn-5.pcap ipv6-srh-tlv-pad1-padn-5.out
 ipv6-srh-tlv-pad1-padn-5-v ipv6-srh-tlv-pad1-padn-5.pcap ipv6-srh-tlv-pad1-padn-5-v.out -v
 ipv6_invalid_length ipv6_invalid_length.pcap ipv6_invalid_length.out
+ipv6_invalid_length_2 ipv6_invalid_length_2.pcap ipv6_invalid_length_2.out -v
 
 # Loopback/CTP test case
 loopback	loopback.pcap		loopback.out

diff --git a/tests/cve2015-0261-ipv6.out b/tests/cve2015-0261-ipv6.out
@@ -1,2 +1,2 @@
-    1  13:55:31.300000 IP6 truncated-ip6 - 26325 bytes missing!(class 0x76, flowlabel 0x76767, hlim 103, next-header Mobility (135) payload length: 26470) 6767:6767:6767:6767:6767:6767:6767:6767 > 6767:6767:6767:6767:6767:6767:6767:6705: mobility: BU seq#=26471 HL lifetime=105884(type-0x67: len=103) [|mobility]
-    2  15:21:11.300000 IP6 truncated-ip6 - 26325 bytes missing!(class 0x76, flowlabel 0x76767, hlim 103, next-header Mobility (135) payload length: 26470) 6767:6767:6767:6767:6767:6767:6767:6767 > 6767:6767:4f67:6767:6767:6767:6767:6767: (header length 8 is too small for type 6) [|mobility]
+    1  13:55:31.300000 IP6 [payload+header length 26510 > length 185] (invalid) (class 0x76, flowlabel 0x76767, hlim 103, next-header Mobility (135) payload length: 26470) 6767:6767:6767:6767:6767:6767:6767:6767 > 6767:6767:6767:6767:6767:6767:6767:6705: mobility: BU seq#=26471 HL lifetime=105884(type-0x67: len=103) [|mobility]
+    2  15:21:11.300000 IP6 [payload+header length 26510 > length 185] (invalid) (class 0x76, flowlabel 0x76767, hlim 103, next-header Mobility (135) payload length: 26470) 6767:6767:6767:6767:6767:6767:6767:6767 > 6767:6767:4f67:6767:6767:6767:6767:6767: (header length 8 is too small for type 6) [|mobility]
diff --git a/tests/ipv6_invalid_length_2.out b/tests/ipv6_invalid_length_2.out
@@ -0,0 +1 @@
+    1  08:59:14.753767 IP6 [payload+header length 105 > length 104] (invalid) (flowlabel 0x67576, hlim 64, next-header UDP (17) payload length: 65) 2605:bc80:3010:104::8cd3:9ce.45678 > 2600:3c00:e000:19::1.53: [udp sum ok] 34053+ [1au] A? www.tcpdump.org. (56)
diff --git a/tests/ipv6_invalid_length_2.pcap b/tests/ipv6_invalid_length_2.pcap