IP6OPTS: Modernize packet parsing and make fixes

fxlb · fxlb · commit 641bd6e2d64f · 2025-07-27T16:26:45.000Z
Define ND_LONGJMP_FROM_TCHECK and remove four 'trunc' labels.
Report invalid packets as invalid with a reason, not truncated.
Use ND_ICHECKMSG_U() for some length tests and add four 'invalid' labels.
Update the output for unknown options/suboptions.
Use some unsigned when needed.
Add some 'const'.

Update the outputs of some tests accordingly.
diff --git a/print-ip6opts.c b/print-ip6opts.c
@@ -33,114 +33,92 @@
 
 #include "netdissect-stdinc.h"
 
+#define ND_LONGJMP_FROM_TCHECK
 #include "netdissect.h"
 #include "addrtoname.h"
 #include "extract.h"
 
 #include "ip6.h"
 
 static int
-ip6_sopt_print(netdissect_options *ndo, const u_char *bp, int len)
+ip6_sopt_print(netdissect_options *ndo, const u_char *bp, const u_int len)
 {
-    int i;
-    int optlen;
+    unsigned int i, opttype, optlen;
 
     for (i = 0; i < len; i += optlen) {
-	if (GET_U_1(bp + i) == IP6OPT_PAD1)
+	opttype = GET_U_1(bp + i);
+	if (opttype == IP6OPT_PAD1)
 	    optlen = 1;
 	else {
-	    if (i + 1 < len)
-		optlen = GET_U_1(bp + i + 1) + 2;
-	    else
-		goto trunc;
+	    ND_ICHECKMSG_U("remaining length", (u_int)(len - i), <,
+			   IP6OPT_MINLEN);
+	    optlen = GET_U_1(bp + i + 1) + 2;
 	}
-	if (i + optlen > len)
-	    goto trunc;
+	ND_ICHECKMSG_U("remaining length", (u_int)(len - i), <, optlen);
+	ND_TCHECK_LEN(bp + i, optlen);
 
-	switch (GET_U_1(bp + i)) {
+	switch (opttype) {
 	case IP6OPT_PAD1:
             ND_PRINT(", pad1");
 	    break;
 	case IP6OPT_PADN:
-	    if (len - i < IP6OPT_MINLEN) {
-		ND_PRINT(", padn: trunc");
-		goto trunc;
-	    }
             ND_PRINT(", padn");
 	    break;
 	default:
-	    if (len - i < IP6OPT_MINLEN) {
-		ND_PRINT(", sopt_type %u: trunc)", GET_U_1(bp + i));
-		goto trunc;
-	    }
-	    ND_PRINT(", sopt_type 0x%02x: len=%u", GET_U_1(bp + i),
-                     GET_U_1(bp + i + 1));
+	    ND_PRINT(", unknown subopt-type 0x%02x len=%u", opttype, optlen - 2);
 	    break;
 	}
     }
     return 0;
 
-trunc:
+invalid:
     return -1;
 }
 
 static int
-ip6_opt_process(netdissect_options *ndo, const u_char *bp, int len,
+ip6_opt_process(netdissect_options *ndo, const u_char *bp, const u_int len,
 		int *found_jumbop, uint32_t *payload_len)
 {
-    int i;
-    int optlen = 0;
+    unsigned int i, opttype, optlen;
     int found_jumbo = 0;
     uint32_t jumbolen = 0;
 
     if (len == 0)
         return 0;
     for (i = 0; i < len; i += optlen) {
-	if (GET_U_1(bp + i) == IP6OPT_PAD1)
+	opttype = GET_U_1(bp + i);
+	if (opttype == IP6OPT_PAD1)
 	    optlen = 1;
 	else {
-	    if (i + 1 < len)
-		optlen = GET_U_1(bp + i + 1) + 2;
-	    else
-		goto trunc;
+	    ND_ICHECKMSG_U("remaining length", (u_int)(len - i), <,
+			   IP6OPT_MINLEN);
+	    optlen = GET_U_1(bp + i + 1) + 2;
 	}
-	if (i + optlen > len)
-	    goto trunc;
+	ND_ICHECKMSG_U("remaining length", (u_int)(len - i), <, optlen);
+	ND_TCHECK_LEN(bp + i, optlen);
 
-	switch (GET_U_1(bp + i)) {
+	switch (opttype) {
 	case IP6OPT_PAD1:
 	    if (ndo->ndo_vflag)
                 ND_PRINT("(pad1)");
 	    break;
 	case IP6OPT_PADN:
-	    if (len - i < IP6OPT_MINLEN) {
-		ND_PRINT("(padn: trunc)");
-		goto trunc;
-	    }
 	    if (ndo->ndo_vflag)
                 ND_PRINT("(padn)");
 	    break;
 	case IP6OPT_ROUTER_ALERT:
-	    if (len - i < IP6OPT_RTALERT_LEN) {
-		ND_PRINT("(rtalert: trunc)");
-		goto trunc;
-	    }
-	    if (GET_U_1(bp + i + 1) != IP6OPT_RTALERT_LEN - 2) {
-		ND_PRINT("(rtalert: invalid len %u)", GET_U_1(bp + i + 1));
-		goto trunc;
-	    }
+	    ND_ICHECKMSG_U("(rtalert) remaining length", (u_int)(len - i), <,
+			   IP6OPT_RTALERT_LEN);
+	    ND_ICHECKMSG_U("(rtalert) length", optlen - 2, !=,
+			   IP6OPT_RTALERT_LEN - 2);
 	    if (ndo->ndo_vflag)
 		ND_PRINT("(rtalert: 0x%04x) ", GET_BE_U_2(bp + i + 2));
 	    break;
 	case IP6OPT_JUMBO:
-	    if (len - i < IP6OPT_JUMBO_LEN) {
-		ND_PRINT("(jumbo: trunc)");
-		goto trunc;
-	    }
-	    if (GET_U_1(bp + i + 1) != IP6OPT_JUMBO_LEN - 2) {
-		ND_PRINT("(jumbo: invalid len %u)", GET_U_1(bp + i + 1));
-		goto trunc;
-	    }
+	    ND_ICHECKMSG_U("(jumbo) remaining length", (u_int)(len - i), <,
+			   IP6OPT_JUMBO_LEN);
+	    ND_ICHECKMSG_U("(jumbo) length", optlen - 2, !=,
+			   IP6OPT_JUMBO_LEN - 2);
 	    jumbolen = GET_BE_U_4(bp + i + 2);
 	    if (found_jumbo) {
 		/* More than one Jumbo Payload option */
@@ -176,40 +154,31 @@ ip6_opt_process(netdissect_options *ndo, const u_char *bp, int len,
 	    }
 	    break;
         case IP6OPT_HOME_ADDRESS:
-	    if (len - i < IP6OPT_HOMEADDR_MINLEN) {
-		ND_PRINT("(homeaddr: trunc)");
-		goto trunc;
-	    }
-	    if (GET_U_1(bp + i + 1) < IP6OPT_HOMEADDR_MINLEN - 2) {
-		ND_PRINT("(homeaddr: invalid len %u)", GET_U_1(bp + i + 1));
-		goto trunc;
-	    }
+	    ND_ICHECKMSG_U("(homeaddr) remaining length", (u_int)(len - i), <,
+			   IP6OPT_HOMEADDR_MINLEN);
+	    ND_ICHECKMSG_U("(homeaddr) length", optlen - 2, <,
+			   IP6OPT_HOMEADDR_MINLEN - 2);
 	    if (ndo->ndo_vflag) {
 		ND_PRINT("(homeaddr: %s", GET_IP6ADDR_STRING(bp + i + 2));
-		if (GET_U_1(bp + i + 1) > IP6OPT_HOMEADDR_MINLEN - 2) {
+		if (optlen > IP6OPT_HOMEADDR_MINLEN) {
 		    if (ip6_sopt_print(ndo, bp + i + IP6OPT_HOMEADDR_MINLEN,
 				       (optlen - IP6OPT_HOMEADDR_MINLEN)) == -1)
-			goto trunc;
+			goto invalid;
 		}
 		ND_PRINT(")");
 	    }
 	    break;
 	default:
-	    if (len - i < IP6OPT_MINLEN) {
-		ND_PRINT("(type %u: trunc)", GET_U_1(bp + i));
-		goto trunc;
-	    }
 	    if (ndo->ndo_vflag)
-		ND_PRINT("(opt_type 0x%02x: len=%u)", GET_U_1(bp + i),
-			 GET_U_1(bp + i + 1));
+		ND_PRINT("(unknown opt-type 0x%02x len=%u)", opttype, optlen - 2);
 	    break;
 	}
     }
     if (ndo->ndo_vflag)
         ND_PRINT(" ");
     return 0;
 
-trunc:
+invalid:
     return -1;
 }
 
@@ -227,11 +196,11 @@ hbhopt_process(netdissect_options *ndo, const u_char *bp, int *found_jumbo,
     ND_PRINT(" ");
     if (ip6_opt_process(ndo, (const u_char *)dp + sizeof(*dp),
 			hbhlen - sizeof(*dp), found_jumbo, jumbolen) == -1)
-	goto trunc;
+	goto invalid;
     return hbhlen;
 
-trunc:
-    nd_print_trunc(ndo);
+invalid:
+    nd_print_invalid(ndo);
     return -1;
 }
 
@@ -254,12 +223,12 @@ dstopt_process(netdissect_options *ndo, const u_char *bp)
 	 */
 	if (ip6_opt_process(ndo, (const u_char *)dp + sizeof(*dp),
 			    dstoptlen - sizeof(*dp), NULL, NULL) == -1)
-	    goto trunc;
+	    goto invalid;
     }
 
     return dstoptlen;
 
-trunc:
-    nd_print_trunc(ndo);
+invalid:
+    nd_print_invalid(ndo);
     return -1;
 }
diff --git a/tests/cve2015-0261-crash.out b/tests/cve2015-0261-crash.out
@@ -1 +1 @@
-    1  1995-08-15 05:27:12.999999 IP6 (class 0x03, flowlabel 0x03030, hlim 48, next-header HBH (0), payload length 12336) 3030:3030:3030:3030:3030:3030:3030:3030 > 130:3030:3030:3030:3030:3030:3030:3030: HBH  [|hbh]
+    1  1995-08-15 05:27:12.999999 IP6 (class 0x03, flowlabel 0x03030, hlim 48, next-header HBH (0), payload length 12336) 3030:3030:3030:3030:3030:3030:3030:3030 > 130:3030:3030:3030:3030:3030:3030:3030: HBH  [remaining length 6 < 50] (invalid)
diff --git a/tests/erspan-type-iii-pb-1.out b/tests/erspan-type-iii-pb-1.out
@@ -1,2 +1,2 @@
-    1  1972-02-16 17:25:18.554240 IP6 (class 0x30, flowlabel 0x00001, hlim 1, next-header DSTOPT (60), payload length 288) 4120:7467:1700:4200:143:100:7f01:400e > 4591:bfd7:cd87:d7:68:38:101:e800: DSTOPT (padn)(pad1)(padn)(opt_type 0x40: len=1)(pad1)(opt_type 0x7f: len=0)(pad1)(pad1) GREv0, Flags [sequence# present, source routing present], seq 4280811777, length 272
+    1  1972-02-16 17:25:18.554240 IP6 (class 0x30, flowlabel 0x00001, hlim 1, next-header DSTOPT (60), payload length 288) 4120:7467:1700:4200:143:100:7f01:400e > 4591:bfd7:cd87:d7:68:38:101:e800: DSTOPT (padn)(pad1)(padn)(unknown opt-type 0x40 len=1)(pad1)(unknown opt-type 0x7f len=0)(pad1)(pad1) GREv0, Flags [sequence# present, source routing present], seq 4280811777, length 272
 	erspan type3 session 0 bso Short cos 0 ft Ethernet [|erspan]
diff --git a/tests/ipv6-next-header-oobr-1.out b/tests/ipv6-next-header-oobr-1.out
@@ -1 +1 @@
-    1  1995-08-15 05:27:12.999999 IP6 3030:3030:3030:3030:3030:3030:3030:3030 > 3030:3030:3030:3030:3030:3030:3030:3030: HBH  [|hbh]
+    1  1995-08-15 05:27:12.999999 IP6 3030:3030:3030:3030:3030:3030:3030:3030 > 3030:3030:3030:3030:3030:3030:3030:3030: HBH  [remaining length 6 < 50] (invalid)
diff --git a/tests/ipv6-next-header-oobr-2.out b/tests/ipv6-next-header-oobr-2.out
@@ -1 +1 @@
-    1  1995-08-15 05:27:12.999999 IP6 3030:3030:3030:3030:3030:3030:3030:3030 > 3030:3030:3030:3030:3030:3030:3030:3030: HBH  [|hbh]
+    1  1995-08-15 05:27:12.999999 IP6 3030:3030:3030:3030:3030:3030:3030:3030 > 3030:3030:3030:3030:3030:3030:3030:3030: HBH  [remaining length 6 < 50] (invalid)
diff --git a/tests/ipv6-too-long-jumbo.out b/tests/ipv6-too-long-jumbo.out
@@ -1 +1 @@
-    1  2012-06-06 12:40:23.226395 IP6 (class 0xc0, hlim 0, next-header HBH (0), payload length 0) 1:6:1a28:312:d7cb:b318:34e5:d3ea > 2b7f:cd1f:ec3c:fb9c:e731:d16b:a8fe:ba8c: HBH (opt_type 0x1a: len=0)(padn)(opt_type 0x16: len=0)(opt_type 0x64: len=114)(jumbo: 3858694210) (opt_type 0x42: len=3)(opt_type 0xfe: len=6)(pad1)(jumbo: 248 - already seen) (opt_type 0x0e: len=8)(opt_type 0x07: len=4)(opt_type 0xf1: len=60) [header+payload length 3858694250 > length 476] (invalid)  ip-proto-12 3858693802
+    1  2012-06-06 12:40:23.226395 IP6 (class 0xc0, hlim 0, next-header HBH (0), payload length 0) 1:6:1a28:312:d7cb:b318:34e5:d3ea > 2b7f:cd1f:ec3c:fb9c:e731:d16b:a8fe:ba8c: HBH (unknown opt-type 0x1a len=0)(padn)(unknown opt-type 0x16 len=0)(unknown opt-type 0x64 len=114)(jumbo: 3858694210) (unknown opt-type 0x42 len=3)(unknown opt-type 0xfe len=6)(pad1)(jumbo: 248 - already seen) (unknown opt-type 0x0e len=8)(unknown opt-type 0x07 len=4)(unknown opt-type 0xf1 len=60) [header+payload length 3858694250 > length 476] (invalid)  ip-proto-12 3858693802
diff --git a/tests/ipv6hdr-heapoverflow-v.out b/tests/ipv6hdr-heapoverflow-v.out
@@ -1 +1 @@
-    1  1995-08-15 05:27:12.999999 IP6 (class 0x33, flowlabel 0x03030, hlim 48, next-header HBH (0), payload length 12336) 3030:3030:3030:3030:3030:3030:3030:3030 > 3030:3030:3030:3030:3030:3030:3030:3030: HBH  [|hbh]
+    1  1995-08-15 05:27:12.999999 IP6 (class 0x33, flowlabel 0x03030, hlim 48, next-header HBH (0), payload length 12336) 3030:3030:3030:3030:3030:3030:3030:3030 > 3030:3030:3030:3030:3030:3030:3030:3030: HBH  [remaining length 6 < 50] (invalid)
diff --git a/tests/ipv6hdr-heapoverflow.out b/tests/ipv6hdr-heapoverflow.out
@@ -1 +1 @@
-    1  1995-08-15 05:27:12.999999 IP6 3030:3030:3030:3030:3030:3030:3030:3030 > 3030:3030:3030:3030:3030:3030:3030:3030: HBH  [|hbh]
+    1  1995-08-15 05:27:12.999999 IP6 3030:3030:3030:3030:3030:3030:3030:3030 > 3030:3030:3030:3030:3030:3030:3030:3030: HBH  [remaining length 6 < 50] (invalid)

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`- 1 1995-08-15 05:27:12.999999 IP6 (class 0x03, flowlabel 0x03030, hlim 48, next-header HBH (0), payload length 12336) 3030:3030:3030:3030:3030:3030:3030:3030 > 130:3030:3030:3030:3030:3030:3030:3030: HBH [\|hbh]`
	`1`	`+ 1 1995-08-15 05:27:12.999999 IP6 (class 0x03, flowlabel 0x03030, hlim 48, next-header HBH (0), payload length 12336) 3030:3030:3030:3030:3030:3030:3030:3030 > 130:3030:3030:3030:3030:3030:3030:3030: HBH [remaining length 6 < 50] (invalid)`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`- 1 1972-02-16 17:25:18.554240 IP6 (class 0x30, flowlabel 0x00001, hlim 1, next-header DSTOPT (60), payload length 288) 4120:7467:1700:4200:143:100:7f01:400e > 4591:bfd7:cd87:d7:68:38:101:e800: DSTOPT (padn)(pad1)(padn)(opt_type 0x40: len=1)(pad1)(opt_type 0x7f: len=0)(pad1)(pad1) GREv0, Flags [sequence# present, source routing present], seq 4280811777, length 272`
	`1`	`+ 1 1972-02-16 17:25:18.554240 IP6 (class 0x30, flowlabel 0x00001, hlim 1, next-header DSTOPT (60), payload length 288) 4120:7467:1700:4200:143:100:7f01:400e > 4591:bfd7:cd87:d7:68:38:101:e800: DSTOPT (padn)(pad1)(padn)(unknown opt-type 0x40 len=1)(pad1)(unknown opt-type 0x7f len=0)(pad1)(pad1) GREv0, Flags [sequence# present, source routing present], seq 4280811777, length 272`
`2`	`2`	`erspan type3 session 0 bso Short cos 0 ft Ethernet [\|erspan]`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`- 1 1995-08-15 05:27:12.999999 IP6 3030:3030:3030:3030:3030:3030:3030:3030 > 3030:3030:3030:3030:3030:3030:3030:3030: HBH [\|hbh]`
	`1`	`+ 1 1995-08-15 05:27:12.999999 IP6 3030:3030:3030:3030:3030:3030:3030:3030 > 3030:3030:3030:3030:3030:3030:3030:3030: HBH [remaining length 6 < 50] (invalid)`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`- 1 2012-06-06 12:40:23.226395 IP6 (class 0xc0, hlim 0, next-header HBH (0), payload length 0) 1:6:1a28:312:d7cb:b318:34e5:d3ea > 2b7f:cd1f:ec3c:fb9c:e731:d16b:a8fe:ba8c: HBH (opt_type 0x1a: len=0)(padn)(opt_type 0x16: len=0)(opt_type 0x64: len=114)(jumbo: 3858694210) (opt_type 0x42: len=3)(opt_type 0xfe: len=6)(pad1)(jumbo: 248 - already seen) (opt_type 0x0e: len=8)(opt_type 0x07: len=4)(opt_type 0xf1: len=60) [header+payload length 3858694250 > length 476] (invalid) ip-proto-12 3858693802`
	`1`	+ 1 2012-06-06 12:40:23.226395 IP6 (class 0xc0, hlim 0, next-header HBH (0), payload length 0) 1:6:1a28:312:d7cb:b318:34e5:d3ea > 2b7f:cd1f:ec3c:fb9c:e731:d16b:a8fe:ba8c: HBH (unknown opt-type 0x1a len=0)(padn)(unknown opt-type 0x16 len=0)(unknown opt-type 0x64 len=114)(jumbo: 3858694210) (unknown opt-type 0x42 len=3)(unknown opt-type 0xfe len=6)(pad1)(jumbo: 248 - already seen) (unknown opt-type 0x0e len=8)(unknown opt-type 0x07 len=4)(unknown opt-type 0xf1 len=60) [header+payload length 3858694250 > length 476] (invalid) ip-proto-12 3858693802