Fix handling of Jumbo option when it's a destination option.

guyharris · guyharris · commit b6dde136cd50 · 2020-04-21T14:31:15.000-07:00
Pass null pointers to ip6_opt_process() when processing destination
options, and have ip6_opt_process() check for a null pointer-to-payload-
length when processing a Jumbo option and, if the pointer is null,
report it as not being a hop-by-hop option.

This fixes an uninitialized-data fetch.
diff --git a/print-ip6opts.c b/print-ip6opts.c
@@ -150,12 +150,19 @@ ip6_opt_process(netdissect_options *ndo, const u_char *bp, int len,
 		    ND_PRINT("(jumbo: %u - already seen) ", jumbolen);
 	    } else {
 		found_jumbo = 1;
-		if (*payload_len != 0) {
+		if (payload_len == NULL) {
+		    /* Not a hop-by-hop option - not valid */
+		    if (ndo->ndo_vflag)
+			ND_PRINT("(jumbo: %u - not a hop-by-hop option) ", jumbolen);
+		} else if (*payload_len != 0) {
 		    /* Payload length was non-zero - not valid */
 		    if (ndo->ndo_vflag)
 			ND_PRINT("(jumbo: %u - payload len != 0) ", jumbolen);
 		} else {
-		    /* Payload length was zero in the IPv6 header */
+		    /*
+		     * This is a hop-by-hop option, and Payload length
+		     * was zero in the IPv6 header.
+		     */
 		    if (jumbolen < 65536) {
 			/* Too short */
 			if (ndo->ndo_vflag)
@@ -235,8 +242,6 @@ dstopt_process(netdissect_options *ndo, const u_char *bp)
 {
     const struct ip6_dest *dp = (const struct ip6_dest *)bp;
     u_int dstoptlen = 0;
-    int found_jumbo;
-    uint32_t jumbolen;
 
     ndo->ndo_protocol = "dstopt";
     ND_TCHECK_1(dp->ip6d_len);
@@ -245,12 +250,12 @@ dstopt_process(netdissect_options *ndo, const u_char *bp)
     ND_PRINT("DSTOPT ");
     if (ndo->ndo_vflag) {
 	/*
-	 * The Jumbo Payload option is a hop-by-hop option; we print,
-	 * but don't honor, Jumbo Payload destination options.
+	 * The Jumbo Payload option is a hop-by-hop option; we don't
+	 * honor Jumbo Payload destination options, reporting them
+	 * as invalid.
 	 */
 	if (ip6_opt_process(ndo, (const u_char *)dp + sizeof(*dp),
-			    dstoptlen - sizeof(*dp), &found_jumbo,
-			    &jumbolen) == -1)
+			    dstoptlen - sizeof(*dp), NULL, NULL) == -1)
 	    goto trunc;
     }
 
