From 8dd055c9184c81eb7e828f52d821096d1b2b9b0f Mon Sep 17 00:00:00 2001
From: Dashka
Date: Wed, 10 Sep 2025 12:42:36 +0300
Subject: [PATCH 01/14] Add boundary checks to prevent out-of-bounds access in BgpLayer::getHeaderLen()
---
Packet++/src/Layer.cpp | 45 +++++++++++++++++++++++++++++++++++++++++
Packet++/src/Packet.cpp | 2 ++
2 files changed, 47 insertions(+)
diff --git a/Packet++/src/Layer.cpp b/Packet++/src/Layer.cpp
index ced53ab4ba..f4727fb123 100644
--- a/Packet++/src/Layer.cpp
+++ b/Packet++/src/Layer.cpp
@@ -78,6 +78,25 @@ namespace pcpp
 return true;
 }
+ if ((size_t)offsetInLayer > m_DataLen)
+ {
+ PCPP_LOG_ERROR("Requested offset is larger than data length");
+ return false;
+ }
+ if (m_Data - m_Packet->m_RawPacket->getRawData() + (ptrdiff_t)offsetInLayer
+ > (ptrdiff_t)m_Packet->m_RawPacket->getRawDataLen())
+ {
+ PCPP_LOG_ERROR("Requested offset is larger than total packet length");
+ return false;
+ }
+ if (m_NextLayer != nullptr && (ptrdiff_t)offsetInLayer > m_NextLayer->m_Data - m_Data)
+ {
+ PCPP_LOG_ERROR("Requested offset exceeds current layer's boundary");
+ return false;
+ }
 return m_Packet->extendLayer(this, offsetInLayer, numOfBytesToExtend);
 }
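Review bot: The three new guards change what `Layer::extend` promises its callers — it now returns false for an offset past the layer's data, past the enclosing raw packet, or past the next layer's start — but nothing in the patch documents or tests those failure modes. The Doxygen comment on `Layer::extend` in the header (not in this patch) should list each condition under which the method returns false, and a PcppTestFramework case that calls `extend()` with an offset one past the layer's data length and asserts a false return would pin the behaviour the fuzzer samples only exercise indirectly. The `m_Data - m_Packet->m_RawPacket->getRawData()` subtraction is only meaningful when `m_Data` points into the raw packet's buffer; a one-line comment such as `// m_Data is expected to point into m_RawPacket's buffer here (the m_Packet == nullptr case returned above)` would make that precondition visible to the next reader. The enclosing `extend` starts outside the hunk.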
@@ -107,6 +126,32 @@ namespace pcpp
 return true;
 }
+ if ((size_t)offsetInLayer >= m_DataLen)
+ {
+ PCPP_LOG_ERROR("Requested offset is larger than data length");
+ return false;
+ }
+ if ((size_t)offsetInLayer + numOfBytesToShorten > m_DataLen)
+ {
+ PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than data length");
+ return false;
+ }
+ if (m_Data - m_Packet->m_RawPacket->getRawData() + (ptrdiff_t)offsetInLayer + (ptrdiff_t)numOfBytesToShorten
+ > (ptrdiff_t)(m_Packet->m_RawPacket->getRawDataLen()))
+ {
+ PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than total packet length");
+ return false;
+ }
+ if (m_NextLayer != nullptr && (ptrdiff_t)offsetInLayer + (ptrdiff_t)numOfBytesToShorten
+ > m_NextLayer->m_Data - m_Data)
+ {
+ PCPP_LOG_ERROR("Requested number of bytes to shorten exceeds current layer's boundary");
+ return false;
+ }
 return m_Packet->shortenLayer(this, offsetInLayer, numOfBytesToShorten);
 }
diff --git a/Packet++/src/Packet.cpp b/Packet++/src/Packet.cpp
index a60ea2ce78..ccf5fd7332 100644
--- a/Packet++/src/Packet.cpp
+++ b/Packet++/src/Packet.cpp
@@ -671,6 +671,8 @@ namespace pcpp
 // assuming header length of the layer that requested to be extended hasn't been enlarged yet
 size_t headerLen = curLayer->getHeaderLen() - (curLayer == layer ? numOfBytesToShorten : 0);
 dataPtr += headerLen;
+ if (dataPtr > m_RawPacket->getRawData() + m_RawPacket->getRawDataLen())
+ break;
 curLayer = curLayer->getNextLayer();
 }
From 673f2551dbace0d00703fe90fa1664b345b8c645 Mon Sep 17 00:00:00 2001
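Review bot: In the `Layer::shorten` hunk (@@ -107) the second guard computes `(size_t)offsetInLayer + numOfBytesToShorten` before comparing with `m_DataLen`; if `numOfBytesToShorten` is a `size_t` (its declaration is outside the hunk), a value near `SIZE_MAX` wraps the sum below `m_DataLen` and the guard passes. Since the first guard already establishes `offsetInLayer < m_DataLen`, the overflow-free form is `if (numOfBytesToShorten > m_DataLen - (size_t)offsetInLayer)`, which also covers the `m_NextLayer` comparison below it if written the same way. Separately, the first guard uses `>=` but logs "Requested offset is larger than data length", so an offset exactly equal to `m_DataLen` is rejected with a message that does not describe it; either use `>` here (the length check rejects every non-empty range starting at the end anyway) or reword to `"Requested offset is at or beyond data length"`. The enclosing `shorten` starts outside the hunk.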
From: Dashka Date: Wed, 10 Sep 2025 12:49:06 +0300 Subject: [PATCH 02/14] Add poc files to regression_samples --- ...97c903af06c0bc4b5c6f73927ad07cde79cfa28d94f8b | Bin 0 -> 624 bytes ...5c6f73927ad07cde79cfa28d94f8b:Zone.Identifier | 3 +++ ...acf7e778f51603ccbc5ddf948c0b081617668bb56cee4 | Bin 0 -> 1644 bytes ...bc5ddf948c0b081617668bb56cee4:Zone.Identifier | 3 +++ ...c052febfbc74b0561536687be3b7ce7b9508e8b9726d6 | Bin 0 -> 444 bytes ...1536687be3b7ce7b9508e8b9726d6:Zone.Identifier | 3 +++ ...6eff00c915ed4b643034dad7e9986fd89a43244d6be97 | Bin 0 -> 624 bytes ...3034dad7e9986fd89a43244d6be97:Zone.Identifier | 3 +++ ...f17eecf25b1d7c58633f96b6906183c626cbdfc35b325 | Bin 0 -> 624 bytes ...633f96b6906183c626cbdfc35b325:Zone.Identifier | 3 +++ ...990dbc35c5bfff991d914c9ead914e26e3bfc3e88221c | Bin 0 -> 624 bytes ...1d914c9ead914e26e3bfc3e88221c:Zone.Identifier | 3 +++ ...6cf3969413997d23b6f2e3350ddf0b1cc3b4d1c335a95 | Bin 0 -> 444 bytes ...b6f2e3350ddf0b1cc3b4d1c335a95:Zone.Identifier | 3 +++ ...384a66f4e1ab02d84e27a5f091e9c7b1fce89d9c18837 | Bin 0 -> 444 bytes ...4e27a5f091e9c7b1fce89d9c18837:Zone.Identifier | 3 +++ ...3ae05d8d8924a515a236892959f3300e1c9e8a9c56ba7 | Bin 0 -> 444 bytes ...a236892959f3300e1c9e8a9c56ba7:Zone.Identifier | 3 +++ 18 files changed, 27 insertions(+) create mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/047c56c3504ad04232497c903af06c0bc4b5c6f73927ad07cde79cfa28d94f8b create mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/047c56c3504ad04232497c903af06c0bc4b5c6f73927ad07cde79cfa28d94f8b:Zone.Identifier create mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/1eb005b8d62599b6561acf7e778f51603ccbc5ddf948c0b081617668bb56cee4 create mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/1eb005b8d62599b6561acf7e778f51603ccbc5ddf948c0b081617668bb56cee4:Zone.Identifier create mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/39d92632b6a92f1c682c052febfbc74b0561536687be3b7ce7b9508e8b9726d6 create 
mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/39d92632b6a92f1c682c052febfbc74b0561536687be3b7ce7b9508e8b9726d6:Zone.Identifier create mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/6f6fd63a9a6d8dd1a206eff00c915ed4b643034dad7e9986fd89a43244d6be97 create mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/6f6fd63a9a6d8dd1a206eff00c915ed4b643034dad7e9986fd89a43244d6be97:Zone.Identifier create mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/6fda21d7ebaa0391434f17eecf25b1d7c58633f96b6906183c626cbdfc35b325 create mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/6fda21d7ebaa0391434f17eecf25b1d7c58633f96b6906183c626cbdfc35b325:Zone.Identifier create mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/a7a658b6e51576eafe7990dbc35c5bfff991d914c9ead914e26e3bfc3e88221c create mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/a7a658b6e51576eafe7990dbc35c5bfff991d914c9ead914e26e3bfc3e88221c:Zone.Identifier create mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/adb739b5829aacedbec6cf3969413997d23b6f2e3350ddf0b1cc3b4d1c335a95 create mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/adb739b5829aacedbec6cf3969413997d23b6f2e3350ddf0b1cc3b4d1c335a95:Zone.Identifier create mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/e0c0f8fea6e931d9671384a66f4e1ab02d84e27a5f091e9c7b1fce89d9c18837 create mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/e0c0f8fea6e931d9671384a66f4e1ab02d84e27a5f091e9c7b1fce89d9c18837:Zone.Identifier create mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/ec4b17a4e7b994548f03ae05d8d8924a515a236892959f3300e1c9e8a9c56ba7 create mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/ec4b17a4e7b994548f03ae05d8d8924a515a236892959f3300e1c9e8a9c56ba7:Zone.Identifier 
diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/047c56c3504ad04232497c903af06c0bc4b5c6f73927ad07cde79cfa28d94f8b b/Tests/Fuzzers/RegressionTests/regression_samples/047c56c3504ad04232497c903af06c0bc4b5c6f73927ad07cde79cfa28d94f8b new file mode 100644 index 0000000000000000000000000000000000000000..847818881e0865cf06b1dcad4eae8ba166e7f589 GIT binary patch literal 624 zcmd<$<>g9XU|{gI(UxKa(*L1=g~5u!H6^noIk7-NBRsPxwKyZOC|gs(SkFk$SV6-* zvqYf`!Y)Wm&Q45EO;JcJhREs~Y61-cf&?H2nJEIL85mf=Y&IbO4@d$CmYiW_xDq4r z{1%W8!c(4o{~YSe!Jz)Nyqkl;^#CLDi*yGD2e!@o4y@q%3B-RUNHJ{g^Wv4!xP50@ zg9O9V_9Z}D7&*8YavtlvmwfdQ<^veb;LP~{|4R)AMnmAfV zRLTJX4hNRMFWkSVFi3DA0s&zJP$L5_BUsUmFyLZff@y`(44xzzp}@t(l>#D8zzhJ= he?e>pXOaw(IIsd9r!b>PHv$-fsDN}MfWZoia{xwx-f{o{ literal 0 HcmV?d00001 diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/047c56c3504ad04232497c903af06c0bc4b5c6f73927ad07cde79cfa28d94f8b:Zone.Identifier b/Tests/Fuzzers/RegressionTests/regression_samples/047c56c3504ad04232497c903af06c0bc4b5c6f73927ad07cde79cfa28d94f8b:Zone.Identifier new file mode 100644 index 0000000000..2c05c5ebcb --- /dev/null +++ b/Tests/Fuzzers/RegressionTests/regression_samples/047c56c3504ad04232497c903af06c0bc4b5c6f73927ad07cde79cfa28d94f8b:Zone.Identifier @@ -0,0 +1,3 @@ +[ZoneTransfer] +ZoneId=3 +ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz 
diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/1eb005b8d62599b6561acf7e778f51603ccbc5ddf948c0b081617668bb56cee4 b/Tests/Fuzzers/RegressionTests/regression_samples/1eb005b8d62599b6561acf7e778f51603ccbc5ddf948c0b081617668bb56cee4 new file mode 100644 index 0000000000000000000000000000000000000000..56d868d1da2c0026857da634ad2c3d533f36a300 GIT binary patch literal 1644 zcma)+Ur19?9LIm>>~_r{$aY zvd2bm&RItGY@;Yv`H)Y+K=7qdNr)a4f?>b!{WIHkNe}$)Ifr|G=X1Wl^ZOmGu~CZ< zQTL@Y#{~B~c2lT{x)MXWg?8qQVB`TvySsy#de+?WLI-q9)6K>G+{O4ro9*Z8dX^N{ zvu5h?J9_+!sp*q3M~BmsS7K+A33kGqS?uGRlcB3ThjHUr*3s#{L2lHX_+TSGrAHgjjEivC6H4MvZJH1$3CH5qE>IgDEsL$+pLfN}AuE5j$Y zPQ5QPa$q>RoSr(x&JMLiIsUgKsgiT3v>x>+*w0WDF!L?kmDYV4Nyp3SsT0S7H|^=I zB^)oOr#p`KUhLppb3g;1m4{xo~ zm+#;azcv#Z67OwoMfS zx|_B`v;SzTWyG@cCL`g>;JUn@tz_(1o0qw`Gnh+EBYHo$nUBx~wta75zPHWFdqYfH H+o0_)!SOBt literal 0 HcmV?d00001 diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/1eb005b8d62599b6561acf7e778f51603ccbc5ddf948c0b081617668bb56cee4:Zone.Identifier b/Tests/Fuzzers/RegressionTests/regression_samples/1eb005b8d62599b6561acf7e778f51603ccbc5ddf948c0b081617668bb56cee4:Zone.Identifier new file mode 100644 index 0000000000..2c05c5ebcb --- /dev/null +++ b/Tests/Fuzzers/RegressionTests/regression_samples/1eb005b8d62599b6561acf7e778f51603ccbc5ddf948c0b081617668bb56cee4:Zone.Identifier @@ -0,0 +1,3 @@ +[ZoneTransfer] +ZoneId=3 +ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz 
diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/39d92632b6a92f1c682c052febfbc74b0561536687be3b7ce7b9508e8b9726d6 b/Tests/Fuzzers/RegressionTests/regression_samples/39d92632b6a92f1c682c052febfbc74b0561536687be3b7ce7b9508e8b9726d6 new file mode 100644 index 0000000000000000000000000000000000000000..27eda11ae534e0b94e5dde59e47cd542c52b7d25 GIT binary patch literal 444 zcmd<$<>fMAU|{gI(UxKa(*L1=g@KR3H6^noIk7;&NY6~q&;Te21R%8_bs|7q2*eBw zEMPVpkW~Vb00P5TtPGMlJv#$|d=LgIVPs&FIN&?&mpuam2ZQSYM#q!#4h;XFbL)@7|r0q`2RnHh65ub zQ$P~~g99@Q$fO1q7LWrRSV2_E0RawY5Ep2Y0vAL2M3`O}&EUcWl!KT7WDzifNr4Lp hV0vLRgA*xcFbb>@g6V|O49+B(AOZ9z(AA)@1^{+pgu4I$ literal 0 HcmV?d00001 diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/39d92632b6a92f1c682c052febfbc74b0561536687be3b7ce7b9508e8b9726d6:Zone.Identifier b/Tests/Fuzzers/RegressionTests/regression_samples/39d92632b6a92f1c682c052febfbc74b0561536687be3b7ce7b9508e8b9726d6:Zone.Identifier new file mode 100644 index 0000000000..2c05c5ebcb --- /dev/null +++ b/Tests/Fuzzers/RegressionTests/regression_samples/39d92632b6a92f1c682c052febfbc74b0561536687be3b7ce7b9508e8b9726d6:Zone.Identifier @@ -0,0 +1,3 @@ +[ZoneTransfer] +ZoneId=3 +ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/6f6fd63a9a6d8dd1a206eff00c915ed4b643034dad7e9986fd89a43244d6be97 b/Tests/Fuzzers/RegressionTests/regression_samples/6f6fd63a9a6d8dd1a206eff00c915ed4b643034dad7e9986fd89a43244d6be97 new file mode 100644 index 0000000000000000000000000000000000000000..b441d60d580b2cb9a651597b05aa020fc498fe32 GIT binary patch literal 624 zcmd<$<>g9XU|{gI(UxKa(*J?r7X!mD76vN@*ObhXpBJx; z#_c=P8YCE=wl4wN!pOnJkn>pQz2vKhARizD24^OqJsJ*-j7$MQmIE^j$fO1q7LfH0 ztRO1ofB=UB%ikC7UsM<*xFCT*nGsCL+CgjvPsZ;sR{**81YDuO#l@8ZB2Hi!M51>N btN_O;vN5EF$bl7%$l5_{(v1KHD=5wZ7~$Ru literal 0 HcmV?d00001 
diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/6f6fd63a9a6d8dd1a206eff00c915ed4b643034dad7e9986fd89a43244d6be97:Zone.Identifier b/Tests/Fuzzers/RegressionTests/regression_samples/6f6fd63a9a6d8dd1a206eff00c915ed4b643034dad7e9986fd89a43244d6be97:Zone.Identifier new file mode 100644 index 0000000000..2c05c5ebcb --- /dev/null +++ b/Tests/Fuzzers/RegressionTests/regression_samples/6f6fd63a9a6d8dd1a206eff00c915ed4b643034dad7e9986fd89a43244d6be97:Zone.Identifier @@ -0,0 +1,3 @@ +[ZoneTransfer] +ZoneId=3 +ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/6fda21d7ebaa0391434f17eecf25b1d7c58633f96b6906183c626cbdfc35b325 b/Tests/Fuzzers/RegressionTests/regression_samples/6fda21d7ebaa0391434f17eecf25b1d7c58633f96b6906183c626cbdfc35b325 new file mode 100644 index 0000000000000000000000000000000000000000..5386b26243d6c766f2806cffe8a780c9086b73a3 GIT binary patch literal 624 zcmd<$<>g9XU|{gI(UxKa(*L1=g~5u!H6^noIk7-NBRsPxwKyZOC|gs(SkFk$SV6-* zvqYf`!Y)Wm&Q45EO;JcJhREs~Y61-cf&?H2nJEIL85mf=Y&IbO4@d$CmYiW_xDq4r z{1%W8!c(4o{~YSe!Jz)Nyqkl;^#J3Mx9JWH4s4tE9azEj6NvvzkYd=}=fx|dar@4+ z1__3z?Mr~RFmiA)r%m*-m67@ zRLTJX4hNRMFWkSVFi3DA0s&|QI6xSjff`9Nf(d3jjArm8$p{55F0K?1aRO!lj7D-x i1~J|_umT>ZSd1VlL=LQAglUD*NUk8#2w<>+;v4{qtKAL& literal 0 HcmV?d00001 diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/6fda21d7ebaa0391434f17eecf25b1d7c58633f96b6906183c626cbdfc35b325:Zone.Identifier b/Tests/Fuzzers/RegressionTests/regression_samples/6fda21d7ebaa0391434f17eecf25b1d7c58633f96b6906183c626cbdfc35b325:Zone.Identifier new file mode 100644 index 0000000000..2c05c5ebcb --- /dev/null +++ b/Tests/Fuzzers/RegressionTests/regression_samples/6fda21d7ebaa0391434f17eecf25b1d7c58633f96b6906183c626cbdfc35b325:Zone.Identifier @@ -0,0 +1,3 @@ +[ZoneTransfer] +ZoneId=3 +ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz 
diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/a7a658b6e51576eafe7990dbc35c5bfff991d914c9ead914e26e3bfc3e88221c b/Tests/Fuzzers/RegressionTests/regression_samples/a7a658b6e51576eafe7990dbc35c5bfff991d914c9ead914e26e3bfc3e88221c new file mode 100644 index 0000000000000000000000000000000000000000..9cb865d46778e77392bfe63b5ff5b9fe80587d7e GIT binary patch literal 624 zcmd<$<>g9XU|{gI(UxKa(*L1=g~5u!H6^noIk7-NBRsPxwKyZOC|gs(SkFk$SV6-* zvqYf`!Y)Wm&Q45EO;JcJhREs~Y61-cf&?H2nJEIL85mf=Y&IbO4@d$CmYiW_xDq4r z{1%W8!c(4o{~YSe!Jz)Nyqkl;^#J3Ux9JWH4s4tE9azEj6NvvzkYd=}=fx|dar@4+ z1__3z?Mr~RFmiA)r%m*-8KJ<%#gzggPQVNR(tkm0 e24|8Ck~pve9;Yy)NH+o)f~bIWBY?pQigN&pJ>MPx literal 0 HcmV?d00001 diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/a7a658b6e51576eafe7990dbc35c5bfff991d914c9ead914e26e3bfc3e88221c:Zone.Identifier b/Tests/Fuzzers/RegressionTests/regression_samples/a7a658b6e51576eafe7990dbc35c5bfff991d914c9ead914e26e3bfc3e88221c:Zone.Identifier new file mode 100644 index 0000000000..2c05c5ebcb --- /dev/null +++ b/Tests/Fuzzers/RegressionTests/regression_samples/a7a658b6e51576eafe7990dbc35c5bfff991d914c9ead914e26e3bfc3e88221c:Zone.Identifier @@ -0,0 +1,3 @@ +[ZoneTransfer] +ZoneId=3 +ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/adb739b5829aacedbec6cf3969413997d23b6f2e3350ddf0b1cc3b4d1c335a95 b/Tests/Fuzzers/RegressionTests/regression_samples/adb739b5829aacedbec6cf3969413997d23b6f2e3350ddf0b1cc3b4d1c335a95 new file mode 100644 index 0000000000000000000000000000000000000000..b181304e864ed48c7ff882ff0c699af5ec0528e5 GIT binary patch literal 444 zcmd<$<>fMAU|{gI(UxKa(*L1=g@KR3H6^noIk7;&NY6~q&;Te21R%8_bs|7q2*eBw zEMPVpkW~Vb00P5TtPGMlJv#$|d=LgIVPs&FIN&?&mpuam2ZQSYM#q!#4h;XFbL)@7|r0q`2RnHh65ub z6VYz7gK37+NM-~uF)%nVvw&RFz`_FZgaa#xN;x3F;SAz3Ffb`_0Rfs3{~4TsIw9^L Y!VE@%H9{CBIFn?81kjB@8$n?W0E5AS!~g&Q literal 0 HcmV?d00001 
diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/adb739b5829aacedbec6cf3969413997d23b6f2e3350ddf0b1cc3b4d1c335a95:Zone.Identifier b/Tests/Fuzzers/RegressionTests/regression_samples/adb739b5829aacedbec6cf3969413997d23b6f2e3350ddf0b1cc3b4d1c335a95:Zone.Identifier new file mode 100644 index 0000000000..2c05c5ebcb --- /dev/null +++ b/Tests/Fuzzers/RegressionTests/regression_samples/adb739b5829aacedbec6cf3969413997d23b6f2e3350ddf0b1cc3b4d1c335a95:Zone.Identifier @@ -0,0 +1,3 @@ +[ZoneTransfer] +ZoneId=3 +ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/e0c0f8fea6e931d9671384a66f4e1ab02d84e27a5f091e9c7b1fce89d9c18837 b/Tests/Fuzzers/RegressionTests/regression_samples/e0c0f8fea6e931d9671384a66f4e1ab02d84e27a5f091e9c7b1fce89d9c18837 new file mode 100644 index 0000000000000000000000000000000000000000..eb6c488d748c1fb178bcaf3200a9bbc7bae5eda3 GIT binary patch literal 444 zcmd<$<>fMAU|{gI(UxKa(*L1=g@KR3H6^noIk7;&NY6~q&;Te21R%8_bs|7q2*eBw zEMPVpkW~Vb00P5TtPGMlJv#$|d=LgIVPs&FIN&?&mpuam2ZQSYM#q!#4h;XFbL)@7|r0q1TCGAb{zG(F{%` cxkF%$5KJeGW^l%0f&fmRNC5o_bTuff0sB;fJOBUy literal 0 HcmV?d00001 diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/e0c0f8fea6e931d9671384a66f4e1ab02d84e27a5f091e9c7b1fce89d9c18837:Zone.Identifier b/Tests/Fuzzers/RegressionTests/regression_samples/e0c0f8fea6e931d9671384a66f4e1ab02d84e27a5f091e9c7b1fce89d9c18837:Zone.Identifier new file mode 100644 index 0000000000..2c05c5ebcb --- /dev/null +++ b/Tests/Fuzzers/RegressionTests/regression_samples/e0c0f8fea6e931d9671384a66f4e1ab02d84e27a5f091e9c7b1fce89d9c18837:Zone.Identifier @@ -0,0 +1,3 @@ +[ZoneTransfer] +ZoneId=3 +ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz 
diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/ec4b17a4e7b994548f03ae05d8d8924a515a236892959f3300e1c9e8a9c56ba7 b/Tests/Fuzzers/RegressionTests/regression_samples/ec4b17a4e7b994548f03ae05d8d8924a515a236892959f3300e1c9e8a9c56ba7 new file mode 100644 index 0000000000000000000000000000000000000000..3af4bececcf5c26bd72d9778480fd1e85b0b1ef8 GIT binary patch literal 444 zcmd<$<>fMAU|{gI(UxKa(*L1=g@KR3H6^noIk7;&NY6~q&;Te21R%8_bs|7q2*eBw zEMPVpkW~Vb00P5TtPGMlJv#$|d=LgIVPs&FIN&?&mpuam2ZQSYM#q!#4h;XFbL)@7|r0q`2RnHh65ub zQveeKgM%^)$fO1q7LWrRSV2_E0RawY5Ep2Y0vAL2M3`O}&ENvmiDU*dUNe{!xPSnr f7e+HUkzxj;z#1W#P8iMLOp*x_Kz{;V4GL=j7~zCl literal 0 HcmV?d00001 diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/ec4b17a4e7b994548f03ae05d8d8924a515a236892959f3300e1c9e8a9c56ba7:Zone.Identifier b/Tests/Fuzzers/RegressionTests/regression_samples/ec4b17a4e7b994548f03ae05d8d8924a515a236892959f3300e1c9e8a9c56ba7:Zone.Identifier new file mode 100644 index 0000000000..2c05c5ebcb --- /dev/null +++ b/Tests/Fuzzers/RegressionTests/regression_samples/ec4b17a4e7b994548f03ae05d8d8924a515a236892959f3300e1c9e8a9c56ba7:Zone.Identifier @@ -0,0 +1,3 @@ +[ZoneTransfer] +ZoneId=3 +ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz From a97580847afd3aaa90349060b3b88a43df4395ae Mon Sep 17 00:00:00 2001 From: Dashka Date: Wed, 10 Sep 2025 16:00:08 +0300 Subject: [PATCH 03/14] Move common validation before branch point to avoid redundancy --- Packet++/src/Layer.cpp | 36 ++++++++++++------------------------ 1 file changed, 12 insertions(+), 24 deletions(-) diff --git a/Packet++/src/Layer.cpp b/Packet++/src/Layer.cpp index f4727fb123..d023174e35 100644 --- a/Packet++/src/Layer.cpp +++ b/Packet++/src/Layer.cpp 
@@ -61,14 +61,14 @@ namespace pcpp
 return false;
 }
- if (m_Packet == nullptr)
+ if ((size_t)offsetInLayer > m_DataLen)
 {
- if ((size_t)offsetInLayer > m_DataLen)
- {
- PCPP_LOG_ERROR("Requested offset is larger than data length");
- return false;
- }
+ PCPP_LOG_ERROR("Requested offset is larger than data length");
+ return false;
+ }
+ if (m_Packet == nullptr)
+ {
 uint8_t* newData = new uint8_t[m_DataLen + numOfBytesToExtend];
 memcpy(newData, m_Data, offsetInLayer);
 memcpy(newData + offsetInLayer + numOfBytesToExtend, m_Data + offsetInLayer, m_DataLen - offsetInLayer);
@@ -78,12 +78,6 @@ namespace pcpp
 return true;
 }
- if ((size_t)offsetInLayer > m_DataLen)
- {
- PCPP_LOG_ERROR("Requested offset is larger than data length");
- return false;
- }
-
 if (m_Data - m_Packet->m_RawPacket->getRawData() + (ptrdiff_t)offsetInLayer
 > (ptrdiff_t)m_Packet->m_RawPacket->getRawDataLen())
 {
@@ -108,14 +102,14 @@ namespace pcpp
 return false;
 }
- if (m_Packet == nullptr)
+ if ((size_t)offsetInLayer >= m_DataLen)
 {
- if ((size_t)offsetInLayer >= m_DataLen)
- {
- PCPP_LOG_ERROR("Requested offset is larger than data length");
- return false;
- }
+ PCPP_LOG_ERROR("Requested offset is larger than data length");
+ return false;
+ }
+ if (m_Packet == nullptr)
+ {
 uint8_t* newData = new uint8_t[m_DataLen - numOfBytesToShorten];
 memcpy(newData, m_Data, offsetInLayer);
 memcpy(newData + offsetInLayer, m_Data + offsetInLayer + numOfBytesToShorten,
@@ -126,12 +120,6 @@ namespace pcpp
 return true;
 }
- if ((size_t)offsetInLayer >= m_DataLen)
- {
- PCPP_LOG_ERROR("Requested offset is larger than data length");
- return false;
- }
-
 if ((size_t)offsetInLayer + numOfBytesToShorten > m_DataLen)
 {
 PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than data length");
From 6b979b7493e92e3b9727db15d4a42df621c60c1e Mon Sep 17 00:00:00 2001
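Review bot: The `(size_t)offsetInLayer + numOfBytesToShorten > m_DataLen` guard at @@ -126 stays after the `m_Packet == nullptr` branch, so the standalone-layer path at @@ -108 still runs `new uint8_t[m_DataLen - numOfBytesToShorten]` and the second `memcpy` without knowing that the shortened range fits inside the layer; if `numOfBytesToShorten` exceeds `m_DataLen - offsetInLayer` the allocation size wraps and the copy reads past the end of `m_Data`, unless a guard in the lines just above the hunk (not visible) already covers it. That check depends only on the layer's own length, so it belongs with the other common validation this commit moves before the branch; the same applies to a length guard for `m_DataLen + numOfBytesToExtend` on the extend side at @@ -61 if callers can pass very large extension sizes. Both enclosing functions start and end outside the hunks.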
From: Dashka
Date: Wed, 10 Sep 2025 16:34:24 +0300
Subject: [PATCH 04/14] Change C-style casts to static_cast
---
Packet++/src/Layer.cpp | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/Packet++/src/Layer.cpp b/Packet++/src/Layer.cpp
index d023174e35..8059570ed2 100644
--- a/Packet++/src/Layer.cpp
+++ b/Packet++/src/Layer.cpp
@@ -61,7 +61,7 @@ namespace pcpp
 return false;
 }
- if ((size_t)offsetInLayer > m_DataLen)
+ if (static_cast(offsetInLayer) > m_DataLen)
 {
 PCPP_LOG_ERROR("Requested offset is larger than data length");
 return false;
@@ -78,14 +78,14 @@ namespace pcpp
 return true;
 }
- if (m_Data - m_Packet->m_RawPacket->getRawData() + (ptrdiff_t)offsetInLayer
- > (ptrdiff_t)m_Packet->m_RawPacket->getRawDataLen())
+ if (m_Data - m_Packet->m_RawPacket->getRawData() + static_cast(offsetInLayer)
+ > static_cast(m_Packet->m_RawPacket->getRawDataLen()))
 {
 PCPP_LOG_ERROR("Requested offset is larger than total packet length");
 return false;
 }
- if (m_NextLayer != nullptr && (ptrdiff_t)offsetInLayer > m_NextLayer->m_Data - m_Data)
+ if (m_NextLayer != nullptr && static_cast(offsetInLayer) > m_NextLayer->m_Data - m_Data)
 {
 PCPP_LOG_ERROR("Requested offset exceeds current layer's boundary");
 return false;
@@ -102,7 +102,7 @@ namespace pcpp
 return false;
 }
- if ((size_t)offsetInLayer >= m_DataLen)
+ if (static_cast(offsetInLayer) >= m_DataLen)
 {
 PCPP_LOG_ERROR("Requested offset is larger than data length");
 return false;
@@ -120,21 +120,21 @@ namespace pcpp
 return true;
 }
- if ((size_t)offsetInLayer + numOfBytesToShorten > m_DataLen)
+ if (static_cast(offsetInLayer) + numOfBytesToShorten > m_DataLen)
 {
 PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than data length");
 return false;
 }
- if (m_Data - m_Packet->m_RawPacket->getRawData() + (ptrdiff_t)offsetInLayer + (ptrdiff_t)numOfBytesToShorten
- > (ptrdiff_t)(m_Packet->m_RawPacket->getRawDataLen()))
+ if (m_Data - m_Packet->m_RawPacket->getRawData() + static_cast(offsetInLayer)
+ + static_cast(numOfBytesToShorten) > static_cast(m_Packet->m_RawPacket->getRawDataLen()))
 {
 PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than total packet length");
 return false;
 }
- if (m_NextLayer != nullptr && (ptrdiff_t)offsetInLayer + (ptrdiff_t)numOfBytesToShorten
- > m_NextLayer->m_Data - m_Data)
+ if (m_NextLayer != nullptr && static_cast(offsetInLayer)
+ + static_cast(numOfBytesToShorten) > m_NextLayer->m_Data - m_Data)
 {
 PCPP_LOG_ERROR("Requested number of bytes to shorten exceeds current layer's boundary");
 return false;
From 1423ba7604dba1fe58041e9fcaa7258cd82b135d Mon Sep 17 00:00:00 2001
From: Dashka Date: Wed, 10 Sep 2025 16:49:28 +0300 Subject: [PATCH 05/14] Remove mistakenly added files --- ...c903af06c0bc4b5c6f73927ad07cde79cfa28d94f8b:Zone.Identifier | 3 --- ...f7e778f51603ccbc5ddf948c0b081617668bb56cee4:Zone.Identifier | 3 --- ...52febfbc74b0561536687be3b7ce7b9508e8b9726d6:Zone.Identifier | 3 --- ...ff00c915ed4b643034dad7e9986fd89a43244d6be97:Zone.Identifier | 3 --- ...7eecf25b1d7c58633f96b6906183c626cbdfc35b325:Zone.Identifier | 3 --- ...0dbc35c5bfff991d914c9ead914e26e3bfc3e88221c:Zone.Identifier | 3 --- ...f3969413997d23b6f2e3350ddf0b1cc3b4d1c335a95:Zone.Identifier | 3 --- ...4a66f4e1ab02d84e27a5f091e9c7b1fce89d9c18837:Zone.Identifier | 3 --- ...e05d8d8924a515a236892959f3300e1c9e8a9c56ba7:Zone.Identifier | 3 --- 9 files changed, 27 deletions(-) delete mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/047c56c3504ad04232497c903af06c0bc4b5c6f73927ad07cde79cfa28d94f8b:Zone.Identifier delete mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/1eb005b8d62599b6561acf7e778f51603ccbc5ddf948c0b081617668bb56cee4:Zone.Identifier delete mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/39d92632b6a92f1c682c052febfbc74b0561536687be3b7ce7b9508e8b9726d6:Zone.Identifier delete mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/6f6fd63a9a6d8dd1a206eff00c915ed4b643034dad7e9986fd89a43244d6be97:Zone.Identifier delete mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/6fda21d7ebaa0391434f17eecf25b1d7c58633f96b6906183c626cbdfc35b325:Zone.Identifier delete mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/a7a658b6e51576eafe7990dbc35c5bfff991d914c9ead914e26e3bfc3e88221c:Zone.Identifier delete mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/adb739b5829aacedbec6cf3969413997d23b6f2e3350ddf0b1cc3b4d1c335a95:Zone.Identifier delete mode 100644 Tests/Fuzzers/RegressionTests/regression_samples/e0c0f8fea6e931d9671384a66f4e1ab02d84e27a5f091e9c7b1fce89d9c18837:Zone.Identifier delete mode 100644 
Tests/Fuzzers/RegressionTests/regression_samples/ec4b17a4e7b994548f03ae05d8d8924a515a236892959f3300e1c9e8a9c56ba7:Zone.Identifier diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/047c56c3504ad04232497c903af06c0bc4b5c6f73927ad07cde79cfa28d94f8b:Zone.Identifier b/Tests/Fuzzers/RegressionTests/regression_samples/047c56c3504ad04232497c903af06c0bc4b5c6f73927ad07cde79cfa28d94f8b:Zone.Identifier deleted file mode 100644 index 2c05c5ebcb..0000000000 --- a/Tests/Fuzzers/RegressionTests/regression_samples/047c56c3504ad04232497c903af06c0bc4b5c6f73927ad07cde79cfa28d94f8b:Zone.Identifier +++ /dev/null @@ -1,3 +0,0 @@ -[ZoneTransfer] -ZoneId=3 -ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/1eb005b8d62599b6561acf7e778f51603ccbc5ddf948c0b081617668bb56cee4:Zone.Identifier b/Tests/Fuzzers/RegressionTests/regression_samples/1eb005b8d62599b6561acf7e778f51603ccbc5ddf948c0b081617668bb56cee4:Zone.Identifier deleted file mode 100644 index 2c05c5ebcb..0000000000 --- a/Tests/Fuzzers/RegressionTests/regression_samples/1eb005b8d62599b6561acf7e778f51603ccbc5ddf948c0b081617668bb56cee4:Zone.Identifier +++ /dev/null @@ -1,3 +0,0 @@ -[ZoneTransfer] -ZoneId=3 -ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/39d92632b6a92f1c682c052febfbc74b0561536687be3b7ce7b9508e8b9726d6:Zone.Identifier b/Tests/Fuzzers/RegressionTests/regression_samples/39d92632b6a92f1c682c052febfbc74b0561536687be3b7ce7b9508e8b9726d6:Zone.Identifier deleted file mode 100644 index 2c05c5ebcb..0000000000 --- a/Tests/Fuzzers/RegressionTests/regression_samples/39d92632b6a92f1c682c052febfbc74b0561536687be3b7ce7b9508e8b9726d6:Zone.Identifier +++ /dev/null @@ -1,3 +0,0 @@ -[ZoneTransfer] -ZoneId=3 -ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz 
diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/6f6fd63a9a6d8dd1a206eff00c915ed4b643034dad7e9986fd89a43244d6be97:Zone.Identifier b/Tests/Fuzzers/RegressionTests/regression_samples/6f6fd63a9a6d8dd1a206eff00c915ed4b643034dad7e9986fd89a43244d6be97:Zone.Identifier deleted file mode 100644 index 2c05c5ebcb..0000000000 --- a/Tests/Fuzzers/RegressionTests/regression_samples/6f6fd63a9a6d8dd1a206eff00c915ed4b643034dad7e9986fd89a43244d6be97:Zone.Identifier +++ /dev/null @@ -1,3 +0,0 @@ -[ZoneTransfer] -ZoneId=3 -ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/6fda21d7ebaa0391434f17eecf25b1d7c58633f96b6906183c626cbdfc35b325:Zone.Identifier b/Tests/Fuzzers/RegressionTests/regression_samples/6fda21d7ebaa0391434f17eecf25b1d7c58633f96b6906183c626cbdfc35b325:Zone.Identifier deleted file mode 100644 index 2c05c5ebcb..0000000000 --- a/Tests/Fuzzers/RegressionTests/regression_samples/6fda21d7ebaa0391434f17eecf25b1d7c58633f96b6906183c626cbdfc35b325:Zone.Identifier +++ /dev/null @@ -1,3 +0,0 @@ -[ZoneTransfer] -ZoneId=3 -ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/a7a658b6e51576eafe7990dbc35c5bfff991d914c9ead914e26e3bfc3e88221c:Zone.Identifier b/Tests/Fuzzers/RegressionTests/regression_samples/a7a658b6e51576eafe7990dbc35c5bfff991d914c9ead914e26e3bfc3e88221c:Zone.Identifier deleted file mode 100644 index 2c05c5ebcb..0000000000 --- a/Tests/Fuzzers/RegressionTests/regression_samples/a7a658b6e51576eafe7990dbc35c5bfff991d914c9ead914e26e3bfc3e88221c:Zone.Identifier +++ /dev/null @@ -1,3 +0,0 @@ -[ZoneTransfer] -ZoneId=3 -ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz 
diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/adb739b5829aacedbec6cf3969413997d23b6f2e3350ddf0b1cc3b4d1c335a95:Zone.Identifier b/Tests/Fuzzers/RegressionTests/regression_samples/adb739b5829aacedbec6cf3969413997d23b6f2e3350ddf0b1cc3b4d1c335a95:Zone.Identifier deleted file mode 100644 index 2c05c5ebcb..0000000000 --- a/Tests/Fuzzers/RegressionTests/regression_samples/adb739b5829aacedbec6cf3969413997d23b6f2e3350ddf0b1cc3b4d1c335a95:Zone.Identifier +++ /dev/null @@ -1,3 +0,0 @@ -[ZoneTransfer] -ZoneId=3 -ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/e0c0f8fea6e931d9671384a66f4e1ab02d84e27a5f091e9c7b1fce89d9c18837:Zone.Identifier b/Tests/Fuzzers/RegressionTests/regression_samples/e0c0f8fea6e931d9671384a66f4e1ab02d84e27a5f091e9c7b1fce89d9c18837:Zone.Identifier deleted file mode 100644 index 2c05c5ebcb..0000000000 --- a/Tests/Fuzzers/RegressionTests/regression_samples/e0c0f8fea6e931d9671384a66f4e1ab02d84e27a5f091e9c7b1fce89d9c18837:Zone.Identifier +++ /dev/null @@ -1,3 +0,0 @@ -[ZoneTransfer] -ZoneId=3 -ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz diff --git a/Tests/Fuzzers/RegressionTests/regression_samples/ec4b17a4e7b994548f03ae05d8d8924a515a236892959f3300e1c9e8a9c56ba7:Zone.Identifier b/Tests/Fuzzers/RegressionTests/regression_samples/ec4b17a4e7b994548f03ae05d8d8924a515a236892959f3300e1c9e8a9c56ba7:Zone.Identifier deleted file mode 100644 index 2c05c5ebcb..0000000000 --- a/Tests/Fuzzers/RegressionTests/regression_samples/ec4b17a4e7b994548f03ae05d8d8924a515a236892959f3300e1c9e8a9c56ba7:Zone.Identifier +++ /dev/null @@ -1,3 +0,0 @@ -[ZoneTransfer] -ZoneId=3 -ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz From 45f54c922ffdb2b5fd64cffc1be49ee907b63dbe Mon Sep 17 00:00:00 2001 
From: Dashka
Date: Wed, 10 Sep 2025 17:09:01 +0300
Subject: [PATCH 06/14] Add check to ensure offsetInLayer is not negative in Layer::extend/shorten
---
Packet++/src/Layer.cpp | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/Packet++/src/Layer.cpp b/Packet++/src/Layer.cpp
index 8059570ed2..d549e5fd9a 100644
--- a/Packet++/src/Layer.cpp
+++ b/Packet++/src/Layer.cpp
@@ -61,6 +61,12 @@ namespace pcpp
 return false;
 }
+ if (offsetInLayer < 0)
+ {
+ PCPP_LOG_ERROR("Requested offset is negative");
+ return false;
+ }
+
 if (static_cast(offsetInLayer) > m_DataLen)
 {
 PCPP_LOG_ERROR("Requested offset is larger than data length");
@@ -102,6 +108,12 @@ namespace pcpp
 return false;
 }
+ if (offsetInLayer < 0)
+ {
+ PCPP_LOG_ERROR("Requested offset is negative");
+ return false;
+ }
+
 if (static_cast(offsetInLayer) >= m_DataLen)
 {
 PCPP_LOG_ERROR("Requested offset is larger than data length");
From b5203a3185bb1a07421766c755f037347594ce75 Mon Sep 17 00:00:00 2001
From: Dashka
Date: Thu, 11 Sep 2025 11:08:38 +0300
Subject: [PATCH 07/14] Fix pre-commit hook failures
---
Packet++/src/Layer.cpp | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/Packet++/src/Layer.cpp b/Packet++/src/Layer.cpp
index d549e5fd9a..ec0e80079f 100644
--- a/Packet++/src/Layer.cpp
+++ b/Packet++/src/Layer.cpp
@@ -84,8 +84,8 @@ namespace pcpp
 return true;
 }
- if (m_Data - m_Packet->m_RawPacket->getRawData() + static_cast(offsetInLayer)
- > static_cast(m_Packet->m_RawPacket->getRawDataLen()))
+ if (m_Data - m_Packet->m_RawPacket->getRawData() + static_cast(offsetInLayer) >
+ static_cast(m_Packet->m_RawPacket->getRawDataLen()))
 {
 PCPP_LOG_ERROR("Requested offset is larger than total packet length");
 return false;
@@ -138,15 +138,17 @@ namespace pcpp return false; } - if (m_Data - m_Packet->m_RawPacket->getRawData() + static_cast(offsetInLayer) - + static_cast(numOfBytesToShorten) > static_cast(m_Packet->m_RawPacket->getRawDataLen())) + if (m_Data - m_Packet->m_RawPacket->getRawData() + static_cast(offsetInLayer) + + static_cast(numOfBytesToShorten) > + static_cast(m_Packet->m_RawPacket->getRawDataLen())) { PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than total packet length"); return false; } - if (m_NextLayer != nullptr && static_cast(offsetInLayer) - + static_cast(numOfBytesToShorten) > m_NextLayer->m_Data - m_Data) + if (m_NextLayer != nullptr && + static_cast(offsetInLayer) + static_cast(numOfBytesToShorten) > + m_NextLayer->m_Data - m_Data) { PCPP_LOG_ERROR("Requested number of bytes to shorten exceeds current layer's boundary"); return false; From 646610cb3613b2fe6ecb1c4eb6697ff09b5cd5a0 Mon Sep 17 00:00:00 2001 From: Dashka Date: Tue, 7 Oct 2025 09:55:09 +0300 Subject: [PATCH 08/14] Move headerLen calculation and dataPtr bounds check - Calculate headerLen before updating m_DataLen to avoid double subtraction - Move dataPtr validation to beginning of loop and add log message --- Packet++/src/Packet.cpp | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/Packet++/src/Packet.cpp b/Packet++/src/Packet.cpp index ccf5fd7332..a837c18363 100644 --- a/Packet++/src/Packet.cpp +++ b/Packet++/src/Packet.cpp @@ -605,6 +605,12 @@ namespace pcpp bool passedExtendedLayer = false; for (Layer* curLayer = m_FirstLayer; curLayer != nullptr; curLayer = curLayer->getNextLayer()) { + if (dataPtr > m_RawPacket->getRawData() + m_RawPacket->getRawDataLen()) + { + PCPP_LOG_ERROR("Layer data pointer exceeds packet's boundary"); + return false; + } + // set the data ptr curLayer->m_Data = const_cast(dataPtr); 
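Review bot: The new bounds check in the extend loop returns false after earlier iterations have already rewritten `m_Data` (and, further down the same loop, `m_DataLen`) of the layers before the failing one, and presumably after the raw buffer has already been resized, so a false return leaves the packet's layer chain partially updated; the matching check in the shortenLayer loop of the next hunk has the same property. Since `dataPtr` only advances by each layer's `getHeaderLen()`, the walk could be run once without side effects to validate the chain and then again to apply the updates; failing that, the condition deserves a comment such as `// a malformed header length can push dataPtr past the buffer; bail out rather than point a layer at out-of-bounds memory, even though earlier layers are already updated`. The enclosing function starts outside the hunk.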
@@ -656,6 +662,12 @@ namespace pcpp bool passedExtendedLayer = false; while (curLayer != nullptr) { + if (dataPtr > m_RawPacket->getRawData() + m_RawPacket->getRawDataLen()) + { + PCPP_LOG_ERROR("Layer data pointer exceeds packet's boundary"); + return false; + } + // set the data ptr curLayer->m_Data = const_cast(dataPtr); @@ -663,16 +675,17 @@ namespace pcpp if (curLayer->getPrevLayer() == layer) passedExtendedLayer = true; + size_t headerLen = curLayer->getHeaderLen(); + // change the data length only for layers who come before the shortened layer. For layers who come after, // data length isn't changed if (!passedExtendedLayer) curLayer->m_DataLen -= numOfBytesToShorten; // assuming header length of the layer that requested to be extended hasn't been enlarged yet - size_t headerLen = curLayer->getHeaderLen() - (curLayer == layer ? numOfBytesToShorten : 0); + // size_t headerLen = curLayer->getHeaderLen() - (curLayer == layer ? numOfBytesToShorten : 0); + headerLen -= (curLayer == layer ? numOfBytesToShorten : 0); dataPtr += headerLen; - if (dataPtr > m_RawPacket->getRawData() + m_RawPacket->getRawDataLen()) - break; curLayer = curLayer->getNextLayer(); } From e9d3792f09026c4f113bb7ad8e82b3cfc61aee31 Mon Sep 17 00:00:00 2001 From: Dashka Date: Tue, 7 Oct 2025 10:33:38 +0300 Subject: [PATCH 09/14] Relocate shortenLayer/extendLayer validity checks from Layer.cpp to BgpLayer.cpp - Add two validation methods in BgpLayer.cpp: isValidShortenRange and isValidExtendRange - Perform validation before each extendLayer/shortenLayer call --- Packet++/header/BgpLayer.h | 4 + Packet++/src/BgpLayer.cpp | 170 +++++++++++++++++++++++++------------ Packet++/src/Layer.cpp | 63 +++----------- 3 files changed, 128 insertions(+), 109 deletions(-) diff --git a/Packet++/header/BgpLayer.h b/Packet++/header/BgpLayer.h index 00ced23bfe..22767e0ad4 100644 --- a/Packet++/header/BgpLayer.h +++ b/Packet++/header/BgpLayer.h 
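Review bot: `headerLen -= (curLayer == layer ? numOfBytesToShorten : 0);` underflows the `size_t` when the shortened layer's `getHeaderLen()` is smaller than `numOfBytesToShorten`, and the following `dataPtr += headerLen` then moves the pointer far past the buffer, which the `dataPtr > end` check at the top of the loop is not guaranteed to catch because pointer arithmetic past the allocation is undefined. Whether that case is reachable depends on how `getHeaderLen()` behaves on a truncated header, which is not visible here, so a cheap guard before the subtraction is worth adding: `if (curLayer == layer && headerLen < numOfBytesToShorten) { PCPP_LOG_ERROR("Header length is smaller than the number of bytes to shorten"); return false; }`. The context comment above it still speaks of the layer "requested to be extended" inside the shorten loop; `// assuming the header length of the layer being shortened hasn't been reduced yet` would match the code. The enclosing function starts outside the hunk.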
@@ -113,6 +113,10 @@ namespace pcpp } void setBgpFields(size_t messageLen = 0); + + bool isValidExtendRange(int offsetInLayer, size_t numOfBytesToExtend) const; + + bool isValidShortenRange(int offsetInLayer, size_t numOfBytesToShorten) const; }; /// @class BgpOpenMessageLayer diff --git a/Packet++/src/BgpLayer.cpp b/Packet++/src/BgpLayer.cpp index 003dfb44ac..e596e3e826 100644 --- a/Packet++/src/BgpLayer.cpp +++ b/Packet++/src/BgpLayer.cpp @@ -2,6 +2,7 @@ #include "Logger.h" #include "BgpLayer.h" +#include "Packet.h" #include "EndianPortable.h" #include "GeneralUtils.h" 
@@ -117,6 +118,50 @@ namespace pcpp } } + bool BgpLayer::isValidExtendRange(int offsetInLayer, size_t numOfBytesToExtend) const + { + int rawPacketLen = m_Packet->getRawPacket()->getRawDataLen(); + const uint8_t* rawPacketPtr = m_Packet->getRawPacket()->getRawData(); + + if (m_Data - rawPacketPtr + static_cast(offsetInLayer) > static_cast(rawPacketLen)) + { + PCPP_LOG_ERROR("Requested offset is larger than total packet length"); + return false; + } + + if (m_NextLayer != nullptr && static_cast(offsetInLayer) > m_NextLayer->getData() - m_Data) + { + PCPP_LOG_ERROR("Requested offset exceeds current layer's boundary"); + return false; + } + + return true; + } + + bool BgpLayer::isValidShortenRange(int offsetInLayer, size_t numOfBytesToShorten) const + { + int rawPacketLen = m_Packet->getRawPacket()->getRawDataLen(); + const uint8_t* rawPacketPtr = m_Packet->getRawPacket()->getRawData(); + + if (m_Data - rawPacketPtr + static_cast(offsetInLayer) + + static_cast(numOfBytesToShorten) > + static_cast(rawPacketLen)) + { + PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than total packet length"); + return false; + } + + if (m_NextLayer != nullptr && + static_cast(offsetInLayer) + static_cast(numOfBytesToShorten) > + m_NextLayer->getData() - m_Data) + { + PCPP_LOG_ERROR("Requested number of bytes to shorten exceeds current layer's boundary"); + return false; + } + + return true; + } + // ~~~~~~~~~~~~~~~~~~~~ // BgpOpenMessageLayer // ~~~~~~~~~~~~~~~~~~~~ 
@@ -261,29 +306,34 @@ namespace pcpp uint8_t newOptionalParamsData[1500]; size_t newOptionalParamsDataLen = optionalParamsToByteArray(optionalParameters, newOptionalParamsData, 1500); size_t curOptionalParamsDataLen = getOptionalParametersLength(); + int offsetInLayer = sizeof(bgp_open_message); if (newOptionalParamsDataLen > curOptionalParamsDataLen) { - bool res = extendLayer(sizeof(bgp_open_message), newOptionalParamsDataLen - curOptionalParamsDataLen); - if (!res) + size_t numOfBytesToExtend = newOptionalParamsDataLen - curOptionalParamsDataLen; + + if (!isValidExtendRange(offsetInLayer, numOfBytesToExtend) || + !extendLayer(offsetInLayer, numOfBytesToExtend)) { PCPP_LOG_ERROR("Couldn't extend BGP open layer to include the additional optional parameters"); - return res; + return false; } } else if (newOptionalParamsDataLen < curOptionalParamsDataLen) { - bool res = shortenLayer(sizeof(bgp_open_message), curOptionalParamsDataLen - newOptionalParamsDataLen); - if (!res) + size_t numOfBytesToShorten = curOptionalParamsDataLen - newOptionalParamsDataLen; + + if (!isValidShortenRange(offsetInLayer, numOfBytesToShorten) || + !shortenLayer(offsetInLayer, numOfBytesToShorten)) { PCPP_LOG_ERROR("Couldn't shorten BGP open layer to set the right size of the optional parameters data"); - return res; + return false; } } if (newOptionalParamsDataLen > 0) { - memcpy(m_Data + sizeof(bgp_open_message), newOptionalParamsData, newOptionalParamsDataLen); + memcpy(m_Data + offsetInLayer, newOptionalParamsData, newOptionalParamsDataLen); } getOpenMsgHeader()->optionalParameterLength = (uint8_t)newOptionalParamsDataLen; 
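Review bot: `int offsetInLayer = sizeof(bgp_open_message);` narrows a `size_t` into the `int` that `extendLayer`/`shortenLayer` take without saying so; the same implicit narrowing appears in the withdrawn-routes, path-attributes, NLRI and notification hunks that follow, where the sum also includes the current variable-length sections. A `static_cast<int>(...)` at each site keeps the conversion visible (and `-Wconversion`-clean), and a one-line comment on the first occurrence, `// offset is bounded by the 16-bit BGP length field, so narrowing to the int offset Layer expects is safe`, records why it is acceptable. Each enclosing setter starts outside its hunk.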
@@ -565,32 +615,34 @@ namespace pcpp uint8_t newWithdrawnRoutesData[1500]; size_t newWithdrawnRoutesDataLen = prefixAndIPDataToByteArray(withdrawnRoutes, newWithdrawnRoutesData, 1500); size_t curWithdrawnRoutesDataLen = getWithdrawnRoutesLength(); + int offsetInLayer = sizeof(bgp_common_header) + sizeof(uint16_t); if (newWithdrawnRoutesDataLen > curWithdrawnRoutesDataLen) { - bool res = extendLayer(sizeof(bgp_common_header) + sizeof(uint16_t), - newWithdrawnRoutesDataLen - curWithdrawnRoutesDataLen); - if (!res) + size_t numOfBytesToExtend = newWithdrawnRoutesDataLen - curWithdrawnRoutesDataLen; + + if (!isValidExtendRange(offsetInLayer, numOfBytesToExtend) || + !extendLayer(offsetInLayer, numOfBytesToExtend)) { - PCPP_LOG_ERROR("Couldn't extend BGP update layer to include the additional withdrawn routes"); - return res; + PCPP_LOG_ERROR("Couldn't extend BGP open layer to include the additional optional parameters"); + return false; } } else if (newWithdrawnRoutesDataLen < curWithdrawnRoutesDataLen) { - bool res = shortenLayer(sizeof(bgp_common_header) + sizeof(uint16_t), - curWithdrawnRoutesDataLen - newWithdrawnRoutesDataLen); - if (!res) + size_t numOfBytesToShorten = curWithdrawnRoutesDataLen - newWithdrawnRoutesDataLen; + + if (!isValidShortenRange(offsetInLayer, numOfBytesToShorten) || + !shortenLayer(offsetInLayer, numOfBytesToShorten)) { - PCPP_LOG_ERROR("Couldn't shorten BGP update layer to set the right size of the withdrawn routes data"); - return res; + PCPP_LOG_ERROR("Couldn't shorten BGP open layer to set the right size of the optional parameters data"); + return false; } } if (newWithdrawnRoutesDataLen > 0) { - memcpy(m_Data + sizeof(bgp_common_header) + sizeof(uint16_t), newWithdrawnRoutesData, - newWithdrawnRoutesDataLen); + memcpy(m_Data + offsetInLayer, newWithdrawnRoutesData, newWithdrawnRoutesDataLen); } getBasicHeader()->length = 
@@ -642,32 +694,34 @@ namespace pcpp size_t newPathAttributesDataLen = pathAttributesToByteArray(pathAttributes, newPathAttributesData, 1500); size_t curPathAttributesDataLen = getPathAttributesLength(); size_t curWithdrawnRoutesDataLen = getWithdrawnRoutesLength(); + int offsetInLayer = sizeof(bgp_common_header) + 2 * sizeof(uint16_t) + curWithdrawnRoutesDataLen; if (newPathAttributesDataLen > curPathAttributesDataLen) { - bool res = extendLayer(sizeof(bgp_common_header) + 2 * sizeof(uint16_t) + curWithdrawnRoutesDataLen, - newPathAttributesDataLen - curPathAttributesDataLen); - if (!res) + size_t numOfBytesToExtend = newPathAttributesDataLen - curPathAttributesDataLen; + + if (!isValidExtendRange(offsetInLayer, numOfBytesToExtend) || + !extendLayer(offsetInLayer, numOfBytesToExtend)) { - PCPP_LOG_ERROR("Couldn't extend BGP update layer to include the additional path attributes"); - return res; + PCPP_LOG_ERROR("Couldn't extend BGP open layer to include the additional optional parameters"); + return false; } } else if (newPathAttributesDataLen < curPathAttributesDataLen) { - bool res = shortenLayer(sizeof(bgp_common_header) + 2 * sizeof(uint16_t) + curWithdrawnRoutesDataLen, - curPathAttributesDataLen - newPathAttributesDataLen); - if (!res) + size_t numOfBytesToShorten = curPathAttributesDataLen - newPathAttributesDataLen; + + if (!isValidShortenRange(offsetInLayer, numOfBytesToShorten) || + !shortenLayer(offsetInLayer, numOfBytesToShorten)) { - PCPP_LOG_ERROR("Couldn't shorten BGP update layer to set the right size of the path attributes data"); - return res; + PCPP_LOG_ERROR("Couldn't shorten BGP open layer to set the right size of the optional parameters data"); + return false; } } if (newPathAttributesDataLen > 0) { - memcpy(m_Data + sizeof(bgp_common_header) + 2 * sizeof(uint16_t) + curWithdrawnRoutesDataLen, - newPathAttributesData, newPathAttributesDataLen); + memcpy(m_Data + offsetInLayer, newPathAttributesData, newPathAttributesDataLen); } 
getBasicHeader()->length = 
@@ -741,35 +795,35 @@ namespace pcpp size_t curNlriDataLen = getNetworkLayerReachabilityInfoLength(); size_t curPathAttributesDataLen = getPathAttributesLength(); size_t curWithdrawnRoutesDataLen = getWithdrawnRoutesLength(); + int offsetInLayer = + sizeof(bgp_common_header) + 2 * sizeof(uint16_t) + curWithdrawnRoutesDataLen + curPathAttributesDataLen; if (newNlriDataLen > curNlriDataLen) { - bool res = extendLayer(sizeof(bgp_common_header) + 2 * sizeof(uint16_t) + curWithdrawnRoutesDataLen + - curPathAttributesDataLen, - newNlriDataLen - curNlriDataLen); - if (!res) + size_t numOfBytesToExtend = newNlriDataLen - curNlriDataLen; + + if (!isValidExtendRange(offsetInLayer, numOfBytesToExtend) || + !extendLayer(offsetInLayer, numOfBytesToExtend)) { - PCPP_LOG_ERROR("Couldn't extend BGP update layer to include the additional NLRI data"); - return res; + PCPP_LOG_ERROR("Couldn't extend BGP open layer to include the additional optional parameters"); + return false; } } else if (newNlriDataLen < curNlriDataLen) { - bool res = shortenLayer(sizeof(bgp_common_header) + 2 * sizeof(uint16_t) + curWithdrawnRoutesDataLen + - curPathAttributesDataLen, - curNlriDataLen - newNlriDataLen); - if (!res) + size_t numOfBytesToShorten = curNlriDataLen - newNlriDataLen; + + if (!isValidShortenRange(offsetInLayer, numOfBytesToShorten) || + !shortenLayer(offsetInLayer, numOfBytesToShorten)) { - PCPP_LOG_ERROR("Couldn't shorten BGP update layer to set the right size of the NLRI data"); - return res; + PCPP_LOG_ERROR("Couldn't shorten BGP open layer to set the right size of the optional parameters data"); + return false; } } if (newNlriDataLen > 0) { - memcpy(m_Data + sizeof(bgp_common_header) + 2 * sizeof(uint16_t) + curWithdrawnRoutesDataLen + - curPathAttributesDataLen, - newNlriData, newNlriDataLen); + memcpy(m_Data + offsetInLayer, newNlriData, newNlriDataLen); } getBasicHeader()->length = htobe16(be16toh(getBasicHeader()->length) + newNlriDataLen - curNlriDataLen); 
@@ -866,30 +920,34 @@ namespace pcpp } size_t curNotificationDataLen = getNotificationDataLen(); + int offsetInLayer = sizeof(bgp_notification_message); if (newNotificationDataLen > curNotificationDataLen) { - bool res = extendLayer(sizeof(bgp_notification_message), newNotificationDataLen - curNotificationDataLen); - if (!res) + size_t numOfBytesToExtend = newNotificationDataLen - curNotificationDataLen; + + if (!isValidExtendRange(offsetInLayer, numOfBytesToExtend) || + !extendLayer(offsetInLayer, numOfBytesToExtend)) { - PCPP_LOG_ERROR("Couldn't extend BGP notification layer to include the additional notification data"); - return res; + PCPP_LOG_ERROR("Couldn't extend BGP open layer to include the additional optional parameters"); + return false; } } else if (newNotificationDataLen < curNotificationDataLen) { - bool res = shortenLayer(sizeof(bgp_notification_message), curNotificationDataLen - newNotificationDataLen); - if (!res) + size_t numOfBytesToShorten = curNotificationDataLen - newNotificationDataLen; + + if (!isValidShortenRange(offsetInLayer, numOfBytesToShorten) || + !shortenLayer(offsetInLayer, numOfBytesToShorten)) { - PCPP_LOG_ERROR( - "Couldn't shorten BGP notification layer to set the right size of the notification data"); - return res; + PCPP_LOG_ERROR("Couldn't shorten BGP open layer to set the right size of the optional parameters data"); + return false; } } if (newNotificationDataLen > 0) { - memcpy(m_Data + sizeof(bgp_notification_message), newNotificationData, newNotificationDataLen); + memcpy(m_Data + offsetInLayer, newNotificationData, newNotificationDataLen); } getNotificationMsgHeader()->length = htobe16(sizeof(bgp_notification_message) + newNotificationDataLen); diff --git a/Packet++/src/Layer.cpp b/Packet++/src/Layer.cpp index ec0e80079f..8e049b494a 100644 --- a/Packet++/src/Layer.cpp +++ b/Packet++/src/Layer.cpp 
@@ -61,20 +61,13 @@ namespace pcpp return false; } - if (offsetInLayer < 0) - { - PCPP_LOG_ERROR("Requested offset is negative"); - return false; - } - - if (static_cast(offsetInLayer) > m_DataLen) - { - PCPP_LOG_ERROR("Requested offset is larger than data length"); - return false; - } - if (m_Packet == nullptr) { + if (static_cast(offsetInLayer) > m_DataLen) + { + PCPP_LOG_ERROR("Requested offset is larger than data length"); + return false; + } uint8_t* newData = new uint8_t[m_DataLen + numOfBytesToExtend]; memcpy(newData, m_Data, offsetInLayer); memcpy(newData + offsetInLayer + numOfBytesToExtend, m_Data + offsetInLayer, m_DataLen - offsetInLayer); @@ -84,19 +77,6 @@ namespace pcpp return true; } - if (m_Data - m_Packet->m_RawPacket->getRawData() + static_cast(offsetInLayer) > - static_cast(m_Packet->m_RawPacket->getRawDataLen())) - { - PCPP_LOG_ERROR("Requested offset is larger than total packet length"); - return false; - } - - if (m_NextLayer != nullptr && static_cast(offsetInLayer) > m_NextLayer->m_Data - m_Data) - { - PCPP_LOG_ERROR("Requested offset exceeds current layer's boundary"); - return false; - } - return m_Packet->extendLayer(this, offsetInLayer, numOfBytesToExtend); } @@ -108,20 +88,13 @@ namespace pcpp return false; } - if (offsetInLayer < 0) - { - PCPP_LOG_ERROR("Requested offset is negative"); - return false; - } - - if (static_cast(offsetInLayer) >= m_DataLen) - { - PCPP_LOG_ERROR("Requested offset is larger than data length"); - return false; - } - if (m_Packet == nullptr) { + if (static_cast(offsetInLayer) >= m_DataLen) + { + PCPP_LOG_ERROR("Requested offset is larger than data length"); + return false; + } uint8_t* newData = new uint8_t[m_DataLen - numOfBytesToShorten]; memcpy(newData, m_Data, offsetInLayer); memcpy(newData + offsetInLayer, m_Data + offsetInLayer + numOfBytesToShorten, 
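Review bot: Dropping the `offsetInLayer < 0` guard in both the extend and shorten hunks leaves signed-to-unsigned casts as the only defence against a negative offset: in the `m_Packet == nullptr` branch `static_cast<size_t>(offsetInLayer) > m_DataLen` still rejects it by wrap-around, but on the packet-attached path the `ptrdiff_t` comparisons that replace these checks in BgpLayer pass a negative value straight through, and the combined check that PATCH 13 later moves in front of the nullptr test, `static_cast<size_t>(offsetInLayer) + numOfBytesToShorten > m_DataLen`, can wrap back below `m_DataLen` for such a value. Keeping the guard at the top of both functions is cheap: `if (offsetInLayer < 0) { PCPP_LOG_ERROR("Requested offset is negative"); return false; }`. Both enclosing functions start outside their hunks.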
@@ -138,22 +111,6 @@ namespace pcpp return false; } - if (m_Data - m_Packet->m_RawPacket->getRawData() + static_cast(offsetInLayer) + - static_cast(numOfBytesToShorten) > - static_cast(m_Packet->m_RawPacket->getRawDataLen())) - { - PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than total packet length"); - return false; - } - - if (m_NextLayer != nullptr && - static_cast(offsetInLayer) + static_cast(numOfBytesToShorten) > - m_NextLayer->m_Data - m_Data) - { - PCPP_LOG_ERROR("Requested number of bytes to shorten exceeds current layer's boundary"); - return false; - } - return m_Packet->shortenLayer(this, offsetInLayer, numOfBytesToShorten); } From 757fe2e33ede3337471ed3d4dff2e1adca39c657 Mon Sep 17 00:00:00 2001 From: Dashka Date: Tue, 7 Oct 2025 11:55:14 +0300 Subject: [PATCH 10/14] Fix log messages in BgpLayer.cpp --- Packet++/src/BgpLayer.cpp | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/Packet++/src/BgpLayer.cpp b/Packet++/src/BgpLayer.cpp index e596e3e826..268326743c 100644 --- a/Packet++/src/BgpLayer.cpp +++ b/Packet++/src/BgpLayer.cpp @@ -624,7 +624,7 @@ namespace pcpp if (!isValidExtendRange(offsetInLayer, numOfBytesToExtend) || !extendLayer(offsetInLayer, numOfBytesToExtend)) { - PCPP_LOG_ERROR("Couldn't extend BGP open layer to include the additional optional parameters"); + PCPP_LOG_ERROR("Couldn't extend BGP update layer to include the additional withdrawn routes"); return false; } } @@ -635,7 +635,7 @@ namespace pcpp if (!isValidShortenRange(offsetInLayer, numOfBytesToShorten) || !shortenLayer(offsetInLayer, numOfBytesToShorten)) { - PCPP_LOG_ERROR("Couldn't shorten BGP open layer to set the right size of the optional parameters data"); + PCPP_LOG_ERROR("Couldn't shorten BGP update layer to set the right size of the withdrawn routes data"); return false; } } 
@@ -703,7 +703,7 @@ namespace pcpp if (!isValidExtendRange(offsetInLayer, numOfBytesToExtend) || !extendLayer(offsetInLayer, numOfBytesToExtend)) { - PCPP_LOG_ERROR("Couldn't extend BGP open layer to include the additional optional parameters"); + PCPP_LOG_ERROR("Couldn't extend BGP update layer to include the additional path attributes"); return false; } } @@ -714,7 +714,7 @@ namespace pcpp if (!isValidShortenRange(offsetInLayer, numOfBytesToShorten) || !shortenLayer(offsetInLayer, numOfBytesToShorten)) { - PCPP_LOG_ERROR("Couldn't shorten BGP open layer to set the right size of the optional parameters data"); + PCPP_LOG_ERROR("Couldn't shorten BGP update layer to set the right size of the path attributes data"); return false; } } @@ -805,7 +805,7 @@ namespace pcpp if (!isValidExtendRange(offsetInLayer, numOfBytesToExtend) || !extendLayer(offsetInLayer, numOfBytesToExtend)) { - PCPP_LOG_ERROR("Couldn't extend BGP open layer to include the additional optional parameters"); + PCPP_LOG_ERROR("Couldn't extend BGP update layer to include the additional NLRI data"); return false; } } @@ -816,7 +816,7 @@ namespace pcpp if (!isValidShortenRange(offsetInLayer, numOfBytesToShorten) || !shortenLayer(offsetInLayer, numOfBytesToShorten)) { - PCPP_LOG_ERROR("Couldn't shorten BGP open layer to set the right size of the optional parameters data"); + PCPP_LOG_ERROR("Couldn't shorten BGP update layer to set the right size of the NLRI data"); return false; } } @@ -929,7 +929,7 @@ namespace pcpp if (!isValidExtendRange(offsetInLayer, numOfBytesToExtend) || !extendLayer(offsetInLayer, numOfBytesToExtend)) { - PCPP_LOG_ERROR("Couldn't extend BGP open layer to include the additional optional parameters"); + PCPP_LOG_ERROR("Couldn't extend BGP notification layer to include the additional notification data"); return false; } } 
@@ -940,7 +940,7 @@ namespace pcpp if (!isValidShortenRange(offsetInLayer, numOfBytesToShorten) || !shortenLayer(offsetInLayer, numOfBytesToShorten)) { - PCPP_LOG_ERROR("Couldn't shorten BGP open layer to set the right size of the optional parameters data"); + PCPP_LOG_ERROR("Couldn't shorten BGP notification layer to set the right size of the notification data"); return false; } } From ad4e2b6ca7763d42ff6f92d901617716e599e769 Mon Sep 17 00:00:00 2001 From: Dashka Date: Tue, 7 Oct 2025 17:35:11 +0300 Subject: [PATCH 11/14] Fix formatting issues --- Packet++/src/BgpLayer.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Packet++/src/BgpLayer.cpp b/Packet++/src/BgpLayer.cpp index 268326743c..6485ad3d99 100644 --- a/Packet++/src/BgpLayer.cpp +++ b/Packet++/src/BgpLayer.cpp @@ -940,7 +940,8 @@ namespace pcpp if (!isValidShortenRange(offsetInLayer, numOfBytesToShorten) || !shortenLayer(offsetInLayer, numOfBytesToShorten)) { - PCPP_LOG_ERROR("Couldn't shorten BGP notification layer to set the right size of the notification data"); + PCPP_LOG_ERROR( + "Couldn't shorten BGP notification layer to set the right size of the notification data"); return false; } } From 1b556ab4fdcdc31e00fa3bf07daa7e85cd81c224 Mon Sep 17 00:00:00 2001 From: Dashka Date: Thu, 9 Oct 2025 19:49:18 +0300 Subject: [PATCH 12/14] Remove commented-out line --- Packet++/src/Packet.cpp | 1 - 1 file changed, 1 deletion(-) diff --git a/Packet++/src/Packet.cpp b/Packet++/src/Packet.cpp index a837c18363..a12cf6c2f4 100644 --- a/Packet++/src/Packet.cpp +++ b/Packet++/src/Packet.cpp @@ -683,7 +683,6 @@ namespace pcpp curLayer->m_DataLen -= numOfBytesToShorten; // assuming header length of the layer that requested to be extended hasn't been enlarged yet - // size_t headerLen = curLayer->getHeaderLen() - (curLayer == layer ? numOfBytesToShorten : 0); headerLen -= (curLayer == layer ? numOfBytesToShorten : 0); dataPtr += headerLen; curLayer = curLayer->getNextLayer(); 
From 3e7231922ce874cbecbd07dbf708059e315af2a4 Mon Sep 17 00:00:00 2001 From: Dashka Date: Thu, 9 Oct 2025 19:50:14 +0300 Subject: [PATCH 13/14] Move number of bytes to shorten check before m_Packet == nullptr check --- Packet++/src/Layer.cpp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Packet++/src/Layer.cpp b/Packet++/src/Layer.cpp index 8e049b494a..171855907c 100644 --- a/Packet++/src/Layer.cpp +++ b/Packet++/src/Layer.cpp @@ -88,6 +88,12 @@ namespace pcpp return false; } + if (static_cast(offsetInLayer) + numOfBytesToShorten > m_DataLen) + { + PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than data length"); + return false; + } + if (m_Packet == nullptr) { if (static_cast(offsetInLayer) >= m_DataLen) @@ -105,12 +111,6 @@ namespace pcpp return true; } - if (static_cast(offsetInLayer) + numOfBytesToShorten > m_DataLen) - { - PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than data length"); - return false; - } - return m_Packet->shortenLayer(this, offsetInLayer, numOfBytesToShorten); } From 0f3fc26125e4ce33e2fad7c0f10ed6e377c28a99 Mon Sep 17 00:00:00 2001 From: Dashka Date: Thu, 9 Oct 2025 19:52:59 +0300 Subject: [PATCH 14/14] Move shortenLayer/extendLayer validity checks to BgpLayer::extendLayer and BgpLayer::shortenLayer Add m_Packet != nullptr check to prevent nullptr dereference --- Packet++/header/BgpLayer.h | 4 +- Packet++/src/BgpLayer.cpp | 96 ++++++++++++++++++-------------------- 2 files changed, 48 insertions(+), 52 deletions(-) diff --git a/Packet++/header/BgpLayer.h b/Packet++/header/BgpLayer.h index 22767e0ad4..fceb02142b 100644 --- a/Packet++/header/BgpLayer.h +++ b/Packet++/header/BgpLayer.h 
@@ -114,9 +114,9 @@ namespace pcpp void setBgpFields(size_t messageLen = 0); - bool isValidExtendRange(int offsetInLayer, size_t numOfBytesToExtend) const; + bool extendLayer(int offsetInLayer, size_t numOfBytesToExtend) override; - bool isValidShortenRange(int offsetInLayer, size_t numOfBytesToShorten) const; + bool shortenLayer(int offsetInLayer, size_t numOfBytesToShorten) override; }; /// @class BgpOpenMessageLayer diff --git a/Packet++/src/BgpLayer.cpp b/Packet++/src/BgpLayer.cpp index 6485ad3d99..4e5098ccec 100644 --- a/Packet++/src/BgpLayer.cpp +++ b/Packet++/src/BgpLayer.cpp 
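Review bot: The two new overrides are declared without the `///` comment the surrounding header uses, so a reader of BgpLayer.h cannot tell that they add packet-boundary validation before delegating to `Layer`. Something like `/// Bounds-checked override: rejects an offset past the raw packet or past the start of the next layer, then delegates to Layer::extendLayer` (and the shorten counterpart, which also checks `offsetInLayer + numOfBytesToShorten` against the same limits) would document the contract. The enclosing class starts outside the hunk.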
@@ -118,48 +118,54 @@ namespace pcpp } } - bool BgpLayer::isValidExtendRange(int offsetInLayer, size_t numOfBytesToExtend) const + bool BgpLayer::extendLayer(int offsetInLayer, size_t numOfBytesToExtend) { - int rawPacketLen = m_Packet->getRawPacket()->getRawDataLen(); - const uint8_t* rawPacketPtr = m_Packet->getRawPacket()->getRawData(); - - if (m_Data - rawPacketPtr + static_cast(offsetInLayer) > static_cast(rawPacketLen)) + if (m_Packet != nullptr) { - PCPP_LOG_ERROR("Requested offset is larger than total packet length"); - return false; - } + int rawPacketLen = m_Packet->getRawPacket()->getRawDataLen(); + const uint8_t* rawPacketPtr = m_Packet->getRawPacket()->getRawData(); - if (m_NextLayer != nullptr && static_cast(offsetInLayer) > m_NextLayer->getData() - m_Data) - { - PCPP_LOG_ERROR("Requested offset exceeds current layer's boundary"); - return false; + if (m_Data - rawPacketPtr + static_cast(offsetInLayer) > static_cast(rawPacketLen)) + { + PCPP_LOG_ERROR("Requested offset is larger than total packet length"); + return false; + } + + if (m_NextLayer != nullptr && static_cast(offsetInLayer) > m_NextLayer->getData() - m_Data) + { + PCPP_LOG_ERROR("Requested offset exceeds current layer's boundary"); + return false; + } } - return true; + return Layer::extendLayer(offsetInLayer, numOfBytesToExtend); } - bool BgpLayer::isValidShortenRange(int offsetInLayer, size_t numOfBytesToShorten) const + bool BgpLayer::shortenLayer(int offsetInLayer, size_t numOfBytesToShorten) { - int rawPacketLen = m_Packet->getRawPacket()->getRawDataLen(); - const uint8_t* rawPacketPtr = m_Packet->getRawPacket()->getRawData(); - - if (m_Data - rawPacketPtr + static_cast(offsetInLayer) + - static_cast(numOfBytesToShorten) > - static_cast(rawPacketLen)) + if (m_Packet != nullptr) { - PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than total packet length"); - return false; - } + int rawPacketLen = m_Packet->getRawPacket()->getRawDataLen(); + const uint8_t* rawPacketPtr = 
m_Packet->getRawPacket()->getRawData(); - if (m_NextLayer != nullptr && - static_cast(offsetInLayer) + static_cast(numOfBytesToShorten) > - m_NextLayer->getData() - m_Data) - { - PCPP_LOG_ERROR("Requested number of bytes to shorten exceeds current layer's boundary"); - return false; + if (m_Data - rawPacketPtr + static_cast(offsetInLayer) + + static_cast(numOfBytesToShorten) > + static_cast(rawPacketLen)) + { + PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than total packet length"); + return false; + } + + if (m_NextLayer != nullptr && + static_cast(offsetInLayer) + static_cast(numOfBytesToShorten) > + m_NextLayer->getData() - m_Data) + { + PCPP_LOG_ERROR("Requested number of bytes to shorten exceeds current layer's boundary"); + return false; + } } - return true; + return Layer::shortenLayer(offsetInLayer, numOfBytesToShorten); } // ~~~~~~~~~~~~~~~~~~~~ @@ -312,8 +318,7 @@ namespace pcpp { size_t numOfBytesToExtend = newOptionalParamsDataLen - curOptionalParamsDataLen; - if (!isValidExtendRange(offsetInLayer, numOfBytesToExtend) || - !extendLayer(offsetInLayer, numOfBytesToExtend)) + if (!extendLayer(offsetInLayer, numOfBytesToExtend)) { PCPP_LOG_ERROR("Couldn't extend BGP open layer to include the additional optional parameters"); return false; @@ -323,8 +328,7 @@ namespace pcpp { size_t numOfBytesToShorten = curOptionalParamsDataLen - newOptionalParamsDataLen; - if (!isValidShortenRange(offsetInLayer, numOfBytesToShorten) || - !shortenLayer(offsetInLayer, numOfBytesToShorten)) + if (!shortenLayer(offsetInLayer, numOfBytesToShorten)) { PCPP_LOG_ERROR("Couldn't shorten BGP open layer to set the right size of the optional parameters data"); return false; 
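Review bot: `BgpLayer::extendLayer` and `BgpLayer::shortenLayer` repeat the same prologue (fetch `rawPacketLen`/`rawPacketPtr`, compare the offset against the packet end and then against `m_NextLayer->getData() - m_Data`), differing only in whether `numOfBytesToShorten` is added; a single private helper taking the extra byte count (zero for extend) would leave one copy of the arithmetic and keep the two log messages in one place. The `m_Packet != nullptr` branch also deserves a line saying where validation happens otherwise, e.g. `// Detached layer (no packet): Layer::extendLayer checks the offset against m_DataLen itself`, which is the check left in the nullptr branch of Layer.cpp. This is the first hunk of the section; the call-site hunks that follow only drop the now-redundant isValid* calls.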
@@ -621,8 +625,7 @@ namespace pcpp { size_t numOfBytesToExtend = newWithdrawnRoutesDataLen - curWithdrawnRoutesDataLen; - if (!isValidExtendRange(offsetInLayer, numOfBytesToExtend) || - !extendLayer(offsetInLayer, numOfBytesToExtend)) + if (!extendLayer(offsetInLayer, numOfBytesToExtend)) { PCPP_LOG_ERROR("Couldn't extend BGP update layer to include the additional withdrawn routes"); return false; @@ -632,8 +635,7 @@ namespace pcpp { size_t numOfBytesToShorten = curWithdrawnRoutesDataLen - newWithdrawnRoutesDataLen; - if (!isValidShortenRange(offsetInLayer, numOfBytesToShorten) || - !shortenLayer(offsetInLayer, numOfBytesToShorten)) + if (!shortenLayer(offsetInLayer, numOfBytesToShorten)) { PCPP_LOG_ERROR("Couldn't shorten BGP update layer to set the right size of the withdrawn routes data"); return false; @@ -700,8 +702,7 @@ namespace pcpp { size_t numOfBytesToExtend = newPathAttributesDataLen - curPathAttributesDataLen; - if (!isValidExtendRange(offsetInLayer, numOfBytesToExtend) || - !extendLayer(offsetInLayer, numOfBytesToExtend)) + if (!extendLayer(offsetInLayer, numOfBytesToExtend)) { PCPP_LOG_ERROR("Couldn't extend BGP update layer to include the additional path attributes"); return false; @@ -711,8 +712,7 @@ namespace pcpp { size_t numOfBytesToShorten = curPathAttributesDataLen - newPathAttributesDataLen; - if (!isValidShortenRange(offsetInLayer, numOfBytesToShorten) || - !shortenLayer(offsetInLayer, numOfBytesToShorten)) + if (!shortenLayer(offsetInLayer, numOfBytesToShorten)) { PCPP_LOG_ERROR("Couldn't shorten BGP update layer to set the right size of the path attributes data"); return false; 
@@ -802,8 +802,7 @@ namespace pcpp { size_t numOfBytesToExtend = newNlriDataLen - curNlriDataLen; - if (!isValidExtendRange(offsetInLayer, numOfBytesToExtend) || - !extendLayer(offsetInLayer, numOfBytesToExtend)) + if (!extendLayer(offsetInLayer, numOfBytesToExtend)) { PCPP_LOG_ERROR("Couldn't extend BGP update layer to include the additional NLRI data"); return false; @@ -813,8 +812,7 @@ namespace pcpp { size_t numOfBytesToShorten = curNlriDataLen - newNlriDataLen; - if (!isValidShortenRange(offsetInLayer, numOfBytesToShorten) || - !shortenLayer(offsetInLayer, numOfBytesToShorten)) + if (!shortenLayer(offsetInLayer, numOfBytesToShorten)) { PCPP_LOG_ERROR("Couldn't shorten BGP update layer to set the right size of the NLRI data"); return false; @@ -926,8 +924,7 @@ namespace pcpp { size_t numOfBytesToExtend = newNotificationDataLen - curNotificationDataLen; - if (!isValidExtendRange(offsetInLayer, numOfBytesToExtend) || - !extendLayer(offsetInLayer, numOfBytesToExtend)) + if (!extendLayer(offsetInLayer, numOfBytesToExtend)) { PCPP_LOG_ERROR("Couldn't extend BGP notification layer to include the additional notification data"); return false; @@ -937,8 +934,7 @@ namespace pcpp { size_t numOfBytesToShorten = curNotificationDataLen - newNotificationDataLen; - if (!isValidShortenRange(offsetInLayer, numOfBytesToShorten) || - !shortenLayer(offsetInLayer, numOfBytesToShorten)) + if (!shortenLayer(offsetInLayer, numOfBytesToShorten)) { PCPP_LOG_ERROR( "Couldn't shorten BGP notification layer to set the right size of the notification data");