Ensure that payload pointer is appropriately aligned

royhills · royhills · commit 30e47af5800f · 2007-01-14T19:05:39.000Z
to avoid bus error on RISC CPUs like SPARC.
Update copyright dates.
Increment version number due to display_packet() change.


git-svn-id: svn+ssh://svn.nta-monitor.com/trunk/opensource/ike-scan@9884 062a1500-4a13-0410-a63b-ee65f32af78f
diff --git a/ChangeLog b/ChangeLog
@@ -1,5 +1,10 @@
 $Id$
 
+2007-01-14 Roy Hills <Roy.Hills@nta-monitor.com>
+
+	* ike-scan.c: Refactored display_packet() to ensure that payload
+	  is correctly aligned.
+
 2007-01-13 Roy Hills <Roy.Hills@nta-monitor.com>
 
 	* check-decode: New tests for pkt-main-natt-response,
diff --git a/check-hash.c b/check-hash.c
@@ -1,5 +1,5 @@
 /*
- * The IKE Scanner (ike-scan) is Copyright (C) 2003-2005 Roy Hills,
+ * The IKE Scanner (ike-scan) is Copyright (C) 2003-2007 Roy Hills,
  * NTA Monitor Ltd.
  *
  * This program is free software; you can redistribute it and/or
diff --git a/check-sizes.c b/check-sizes.c
@@ -1,5 +1,5 @@
 /*
- * The IKE Scanner (ike-scan) is Copyright (C) 2003-2005 Roy Hills,
+ * The IKE Scanner (ike-scan) is Copyright (C) 2003-2007 Roy Hills,
  * NTA Monitor Ltd.
  *
  * This program is free software; you can redistribute it and/or
diff --git a/configure.ac b/configure.ac
@@ -1,7 +1,7 @@
 dnl $Id$
 dnl Process this file with autoconf to produce a configure script.
 
-AC_INIT([ike-scan],[1.8.7],[ike-scan@nta-monitor.com])
+AC_INIT([ike-scan],[1.8.8],[ike-scan@nta-monitor.com])
 AC_PREREQ(2.59)
 AC_REVISION($Revision$)
 AC_CONFIG_SRCDIR([ike-scan.c])
diff --git a/error.c b/error.c
@@ -1,5 +1,5 @@
 /*
- * The IKE Scanner (ike-scan) is Copyright (C) 2003-2005 Roy Hills,
+ * The IKE Scanner (ike-scan) is Copyright (C) 2003-2007 Roy Hills,
  * NTA Monitor Ltd.
  *
  * This program is free software; you can redistribute it and/or
diff --git a/hash_functions.h b/hash_functions.h
@@ -1,5 +1,5 @@
 /*
- * The IKE Scanner (ike-scan) is Copyright (C) 2003-2005 Roy Hills,
+ * The IKE Scanner (ike-scan) is Copyright (C) 2003-2007 Roy Hills,
  * NTA Monitor Ltd.
  *
  * This program is free software; you can redistribute it and/or
diff --git a/ike-backoff-patterns b/ike-backoff-patterns
@@ -1,4 +1,4 @@
-# The IKE Scanner (ike-scan) is Copyright (C) 2003-2005 Roy Hills,
+# The IKE Scanner (ike-scan) is Copyright (C) 2003-2007 Roy Hills,
 # NTA Monitor Ltd.
 #
 # This program is free software; you can redistribute it and/or
diff --git a/ike-scan.c b/ike-scan.c
@@ -1,5 +1,5 @@
 /*
- * The IKE Scanner (ike-scan) is Copyright (C) 2003-2005 Roy Hills,
+ * The IKE Scanner (ike-scan) is Copyright (C) 2003-2007 Roy Hills,
  * NTA Monitor Ltd.
  *
  * This program is free software; you can redistribute it and/or
@@ -400,7 +400,7 @@ main(int argc, char *argv[]) {
             break;
          case 'V':	/* --version */
             fprintf(stderr, "%s\n\n", PACKAGE_STRING);
-            fprintf(stderr, "Copyright (C) 2003-2005 Roy Hills, NTA Monitor Ltd.\n");
+            fprintf(stderr, "Copyright (C) 2003-2007 Roy Hills, NTA Monitor Ltd.\n");
             fprintf(stderr, "ike-scan comes with NO WARRANTY to the extent permitted by law.\n");
             fprintf(stderr, "You may redistribute copies of ike-scan under the terms of the GNU\n");
             fprintf(stderr, "General Public License.\n");
@@ -1531,6 +1531,7 @@ display_packet(int n, unsigned char *packet_in, host_entry *he,
  *	Process ISAKMP header.
  *	If this returns zero length left, indicating some sort of problem, then
  *	we report a short or malformed packet and return.
+ *	If the processing is successful, pkt_ptr points to the next payload.
  */
    bytes_left = n;	/* Set remaining length to total packet len */
    if (psk_crack_flag)
@@ -1545,6 +1546,8 @@ display_packet(int n, unsigned char *packet_in, host_entry *he,
    }
 /*
  *	Determine the overall type of the packet from the first payload type.
+ *	We assume that pkt_ptr is suitably aligned because the ISAKMP header
+ *	has a fixed length that is divisible by 4.
  */
    switch (next) {
       case ISAKMP_NEXT_SA:	/* SA */
@@ -1584,58 +1587,43 @@ display_packet(int n, unsigned char *packet_in, host_entry *he,
  *	Process any other interesting payloads if quiet is not in effect.
  */
    if (!quiet) {
+      unsigned char *payload_ptr;
+
       while (bytes_left) {
-         if (next == ISAKMP_NEXT_VID) {
-            msg2=msg;
-            cp = process_vid(pkt_ptr, bytes_left, vidlist);
-            msg=make_message("%s%s%s", msg2, multiline?"\n\t":" ", cp);
-            free(msg2);	/* Free old message */
-            free(cp);	/* Free VID payload message */
-         } else if (next == ISAKMP_NEXT_ID ) {
-            if (psk_crack_flag)
-               add_psk_crack_payload(pkt_ptr, next, 'R');
-            msg2=msg;
-            cp = process_id(pkt_ptr, bytes_left);
-            msg=make_message("%s%s%s", msg2, multiline?"\n\t":" ", cp);
-            free(msg2);	/* Free old message */
-            free(cp);	/* Free ID payload message */
-         } else if (next == ISAKMP_NEXT_CERT || next == ISAKMP_NEXT_CR) {
-            msg2=msg;
-            cp = process_cert(pkt_ptr, bytes_left, next);
-            msg=make_message("%s%s%s", msg2, multiline?"\n\t":" ", cp);
-            free(msg2);	/* Free old message */
-            free(cp);	/* Free Cert payload message */
-         } else if (next == ISAKMP_NEXT_D) {
-            msg2=msg;
-            cp = process_delete(pkt_ptr, bytes_left);
-            msg=make_message("%s%s%s", msg2, multiline?"\n\t":" ", cp);
-            free(msg2);	/* Free old message */
-            free(cp);	/* Free payload message */
-         } else if (next == ISAKMP_NEXT_N) {
-            msg2=msg;
-            cp = process_notification(pkt_ptr, bytes_left);
-            msg=make_message("%s%s%s", msg2, multiline?"\n\t":" ", cp);
-            free(msg2);	/* Free old message */
-            free(cp);	/* Free payload message */
-         } else {
-            if (psk_crack_flag)
-               add_psk_crack_payload(pkt_ptr, next, 'R');
-            msg2=msg;
-            if (bytes_left >= sizeof(struct isakmp_generic)) {
-                struct isakmp_generic *hdr = (struct isakmp_generic *) pkt_ptr;
-                cp=make_message("%s(%u bytes)", id_to_name(next, payload_map),
-                                ntohs(hdr->isag_length) -
-                                sizeof(struct isakmp_generic));
-            } else {
-                cp=make_message("%s)", id_to_name(next, payload_map));
-            }
-            msg=make_message("%s%s%s", msg2, multiline?"\n\t":" ", cp);
-            free(msg2);	/* Free old message */
-            free(cp);	/* Free generic payload message */
-         }
+         payload_ptr = clone_payload(pkt_ptr, bytes_left);
+         msg2=msg;
+         switch (next) {
+            case ISAKMP_NEXT_VID:	/* Vendor ID */
+               cp = process_vid(payload_ptr, bytes_left, vidlist);
+               break;
+            case ISAKMP_NEXT_ID:	/* ID */
+               if (psk_crack_flag)
+                  add_psk_crack_payload(payload_ptr, next, 'R');
+               cp = process_id(payload_ptr, bytes_left);
+               break;
+            case ISAKMP_NEXT_CERT:	/* Certificate */
+            case ISAKMP_NEXT_CR:	/* Certificate Request */
+               cp = process_cert(payload_ptr, bytes_left, next);
+               break;
+            case ISAKMP_NEXT_D:		/* Delete */
+               cp = process_delete(payload_ptr, bytes_left);
+               break;
+            case ISAKMP_NEXT_N:		/* Notification */
+               cp = process_notification(payload_ptr, bytes_left);
+               break;
+            default:			/* Something else */
+               if (psk_crack_flag)
+                  add_psk_crack_payload(payload_ptr, next, 'R');
+               cp = process_generic(payload_ptr, bytes_left, next);
+               break;
+         } /* End Switch */
+         free(payload_ptr);
+         msg=make_message("%s%s%s", msg2, multiline?"\n\t":" ", cp);
+         free(msg2);	/* Free old message */
+         free(cp);	/* Free payload message */
          pkt_ptr = skip_payload(pkt_ptr, &bytes_left, &next);
-      }
-   }
+      } /* End While */
+   } /* End if (!quiet) */
 /*
  *	Print the message.
  */
diff --git a/ike-scan.h b/ike-scan.h
@@ -1,5 +1,5 @@
 /*
- * The IKE Scanner (ike-scan) is Copyright (C) 2003-2005 Roy Hills,
+ * The IKE Scanner (ike-scan) is Copyright (C) 2003-2007 Roy Hills,
  * NTA Monitor Ltd.
  *
  * This program is free software; you can redistribute it and/or
@@ -420,6 +420,7 @@ char *process_id(unsigned char *, size_t);
 char *process_cert(unsigned char *, size_t, unsigned);
 char *process_delete(unsigned char *, size_t);
 char *process_notification(unsigned char *, size_t);
+char *process_generic(unsigned char *, size_t, unsigned);
 unsigned char *make_transform(size_t *, unsigned, unsigned, unsigned,
                               unsigned char *, size_t);
 unsigned char* add_transform(int, size_t *, unsigned, unsigned char *, size_t);
@@ -431,6 +432,7 @@ unsigned char *add_isakmp_payload(unsigned char *, size_t, unsigned char **);
 void print_payload(unsigned char *cp, unsigned payload, int);
 void add_psk_crack_payload(unsigned char *cp, unsigned, int);
 void print_psk_crack_values(const char *);
+unsigned char *clone_payload(const unsigned char *, size_t);
 char *make_message(const char *, ...);
 char *numstr(unsigned);
 char *printable(const unsigned char*, size_t);
diff --git a/ike-vendor-ids b/ike-vendor-ids
@@ -1,4 +1,4 @@
-# The IKE Scanner (ike-scan) is Copyright (C) 2003-2005 Roy Hills,
+# The IKE Scanner (ike-scan) is Copyright (C) 2003-2007 Roy Hills,
 # NTA Monitor Ltd.
 #
 # This program is free software; you can redistribute it and/or
diff --git a/isakmp.c b/isakmp.c
@@ -1,5 +1,5 @@
 /*
- * The IKE Scanner (ike-scan) is Copyright (C) 2003-2005 Roy Hills,
+ * The IKE Scanner (ike-scan) is Copyright (C) 2003-2007 Roy Hills,
  * NTA Monitor Ltd.
  *
  * This program is free software; you can redistribute it and/or
@@ -1458,21 +1458,36 @@ make_cr(size_t *length, unsigned next, unsigned char *cr_data,
  */
 unsigned char *
 skip_payload(unsigned char *cp, size_t *len, unsigned *next) {
-   struct isakmp_generic *hdr = (struct isakmp_generic *) cp;
+   struct isakmp_generic hdr;
+
 /*
- *	Signal no more payloads by setting length to zero if:
+ *	Signal no more payloads by setting length to zero, next
+ *	payload to none and returning NULL if the packet length is
+ *	less that the ISAKMP generic header size.
+ */
+   if (*len < sizeof(struct isakmp_generic)) {
+      *len=0;
+      *next=ISAKMP_NEXT_NONE;
+      return NULL;
+   }
+/*
+ *	Fill in the generic header from the packet.  We must do this
+ *	by copying rather than overlaying because we cannot be sure
+ *	that "cp" is suitably aligned.
+ */
+   memcpy(&hdr, cp, sizeof(hdr));
+/*
+ *	Signal no more payloads if:
  *
- *	The packet length is less than the ISAKMP generic header size; or
  *	The payload length is greater than the packet length; or
  *	The payload length is less than the size of the generic header; or
  *	There is no next payload.
  *
  *	Also set *next to none and return null.
  */
-   if (*len < sizeof(struct isakmp_generic) ||
-       ntohs(hdr->isag_length) >= *len ||
-       ntohs(hdr->isag_length) < sizeof(struct isakmp_generic) ||
-       hdr->isag_np == ISAKMP_NEXT_NONE) {
+   if (ntohs(hdr.isag_length) >= *len ||
+       ntohs(hdr.isag_length) < sizeof(struct isakmp_generic) ||
+       hdr.isag_np == ISAKMP_NEXT_NONE) {
       *len=0;
       *next=ISAKMP_NEXT_NONE;
       return NULL;
@@ -1481,9 +1496,9 @@ skip_payload(unsigned char *cp, size_t *len, unsigned *next) {
  *	There is another payload after this one, so adjust length and
  *	return pointer to next payload.
  */
-   *len = *len - ntohs(hdr->isag_length);
-   *next = hdr->isag_np;
-   return cp + ntohs(hdr->isag_length);
+   *len = *len - ntohs(hdr.isag_length);
+   *next = hdr.isag_np;
+   return cp + ntohs(hdr.isag_length);
 }
 
 /*
@@ -2379,6 +2394,40 @@ process_delete(unsigned char *cp, size_t len) {
    return msg;
 }
 
+/*
+ *	process_generic -- Process Generic ISAKMP Payload
+ *
+ *	Inputs:
+ *
+ *	cp	Pointer to start of Delete payload
+ *	len	Packet length remaining
+ *
+ *	Returns:
+ *
+ *	Pointer to payload description string.
+ *
+ *	The description string pointer returned points to malloc'ed storage
+ *	which should be free'ed by the caller when it's no longer needed.
+ */
+char *
+process_generic(unsigned char *cp, size_t len, unsigned next) {
+   struct isakmp_generic *hdr = (struct isakmp_generic *) cp;
+   char *msg;
+
+   if (len < sizeof(struct isakmp_generic) ||
+        ntohs(hdr->isag_length) < sizeof(struct isakmp_generic)) {
+      msg = make_message("%s (packet too short to decode)",
+                          id_to_name(next, payload_map));
+      return msg;
+   }
+
+   msg=make_message("%s(%u bytes)", id_to_name(next, payload_map),
+                    ntohs(hdr->isag_length) -
+                    sizeof(struct isakmp_generic));
+
+   return msg;
+}
+
 /*
  *	add_isakmp_payload -- Add an ISAKMP payload to the current packet
  *
@@ -2627,6 +2676,59 @@ print_psk_crack_values(const char *psk_crack_file) {
    free(hexdata);
 }
 
+/*
+ *	clone_payload -- Clone the ISAKMP payload
+ *
+ *	Inputs:
+ *
+ *	pkt_ptr		Pointer to the payload to clone
+ *	bytes_left	Number of bytes remaining in the packet
+ *
+ *	Returns:
+ *
+ *	Pointer to the cloned payload or NULL if no payload.
+ *
+ *	This function clones the ISAKMP payload starting at pkt_ptr, with
+ *	a maximum size of bytes_left.  It copies the payload to a newly
+ *	allocated memory block to ensure that it is suitably aligned for
+ *	those CPUs that have alignment restrictions.
+ *
+ *	The return value points to Malloc'ed memory, which should be
+ *	free'ed when it is no longer required.
+ */
+unsigned char *
+clone_payload(const unsigned char *pkt_ptr, size_t bytes_left) {
+   struct isakmp_generic hdr;
+   unsigned char *clone_ptr;
+   size_t payload_len;
+/*
+ *	Ensure that there is sufficient data to fill the generic
+ *	header.
+ */
+   if (bytes_left < sizeof(struct isakmp_generic)) {
+      return NULL;
+   }
+/*
+ *	Fill in the generic header from the packet.  We must do this
+ *	by copying rather than overlaying because we cannot be sure
+ *	that "pkt_ptr" is suitably aligned.
+ */
+   memcpy(&hdr, pkt_ptr, sizeof(hdr));
+/*
+ *	Determine the length of the payload.
+ */
+   payload_len = ntohs(hdr.isag_length);
+   if (payload_len > bytes_left)
+      payload_len = bytes_left;
+/*
+ *	Allocate memory and copy payload.
+ */
+   clone_ptr = Malloc(payload_len);
+   memcpy(clone_ptr, pkt_ptr, payload_len);
+
+   return clone_ptr;
+}
+
 void
 isakmp_use_rcsid(void) {
    fprintf(stderr, "%s\n", rcsid);	/* Use rcsid to stop compiler optimising away */
diff --git a/isakmp.h b/isakmp.h
@@ -1,5 +1,5 @@
 /*
- * The IKE Scanner (ike-scan) is Copyright (C) 2003-2005 Roy Hills,
+ * The IKE Scanner (ike-scan) is Copyright (C) 2003-2007 Roy Hills,
  * NTA Monitor Ltd.
  *
  * This program is free software; you can redistribute it and/or
diff --git a/psk-crack.c b/psk-crack.c
@@ -1,5 +1,5 @@
 /*
- * The IKE Scanner (ike-scan) is Copyright (C) 2003-2005 Roy Hills,
+ * The IKE Scanner (ike-scan) is Copyright (C) 2003-2007 Roy Hills,
  * NTA Monitor Ltd.
  *
  * This program is free software; you can redistribute it and/or
@@ -100,7 +100,7 @@ main (int argc, char *argv[]) {
             break;
          case 'V':      /* --version */
             fprintf(stderr, "psk-crack (%s)\n\n", PACKAGE_STRING);
-            fprintf(stderr, "Copyright (C) 2003-2005 Roy Hills, NTA Monitor Ltd.\n");
+            fprintf(stderr, "Copyright (C) 2003-2007 Roy Hills, NTA Monitor Ltd.\n");
             fprintf(stderr, "ike-scan comes with NO WARRANTY to the extent permitted by law.\n");
             fprintf(stderr, "You may redistribute copies of ike-scan under the terms of the GNU\n");
             fprintf(stderr, "General Public License.\n");
diff --git a/psk-crack.h b/psk-crack.h
diff --git a/utils.c b/utils.c
diff --git a/wrappers.c b/wrappers.c

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * The IKE Scanner (ike-scan) is Copyright (C) 2003-2005 Roy Hills,`
	`2`	`+ * The IKE Scanner (ike-scan) is Copyright (C) 2003-2007 Roy Hills,`
`3`	`3`	`* NTA Monitor Ltd.`
`4`	`4`	`*`
`5`	`5`	`* This program is free software; you can redistribute it and/or`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# The IKE Scanner (ike-scan) is Copyright (C) 2003-2005 Roy Hills,`
	`1`	`+# The IKE Scanner (ike-scan) is Copyright (C) 2003-2007 Roy Hills,`
`2`	`2`	`# NTA Monitor Ltd.`
`3`	`3`	`#`
`4`	`4`	`# This program is free software; you can redistribute it and/or`