Skip to content

Commit

Permalink
Clean up forge_icmp_v6_packet
Browse files Browse the repository at this point in the history 
Function is still a mess but at least no memory
leaks and static analyzer warnings anymore.

(cherry picked from commit 875d438)
  • Loading branch information
@ArnoStiefvater
ArnoStiefvater authored and mergify-bot committed Jul 9, 2021
1 parent f925aa2 commit 38859e5
Showing 1 changed file with 43 additions and 39 deletions.
82 changes: 43 additions & 39 deletions nasl/nasl_packet_forgery_v6.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1766,7 +1766,6 @@ forge_icmp_v6_packet (lex_ctxt *lexic)

bcopy (ip6, ip6_icmp, ip6_sz);
p = (char *) (pkt + ip6_sz);

icmp = (struct icmp6_hdr *) p;

icmp->icmp6_code = get_int_var_by_name (lexic, "icmp_code", 0);
Expand All @@ -1786,66 +1785,68 @@ forge_icmp_v6_packet (lex_ctxt *lexic)
break;
case ND_ROUTER_SOLICIT:
{
if (data != NULL)
bcopy (data, &(p[8]), len);
routersolicit = g_malloc0 (sizeof (struct nd_router_solicit));
pkt =
g_realloc (pkt, ip6_sz + sizeof (struct nd_router_solicit) + len);
ip6_icmp = (struct ip6_hdr *) pkt;
p = (char *) (pkt + ip6_sz);
struct icmp6_hdr *rs = &routersolicit->nd_rs_hdr;
// Update ip6_icmp because it gets used again below
ip6_icmp = (struct ip6_hdr *) pkt;
routersolicit = (struct nd_router_solicit *) p;
rs->icmp6_type = icmp->icmp6_type;
rs->icmp6_code = icmp->icmp6_code;
rs->icmp6_cksum = icmp->icmp6_cksum;
((struct icmp6_hdr *) routersolicit)->icmp6_type = icmp->icmp6_type;
((struct icmp6_hdr *) routersolicit)->icmp6_code = icmp->icmp6_code;
((struct icmp6_hdr *) routersolicit)->icmp6_cksum =
icmp->icmp6_cksum;
size = ip6_sz + sizeof (struct nd_router_solicit) + len;
sz = 4; /*type-1 byte, code-1byte, cksum-2bytes */
}
break;
case ND_ROUTER_ADVERT:
{
if (data != NULL)
bcopy (data, &(p[8]), len);
routeradvert = g_malloc0 (sizeof (struct nd_router_advert));
/*do we need lifetime?? Not taking lifetime?? */
pkt = g_realloc (
pkt,
ip6_sz + sizeof (struct nd_router_advert) - 8
+ len); /*not taking lifetime(8 bytes) into consideration */
ip6_icmp = (struct ip6_hdr *) pkt;
pkt =
g_realloc (pkt, ip6_sz + sizeof (struct nd_router_advert) + len);
p = (char *) (pkt + ip6_sz);
struct icmp6_hdr *ra = &routeradvert->nd_ra_hdr;
// Update ip6_icmp because it gets used again below
ip6_icmp = (struct ip6_hdr *) pkt;
// Let routeradvert point to routeradvert location in pkt
routeradvert = (struct nd_router_advert *) p;
ra->icmp6_type = icmp->icmp6_type;
ra->icmp6_code = icmp->icmp6_code;
ra->icmp6_cksum = icmp->icmp6_cksum;
// Set icmp6 header members
((struct icmp6_hdr *) routeradvert)->icmp6_type = icmp->icmp6_type;
((struct icmp6_hdr *) routeradvert)->icmp6_code = icmp->icmp6_code;
((struct icmp6_hdr *) routeradvert)->icmp6_cksum =
icmp->icmp6_cksum;
routeradvert->nd_ra_reachable =
get_int_var_by_name (lexic, "reachable_time", 0);
routeradvert->nd_ra_retransmit =
get_int_var_by_name (lexic, "retransmit_timer", 0);
routeradvert->nd_ra_curhoplimit = ip6_icmp->ip6_hlim;
routeradvert->nd_ra_flags_reserved =
get_int_var_by_name (lexic, "flags", 0);
size = ip6_sz + sizeof (struct nd_router_advert) - 8
+ len; /*not taking lifetime(8 bytes) into consideration */
sz = 5; /*type-1 byte, code-1byte, cksum-2bytes, current
hoplimit-1byte */
size = ip6_sz + sizeof (struct nd_router_advert) + len;
sz = 5; /*type-1 byte, code-1byte, cksum-2bytes, current
hoplimit-1byte */
}
break;
case ND_NEIGHBOR_SOLICIT:
{
neighborsolicit = g_malloc0 (sizeof (struct nd_neighbor_solicit));
// Make room for nd_neighbor_solicit.nd_ns_target in packet
pkt = g_realloc (pkt, ip6_sz + sizeof (struct nd_neighbor_solicit)
+ len);
ip6_icmp = (struct ip6_hdr *) pkt;
// Let p point to the start of nd_neighbor_solicit
p = (char *) (pkt + ip6_sz);
struct icmp6_hdr *ns = &neighborsolicit->nd_ns_hdr;
neighborsolicit = (struct nd_neighbor_solicit *) p;
// Update ip6_icmp because it gets used again below
ip6_icmp = (struct ip6_hdr *) pkt;
// Fill in user date if provided
if (data != NULL)
bcopy (data, &(p[24]), len);
ns->icmp6_type = icmp->icmp6_type;
ns->icmp6_code = icmp->icmp6_code;
ns->icmp6_cksum = icmp->icmp6_cksum;
memmove (&(p[8 + 16]), data, len);
// Let neighborsolicit point to nd_neighbor_solicit location in pkt
neighborsolicit = (struct nd_neighbor_solicit *) p;
// Set icmp6 header members
((struct icmp6_hdr *) neighborsolicit)->icmp6_type =
icmp->icmp6_type;
((struct icmp6_hdr *) neighborsolicit)->icmp6_code =
icmp->icmp6_code;
((struct icmp6_hdr *) neighborsolicit)->icmp6_cksum =
icmp->icmp6_cksum;
// Set nd_ns_target
memcpy (&neighborsolicit->nd_ns_target, &ip6_icmp->ip6_dst,
sizeof (struct in6_addr)); /*dst ip should be link local */
size = ip6_sz + sizeof (struct nd_neighbor_solicit) + len;
Expand All @@ -1854,16 +1855,19 @@ forge_icmp_v6_packet (lex_ctxt *lexic)
break;
case ND_NEIGHBOR_ADVERT:
{
neighboradvert = g_malloc0 (sizeof (struct nd_neighbor_advert));
pkt = g_realloc (pkt,
ip6_sz + sizeof (struct nd_neighbor_advert) + len);
// Update ip6_icmp because it gets used again below
ip6_icmp = (struct ip6_hdr *) pkt;
p = (char *) (pkt + 40);
struct icmp6_hdr *na = &neighboradvert->nd_na_hdr;
neighboradvert = (struct nd_neighbor_advert *) p;
na->icmp6_type = icmp->icmp6_type;
na->icmp6_code = icmp->icmp6_code;
na->icmp6_cksum = icmp->icmp6_cksum;
// Set icmp6 header members
((struct icmp6_hdr *) neighboradvert)->icmp6_type =
icmp->icmp6_type;
((struct icmp6_hdr *) neighboradvert)->icmp6_code =
icmp->icmp6_code;
((struct icmp6_hdr *) neighboradvert)->icmp6_cksum =
icmp->icmp6_cksum;
neighboradvert->nd_na_flags_reserved =
get_int_var_by_name (lexic, "flags", 0);
if (neighboradvert->nd_na_flags_reserved & 0x00000020)
Expand Down

0 comments on commit 38859e5

Please sign in to comment.