Fixed a bug in PPI and Dot1Q triggered when constructing from buffer/serializing. Done some documentation fixes.

2026-01-30 05:24:26 +01:00 · 2013-09-22 19:37:02 -03:00
parent 74ef177e25
commit 2414edd1e7
10 changed files with 243 additions and 96 deletions
--- a/src/dot11/dot11_base.cpp
+++ b/src/dot11/dot11_base.cpp
@@ -96,7 +96,7 @@ void Dot11::parse_tagged_parameters(const uint8_t *buffer, uint32_t total_sz) {

 void Dot11::add_tagged_option(OptionTypes opt, uint8_t len, const uint8_t *val) {
    uint32_t opt_size = len + sizeof(uint8_t) * 2;
-    _options.push_back(option((uint8_t)opt, len, val));
+    _options.push_back(option((uint8_t)opt, val, val + len));
    _options_size += opt_size;
 }

--- a/src/dot11/dot11_control.cpp
+++ b/src/dot11/dot11_control.cpp
@@ -58,7 +58,7 @@ Dot11ControlTA::Dot11ControlTA(const uint8_t *buffer, uint32_t total_sz) : Dot11
    buffer += sizeof(ieee80211_header);
    total_sz -= sizeof(ieee80211_header);
    if(total_sz < sizeof(_taddr))
-        throw std::runtime_error("Not enough size for an IEEE 802.11 RTS frame in the buffer.");
+        throw malformed_packet();
    //std::memcpy(_taddr, buffer, sizeof(_taddr));
    _taddr = buffer;
 }
@@ -166,7 +166,7 @@ Dot11BlockAckRequest::Dot11BlockAckRequest(const uint8_t *buffer, uint32_t total
    buffer += padding;
    total_sz -= padding;
    if(total_sz < sizeof(_bar_control) + sizeof(_start_sequence))
-        throw std::runtime_error("Not enough size for an IEEE 802.11 Block Ack frame in the buffer.");
+        throw malformed_packet();
    std::memcpy(&_bar_control, buffer, sizeof(_bar_control));
    buffer += sizeof(_bar_control);
    std::memcpy(&_start_sequence, buffer, sizeof(_start_sequence));
@@ -230,7 +230,7 @@ Dot11BlockAck::Dot11BlockAck(const uint8_t *buffer, uint32_t total_sz) : Dot11Co
    buffer += padding;
    total_sz -= padding;
    if(total_sz < sizeof(_bitmap) + sizeof(_bar_control) + sizeof(_start_sequence))
-        throw std::runtime_error("Not enough size for an IEEE 802.11 Block Ack frame in the buffer.");
+        throw malformed_packet();
    std::memcpy(&_bar_control, buffer, sizeof(_bar_control));
    buffer += sizeof(_bar_control);
    std::memcpy(&_start_sequence, buffer, sizeof(_start_sequence));
--- a/src/dot11/dot11_mgmt.cpp
+++ b/src/dot11/dot11_mgmt.cpp
@@ -189,12 +189,13 @@ void Dot11ManagementFrame::request_information(const request_info_type elements)
    delete[] buffer;
 }

-void Dot11ManagementFrame::fh_parameter_set(fh_params_set fh_params) {
-    fh_params.dwell_time = Endian::host_to_le(fh_params.dwell_time);
-    fh_params.hop_set = fh_params.hop_set;
-    fh_params.hop_pattern = fh_params.hop_pattern;
-    fh_params.hop_index = fh_params.hop_index;
-    add_tagged_option(FH_SET, sizeof(fh_params_set), (uint8_t*)&fh_params);
+void Dot11ManagementFrame::fh_parameter_set(const fh_params_set &fh_params) {
+    uint8_t data[5];
+    *(uint16_t*)data = Endian::host_to_le(fh_params.dwell_time);
+    data[2] = fh_params.hop_set;
+    data[3] = fh_params.hop_pattern;
+    data[4] = fh_params.hop_index;
+    add_tagged_option(FH_SET, sizeof(data), data);

 }

@@ -202,12 +203,17 @@ void Dot11ManagementFrame::ds_parameter_set(uint8_t current_channel) {
    add_tagged_option(DS_SET, 1, &current_channel);
 }

-void Dot11ManagementFrame::cf_parameter_set(cf_params_set params) {
-    params.cfp_count = params.cfp_count;
+void Dot11ManagementFrame::cf_parameter_set(const cf_params_set &params) {
+    uint8_t data[6];
+    data[0] = params.cfp_count;
+    data[1] = params.cfp_period;
+    *(uint16_t*)&data[2] = Endian::host_to_le(params.cfp_max_duration);
+    *(uint16_t*)&data[4] = Endian::host_to_le(params.cfp_dur_remaining);
+    /*params.cfp_count = params.cfp_count;
    params.cfp_period = params.cfp_period;
    params.cfp_max_duration = Endian::host_to_le(params.cfp_max_duration);
-    params.cfp_dur_remaining = Endian::host_to_le(params.cfp_dur_remaining);
-    add_tagged_option(CF_SET, sizeof(params), (uint8_t*)&params);
+    params.cfp_dur_remaining = Endian::host_to_le(params.cfp_dur_remaining);*/
+    add_tagged_option(CF_SET, sizeof(data), data);
 }

 void Dot11ManagementFrame::ibss_parameter_set(uint16_t atim_window) {
@@ -266,7 +272,7 @@ void Dot11ManagementFrame::fh_pattern_table(const fh_pattern_type &params) {
    *(ptr++) = params.number_of_sets;
    *(ptr++) = params.modulus;
    *(ptr++) = params.offset;
-    fh_pattern_type::container_type::const_iterator it(params.random_table.begin());
+    byte_array::const_iterator it(params.random_table.begin());
    for(; it != params.random_table.end(); ++it)
        *(ptr++) = *it;
    add_tagged_option(HOPPING_PATTERN_TABLE, data.size(), &data[0]);
@@ -355,6 +361,16 @@ void Dot11ManagementFrame::challenge_text(const std::string &text) {
    );
 }

+void Dot11ManagementFrame::vendor_specific(const vendor_specific_type &data) {
+    byte_array buffer(3 + data.data.size());
+    std::copy(
+        data.data.begin(),
+        data.data.end(),
+        data.oui.copy(buffer.begin())
+    );
+    add_tagged_option(VENDOR_SPECIFIC, buffer.size(), &buffer[0]);
+}
+
 // Getters

 RSNInformation Dot11ManagementFrame::rsn_information() {
@@ -428,13 +444,13 @@ Dot11ManagementFrame::request_info_type Dot11ManagementFrame::request_informatio

 Dot11ManagementFrame::fh_params_set Dot11ManagementFrame::fh_parameter_set() const {
    const Dot11::option *option = search_option(FH_SET);
-    if(!option || option->data_size() != sizeof(fh_params_set))
+    if(!option || option->data_size() != 5)
        throw option_not_found();
-    fh_params_set output = *reinterpret_cast<const fh_params_set*>(option->data_ptr());
-    output.dwell_time = Endian::le_to_host(output.dwell_time);
-    output.hop_set = output.hop_set;
-    output.hop_pattern = output.hop_pattern;
-    output.hop_index = output.hop_index;
+    fh_params_set output;
+    output.dwell_time = Endian::le_to_host(*(uint16_t*)option->data_ptr());
+    output.hop_set = option->data_ptr()[2];
+    output.hop_pattern = option->data_ptr()[3];
+    output.hop_index = option->data_ptr()[4];
    return output;
 }

@@ -445,6 +461,18 @@ uint8_t Dot11ManagementFrame::ds_parameter_set() const {
    return *option->data_ptr();
 }

+Dot11ManagementFrame::cf_params_set Dot11ManagementFrame::cf_parameter_set() const {
+    const Dot11::option *option = search_option(CF_SET);
+    if(!option || option->data_size() != 6)
+        throw option_not_found();
+    cf_params_set output;
+    output.cfp_count = *option->data_ptr();
+    output.cfp_period = option->data_ptr()[1];
+    output.cfp_max_duration = Endian::le_to_host(*(uint16_t*)&option->data_ptr()[2]);
+    output.cfp_dur_remaining = Endian::le_to_host(*(uint16_t*)&option->data_ptr()[4]);
+    return output;
+}
+
 uint16_t Dot11ManagementFrame::ibss_parameter_set() const {
    const Dot11::option *option = search_option(IBSS_SET);
    if(!option || option->data_size() != sizeof(uint16_t))
@@ -598,4 +626,22 @@ std::string Dot11ManagementFrame::challenge_text() const {
    return std::string(option->data_ptr(), option->data_ptr() + option->data_size());
 }

+Dot11ManagementFrame::vendor_specific_type Dot11ManagementFrame::vendor_specific() const {
+    const Dot11::option *option = search_option(VENDOR_SPECIFIC);
+    if(!option || option->data_size() < 3)
+        throw option_not_found();
+    return vendor_specific_type::from_bytes(option->data_ptr(), option->data_size());
+}
+
+Dot11ManagementFrame::vendor_specific_type 
+  Dot11ManagementFrame::vendor_specific_type::from_bytes(const uint8_t *buffer, uint32_t sz) 
+{
+    if(sz < 3)
+        throw malformed_option();
+    return vendor_specific_type(
+        buffer, 
+        byte_array(buffer + 3, buffer + sz)
+    );
+}
+
 } // namespace Tins
--- a/src/dot1q.cpp
+++ b/src/dot1q.cpp
@@ -111,7 +111,9 @@ void Dot1Q::write_serialization(uint8_t *buffer, uint32_t total_sz, const PDU *)
    }
    std::memcpy(buffer, &_header, sizeof(_header));
    
-    buffer += sizeof(_header) + inner_pdu()->size();
+    buffer += sizeof(_header);
+    if(inner_pdu())
+        buffer += inner_pdu()->size();
    std::fill(buffer, buffer + trailer, 0);
 }

--- a/src/ppi.cpp
+++ b/src/ppi.cpp
@@ -47,7 +47,7 @@ PPI::PPI(const uint8_t *buffer, uint32_t total_sz) {
    if(total_sz < sizeof(_header))
        throw malformed_packet();
    std::memcpy(&_header, buffer, sizeof(_header));
-    if(length() > total_sz)
+    if(length() > total_sz || length() < sizeof(_header))
        throw malformed_packet();
    buffer += sizeof(_header);
    total_sz -= sizeof(_header);
--- a/src/radiotap.cpp
+++ b/src/radiotap.cpp
@@ -72,7 +72,7 @@ RadioTap::RadioTap(const uint8_t *buffer, uint32_t total_sz)
    check_size(total_sz, sizeof(_radio));
    const uint8_t *buffer_start = buffer;
    std::memcpy(&_radio, buffer, sizeof(_radio));
-    uint32_t radiotap_hdr_size = Endian::le_to_host(_radio.it_len);
+    uint32_t radiotap_hdr_size = length();
    check_size(total_sz, radiotap_hdr_size);
    buffer += sizeof(_radio);
    radiotap_hdr_size -= sizeof(_radio);
@@ -132,14 +132,14 @@ RadioTap::RadioTap(const uint8_t *buffer, uint32_t total_sz)
        read_field(buffer, radiotap_hdr_size, _max_power);
    }

-    total_sz -= Endian::le_to_host(_radio.it_len);
+    total_sz -= length();
    buffer += radiotap_hdr_size;

    if(_radio.flags && (flags() & FCS) != 0) {
        check_size(total_sz, sizeof(uint32_t));
        total_sz -= sizeof(uint32_t);
        if((flags() & FAILED_FCS) !=0)
-                throw malformed_packet();
+            throw malformed_packet();
    }

    if(total_sz)