Fixes for undefined behavior in the snmp decoder

[fenner]

These changes fix undefined behavior in the snmp decoder when the underlying representation is of a value larger than 32-bits. The decoder fundamentally doesn't support these values, and the original behavior is GIGO. We retain the same GIGO behavior, but avoiding undefined behavior.

Fixes #1054

[fxlb]

Before

./tcpdump -c1 -#n -r snmp.pcap                                                                                                                                                                 
make: Nothing to be done for 'all'.
reading from file snmp.pcap, link-type RAW (Raw IP), snapshot length 71
    1  20:43:58.1279491072 (invalid us) IP6 [header+payload length 36473 > length 8192] (invalid) a102:11b:100:1:1:1:177:254b > 4800:0:181:fec9:5da8:b2f8:c0a8:1eb: DSTOPT 162 > 54467:  [!init SEQ]33686018

After

./tcpdump -c1 -#n -r snmp.pcap
make: Nothing to be done for 'all'.
reading from file snmp.pcap, link-type RAW (Raw IP), snapshot length 71
    1  20:43:58.1279491072 (invalid us) IP6 [header+payload length 36473 > length 8192] (invalid) a102:11b:100:1:1:1:177:254b > 4800:0:181:fec9:5da8:b2f8:c0a8:1eb: DSTOPT 162 > 54467:  [!init SEQ]-2113797630

Is this OK?

[fxlb]

With the pcap:
snmp.pcap.txt
(fuzzed file)

[guyharris]

Some additional commentary about the method used to store only the low 32 bits (i.e., masking the upper 8 bits away before shifting left by 8 bits), and an indication that this avoids undefined behavior, might be useful

[fenner]

How about

                                /* In order to avoid undefined behavior, we mask off the low
                                 * 24 bits of the data before shifting up by 8 bits.  Either
                                 * way, we lose the top 8 bits, but shifting through the sign
                                 * bit results in undefined data.  If we've shifted the sign
                                 * bit away, we will restore it below. */

[fxlb]

Rebased.
And/or a problem in the IPv6 decoding, because with -v, the output is:

    1  20:43:58.1279491072 (invalid us) IP6 [header+payload length 36473 > length 8192] (invalid) (class 0x50, flowlabel 0x1014d, hlim 178, next-header DSTOPT (60), payload length 36433) a102:11b:100:1:1:1:177:254b > 4800:0:181:fec9:5da8:b2f8:c0a8:1eb: DSTOPT  [remaining length 14 < 236] (invalid)

And no SNMP code path.
I will look at that.

[fxlb]

With a new test file without "IPv6 problem":
Before

./tcpdump --le -c1 -#nv -r snmp1.pcap                                                                                                                                                      
reading from file snmp1.pcap, link-type RAW (Raw IP), snapshot length 71
    1  caplen 71 len 71 20:43:58.1279491072 (invalid us) IP6 [header+payload length 36473 > length 71] (invalid) (class 0x50, flowlabel 0x1014d, hlim 178, next-header DSTOPT (60), payload length 36433) a102:11b:100:1:1:1:177:254b > 4800:0:181:fec9:5da8:b2f8:c0a8:1eb: DSTOPT (unknown opt-type 0x38 len=12) 162 > 54467:  [!init SEQ]33686018

After

./tcpdump --le -c1 -#nv -r snmp1.pcap
reading from file snmp1.pcap, link-type RAW (Raw IP), snapshot length 71
    1  caplen 71 len 71 20:43:58.1279491072 (invalid us) IP6 [header+payload length 36473 > length 71] (invalid) (class 0x50, flowlabel 0x1014d, hlim 178, next-header DSTOPT (60), payload length 36433) a102:11b:100:1:1:1:177:254b > 4800:0:181:fec9:5da8:b2f8:c0a8:1eb: DSTOPT (unknown opt-type 0x38 len=12) 162 > 54467:  [!init SEQ]-2113797630

Is this OK?

[fxlb]

New capture file
snmp1.pcap.txt

[fenner]

Is this OK?

It's using the snmp printer because it's UDP port 162 (trap).

The ASN.1 value is an out of bounds negative number. The old behavior shifted the sign bit away; the new behavior retains the sign bit but the number is still not the one represented in the packet.

I think it's OK.