]> The Tcpdump Group git mirrors - tcpdump/blobdiff - print-ip6.c
projects / tcpdump / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
CVE-2017-12985/IPv6: Check for print routines returning -1 when running past the...
[tcpdump] / print-ip6.c
diff --git a/print-ip6.c b/print-ip6.c
index 0075fcea2e51a389638bf48fbf33f73b72141fec..f2f56efb5459fdc2bd63db686afc2fba15d73144 100644 (file)
--- a/print-ip6.c
+++ b/print-ip6.c
@@ -280,6 +280,8 @@ ip6_print(netdissect_options *ndo, const u_char *bp, u_int length)
        advance = sizeof(struct ip6_hdr);
        nh = ip6->ip6_nxt;
        while (cp < ndo->ndo_snapend && advance > 0) {
+               if (len < (u_int)advance)
+                       goto trunc;
                cp += advance;
                len -= advance;
 
@@ -322,10 +324,15 @@ ip6_print(netdissect_options *ndo, const u_char *bp, u_int length)
                         * mobility header.
                         */
                        advance = mobility_print(ndo, cp, (const u_char *)ip6);
+                       if (advance < 0)
+                               return;
                        nh = *cp;
                        return;
                case IPPROTO_ROUTING:
+                       ND_TCHECK(*cp);
                        advance = rt6_print(ndo, cp, (const u_char *)ip6);
+                       if (advance < 0)
+                               return;
                        nh = *cp;
                        break;
                case IPPROTO_SCTP:
@@ -345,12 +352,16 @@ ip6_print(netdissect_options *ndo, const u_char *bp, u_int length)
                        return;
                case IPPROTO_AH:
                        advance = ah_print(ndo, cp);
+                       if (advance < 0)
+                               return;
                        nh = *cp;
                        break;
                case IPPROTO_ESP:
                    {
                        int enh, padlen;
                        advance = esp_print(ndo, cp, len, (const u_char *)ip6, &enh, &padlen);
+                       if (advance < 0)
+                               return;
                        nh = enh & 0xff;
                        len -= padlen;
                        break;
[mirror] the TCPdump network dissector