(for 4.9.3) CVE-2018-14880/OSPFv3: Fix a bounds check

[tcpdump] / print-lmp.c

diff --git a/print-lmp.c b/print-lmp.c
index 2edbb581389bbbfeb3863099d57a5668d7f21feb..e83610117844d14bff25816b81e6b75962d3132c 100644 (file)
--- a/print-lmp.c
+++ b/print-lmp.c
@@ -31,6 +31,8 @@
 #include "addrtoname.h"
 #include "gmpls.h"
 
+static const char tstr[] = " [|LMP]";
+
 /*
  * LMP common header
  *
@@ -367,6 +369,7 @@ lmp_print_data_link_subobjs(netdissect_options *ndo, const u_char *obj_tptr,
     } bw;
 
     while (total_subobj_len > 0 && hexdump == FALSE ) {
+       ND_TCHECK_16BITS(obj_tptr + offset);
        subobj_type = EXTRACT_8BITS(obj_tptr + offset);
        subobj_len  = EXTRACT_8BITS(obj_tptr + offset + 1);
        ND_PRINT((ndo, "\n\t    Subobject, Type: %s (%u), Length: %u",
@@ -389,24 +392,29 @@ lmp_print_data_link_subobjs(netdissect_options *ndo, const u_char *obj_tptr,
        }
        switch(subobj_type) {
        case INT_SWITCHING_TYPE_SUBOBJ:
+           ND_TCHECK_8BITS(obj_tptr + offset + 2);
            ND_PRINT((ndo, "\n\t      Switching Type: %s (%u)",
                tok2str(gmpls_switch_cap_values,
                        "Unknown",
                        EXTRACT_8BITS(obj_tptr + offset + 2)),
                        EXTRACT_8BITS(obj_tptr + offset + 2)));
+           ND_TCHECK_8BITS(obj_tptr + offset + 3);
            ND_PRINT((ndo, "\n\t      Encoding Type: %s (%u)",
                tok2str(gmpls_encoding_values,
                        "Unknown",
                        EXTRACT_8BITS(obj_tptr + offset + 3)),
                        EXTRACT_8BITS(obj_tptr + offset + 3)));
+           ND_TCHECK_32BITS(obj_tptr + offset + 4);
            bw.i = EXTRACT_32BITS(obj_tptr+offset+4);
            ND_PRINT((ndo, "\n\t      Min Reservable Bandwidth: %.3f Mbps",
                 bw.f*8/1000000));
+           ND_TCHECK_32BITS(obj_tptr + offset + 8);
            bw.i = EXTRACT_32BITS(obj_tptr+offset+8);
            ND_PRINT((ndo, "\n\t      Max Reservable Bandwidth: %.3f Mbps",
                 bw.f*8/1000000));
            break;
        case WAVELENGTH_SUBOBJ:
+           ND_TCHECK_32BITS(obj_tptr + offset + 4);
            ND_PRINT((ndo, "\n\t      Wavelength: %u",
                EXTRACT_32BITS(obj_tptr+offset+4)));
            break;
@@ -419,6 +427,8 @@ lmp_print_data_link_subobjs(netdissect_options *ndo, const u_char *obj_tptr,
        offset+=subobj_len;
     }
     return (hexdump);
+trunc:
+    return -1;
 }
 
 void
@@ -429,7 +439,7 @@ lmp_print(netdissect_options *ndo,
     const struct lmp_object_header *lmp_obj_header;
     const u_char *tptr,*obj_tptr;
     u_int tlen,lmp_obj_len,lmp_obj_ctype,obj_tlen;
-    int hexdump;
+    int hexdump, ret;
     u_int offset;
     u_int link_type;
 
@@ -731,7 +741,10 @@ lmp_print(netdissect_options *ndo,
                        ipaddr_string(ndo, obj_tptr+8),
                        EXTRACT_32BITS(obj_tptr+8)));
 
-               if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12))
+               ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12);
+               if (ret == -1)
+                   goto trunc;
+               if (ret == TRUE)
                    hexdump=TRUE;
                break;
 
@@ -751,7 +764,10 @@ lmp_print(netdissect_options *ndo,
                        ip6addr_string(ndo, obj_tptr+20),
                        EXTRACT_32BITS(obj_tptr+20)));
 
-               if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 36, 36))
+               ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 36, 36);
+               if (ret == -1)
+                   goto trunc;
+               if (ret == TRUE)
                    hexdump=TRUE;
                break;
 
@@ -771,7 +787,10 @@ lmp_print(netdissect_options *ndo,
                        EXTRACT_32BITS(obj_tptr+8),
                        EXTRACT_32BITS(obj_tptr+8)));
 
-               if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12))
+               ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12);
+               if (ret == -1)
+                   goto trunc;
+               if (ret == TRUE)
                    hexdump=TRUE;
                break;
 
@@ -1129,7 +1148,7 @@ lmp_print(netdissect_options *ndo,
     }
     return;
 trunc:
-    ND_PRINT((ndo, "\n\t\t packet exceeded snapshot"));
+    ND_PRINT((ndo, "%s", tstr));
 }
 /*
  * Local Variables: