Revert partially the commit 21b1273
[tcpdump] / print-ospf.c
index 43f9dcc2e1b041fb19550bda68ac0bf4b78d823a..098763774ad53010454bbc6ae1e2b1dbdd254f94 100644 (file)
@@ -301,13 +301,12 @@ ospf_te_lsa_print(netdissect_options *ndo,
 
         switch(tlv_type) {
         case LS_OPAQUE_TE_TLV_LINK:
-            while (tlv_length >= sizeof(subtlv_type) + sizeof(subtlv_length)) {
+            while (tlv_length != 0) {
                 if (tlv_length < 4) {
                     ND_PRINT("\n\t    Remaining TLV length %u < 4",
                            tlv_length);
                     return -1;
                 }
-                ND_TCHECK_4(tptr);
                 subtlv_type = GET_BE_U_2(tptr);
                 subtlv_length = GET_BE_U_2(tptr + 2);
                 tptr+=4;
@@ -322,6 +321,11 @@ ospf_te_lsa_print(netdissect_options *ndo,
                        subtlv_type,
                        subtlv_length);
 
+                if (tlv_length < subtlv_length) {
+                    ND_PRINT("\n\t    Remaining TLV length %u < %u",
+                           tlv_length + 4, subtlv_length + 4);
+                    return -1;
+                }
                 ND_TCHECK_LEN(tptr, subtlv_length);
                 switch(subtlv_type) {
                 case LS_OPAQUE_TE_LINK_SUBTLV_ADMIN_GROUP:
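Review bot: The two length checks added to the link sub-TLV loop print identical text, `Remaining TLV length %u < %u`: once here before the sub-TLV is decoded, and again in the next hunk after `subtlv_length` has been rounded up to a multiple of 4. Someone triaging a malformed capture cannot tell from the output whether the raw or the padded length overran the TLV. The TLV-level check added later in this commit already says `Bogus padded length`, so the second sub-TLV check could follow it, for example `"\n\t    Remaining TLV length %u < padded sub-TLV length %u"`. The `+ 4` on both arguments presumably restores the sub-TLV header that is subtracted between the hunks (not visible here); a one-line comment such as `/* report lengths including the 4-byte sub-TLV header */` would make that explicit.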
@@ -471,6 +475,11 @@ ospf_te_lsa_print(netdissect_options *ndo,
                 if (subtlv_length%4 != 0)
                     subtlv_length+=4-(subtlv_length%4);
 
+                if (tlv_length < subtlv_length) {
+                    ND_PRINT("\n\t    Remaining TLV length %u < %u",
+                           tlv_length + 4, subtlv_length + 4);
+                    return -1;
+                }
                 tlv_length-=subtlv_length;
                 tptr+=subtlv_length;
 
@@ -482,7 +491,6 @@ ospf_te_lsa_print(netdissect_options *ndo,
                 ND_PRINT("\n\t    TLV length %u < 4", tlv_length);
                 return -1;
             }
-            ND_TCHECK_4(tptr);
             ND_PRINT(", %s", GET_IPADDR_STRING(tptr));
             break;
 
@@ -496,6 +504,11 @@ ospf_te_lsa_print(netdissect_options *ndo,
         /* in OSPF everything has to be 32-bit aligned, including TLVs */
         if (tlv_length%4 != 0)
             tlv_length+=4-(tlv_length%4);
+        if (tlv_length > ls_length) {
+            ND_PRINT("\n\t    Bogus padded length %u > %u", tlv_length,
+                   ls_length);
+            return -1;
+        }
         ls_length-=tlv_length;
         tptr+=tlv_length;
     }
@@ -514,22 +527,17 @@ ospf_print_lshdr(netdissect_options *ndo,
         u_int ls_type;
         u_int ls_length;
 
-        ND_TCHECK_2(lshp->ls_length);
         ls_length = GET_BE_U_2(lshp->ls_length);
         if (ls_length < sizeof(struct lsa_hdr)) {
                 ND_PRINT("\n\t    Bogus length %u < header (%zu)", ls_length,
                     sizeof(struct lsa_hdr));
                 return(-1);
         }
-
-        ND_TCHECK_4(lshp->ls_seq); /* XXX - ls_length check checked this */
         ND_PRINT("\n\t  Advertising Router %s, seq 0x%08x, age %us, length %u",
                   GET_IPADDR_STRING(lshp->ls_router),
                   GET_BE_U_4(lshp->ls_seq),
                   GET_BE_U_2(lshp->ls_age),
                   ls_length - (u_int)sizeof(struct lsa_hdr));
-
-        ND_TCHECK_1(lshp->ls_type); /* XXX - ls_length check checked this */
         ls_type = GET_U_1(lshp->ls_type);
         switch (ls_type) {
         /* the LSA header for opaque LSAs was slightly changed */
@@ -557,14 +565,10 @@ ospf_print_lshdr(netdissect_options *ndo,
                    GET_IPADDR_STRING(lshp->un_lsa_id.lsa_id));
             break;
         }
-
-        ND_TCHECK_1(lshp->ls_options); /* XXX - ls_length check checked this */
         ND_PRINT("\n\t    Options: [%s]",
                 bittok2str(ospf_option_values, "none", GET_U_1(lshp->ls_options)));
 
         return (ls_length);
-trunc:
-       return (-1);
 }
 
 /* draft-ietf-ospf-mt-09 */
@@ -624,29 +628,33 @@ ospf_print_lsa(netdissect_options *ndo,
        const struct aslametric *almp;
        const struct mcla *mcp;
        const uint8_t *lp;
-       int j, tlv_type, tlv_length, topology;
-       int ls_length;
+       u_int tlv_type, tlv_length, rla_count, topology;
+       int ospf_print_lshdr_ret;
+       u_int ls_length;
        const uint8_t *tptr;
 
        tptr = (const uint8_t *)lsap->lsa_un.un_unknown; /* squelch compiler warnings */
-        ls_length = ospf_print_lshdr(ndo, &lsap->ls_hdr);
-        if (ls_length == -1)
-                return(NULL);
+       ospf_print_lshdr_ret = ospf_print_lshdr(ndo, &lsap->ls_hdr);
+       if (ospf_print_lshdr_ret < 0)
+               return(NULL);
+       ls_length = (u_int)ospf_print_lshdr_ret;
        ls_end = (const uint8_t *)lsap + ls_length;
+       /*
+        * ospf_print_lshdr() returns -1 if the length is too short,
+        * so we know ls_length is >= sizeof(struct lsa_hdr).
+        */
        ls_length -= sizeof(struct lsa_hdr);
 
        switch (GET_U_1(lsap->ls_hdr.ls_type)) {
 
        case LS_TYPE_ROUTER:
-               ND_TCHECK_1(lsap->lsa_un.un_rla.rla_flags);
                ND_PRINT("\n\t    Router LSA Options: [%s]",
                          bittok2str(ospf_rla_flag_values, "none", GET_U_1(lsap->lsa_un.un_rla.rla_flags)));
 
-               ND_TCHECK_2(lsap->lsa_un.un_rla.rla_count);
-               j = GET_BE_U_2(lsap->lsa_un.un_rla.rla_count);
+               rla_count = GET_BE_U_2(lsap->lsa_un.un_rla.rla_count);
                ND_TCHECK_SIZE(lsap->lsa_un.un_rla.rla_link);
                rlp = lsap->lsa_un.un_rla.rla_link;
-               while (j--) {
+               for (u_int i = rla_count; i != 0; i--) {
                        ND_TCHECK_SIZE(rlp);
                        switch (GET_U_1(rlp->un_tos.link.link_type)) {
 
@@ -689,7 +697,6 @@ ospf_print_lsa(netdissect_options *ndo,
                break;
 
        case LS_TYPE_NETWORK:
-               ND_TCHECK_4(lsap->lsa_un.un_nla.nla_mask);
                ND_PRINT("\n\t    Mask %s\n\t    Connected Routers:",
                    GET_IPADDR_STRING(lsap->lsa_un.un_nla.nla_mask));
                ap = lsap->lsa_un.un_nla.nla_router;
@@ -709,7 +716,6 @@ ospf_print_lsa(netdissect_options *ndo,
                while (lp < ls_end) {
                        uint32_t ul;
 
-                       ND_TCHECK_4(lp);
                        ul = GET_BE_U_4(lp);
                         topology = (ul & SLA_MASK_TOS) >> SLA_SHIFT_TOS;
                        ND_PRINT("\n\t\ttopology %s (%u) metric %u",
@@ -726,7 +732,6 @@ ospf_print_lsa(netdissect_options *ndo,
                while (lp < ls_end) {
                        uint32_t ul;
 
-                       ND_TCHECK_4(lp);
                        ul = GET_BE_U_4(lp);
                         topology = (ul & SLA_MASK_TOS) >> SLA_SHIFT_TOS;
                        ND_PRINT("\n\t\ttopology %s (%u) metric %u",
@@ -748,7 +753,6 @@ ospf_print_lsa(netdissect_options *ndo,
                while ((const u_char *)almp < ls_end) {
                        uint32_t ul;
 
-                       ND_TCHECK_4(almp->asla_tosmetric);
                        ul = GET_BE_U_4(almp->asla_tosmetric);
                         topology = ((ul & ASLA_MASK_TOS) >> ASLA_SHIFT_TOS);
                        ND_PRINT("\n\t\ttopology %s (%u), type %u, metric",
@@ -760,11 +764,9 @@ ospf_print_lsa(netdissect_options *ndo,
                        else
                                ND_PRINT(" %u", (ul & ASLA_MASK_METRIC));
 
-                       ND_TCHECK_4(almp->asla_forward);
                        if (GET_IPV4_TO_NETWORK_ORDER(almp->asla_forward) != 0) {
                                ND_PRINT(", forward %s", GET_IPADDR_STRING(almp->asla_forward));
                        }
-                       ND_TCHECK_4(almp->asla_tag);
                        if (GET_IPV4_TO_NETWORK_ORDER(almp->asla_tag) != 0) {
                                ND_PRINT(", tag %s", GET_IPADDR_STRING(almp->asla_tag));
                        }
@@ -776,7 +778,6 @@ ospf_print_lsa(netdissect_options *ndo,
                /* Multicast extensions as of 23 July 1991 */
                mcp = lsap->lsa_un.un_mcla;
                while ((const u_char *)mcp < ls_end) {
-                       ND_TCHECK_4(mcp->mcla_vid);
                        switch (GET_BE_U_4(mcp->mcla_vtype)) {
 
                        case MCLA_VERTEX_ROUTER:
@@ -806,25 +807,26 @@ ospf_print_lsa(netdissect_options *ndo,
             case LS_OPAQUE_TYPE_RI:
                tptr = (const uint8_t *)(lsap->lsa_un.un_ri_tlv);
 
-               while (ls_length != 0) {
+               u_int ls_length_remaining = ls_length;
+               while (ls_length_remaining != 0) {
                     ND_TCHECK_4(tptr);
-                   if (ls_length < 4) {
-                        ND_PRINT("\n\t    Remaining LS length %u < 4", ls_length);
+                   if (ls_length_remaining < 4) {
+                        ND_PRINT("\n\t    Remaining LS length %u < 4", ls_length_remaining);
                         return(ls_end);
                     }
                     tlv_type = GET_BE_U_2(tptr);
                     tlv_length = GET_BE_U_2(tptr + 2);
                     tptr+=4;
-                    ls_length-=4;
+                    ls_length_remaining-=4;
 
                     ND_PRINT("\n\t    %s TLV (%u), length: %u, value: ",
                            tok2str(lsa_opaque_ri_tlv_values,"unknown",tlv_type),
                            tlv_type,
                            tlv_length);
 
-                    if (tlv_length > ls_length) {
-                        ND_PRINT("\n\t    Bogus length %u > %u", tlv_length,
-                            ls_length);
+                    if (tlv_length > ls_length_remaining) {
+                        ND_PRINT("\n\t    Bogus length %u > remaining LS length %u", tlv_length,
+                            ls_length_remaining);
                         return(ls_end);
                     }
                     ND_TCHECK_LEN(tptr, tlv_length);
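Review bot: `ND_TCHECK_4(tptr)` still runs before the `ls_length_remaining < 4` test, so an RI LSA with 1 to 3 trailing bytes that ends at the capture boundary takes the truncation path and never reaches the `Remaining LS length` message. The commit drops the matching `ND_TCHECK_4` in the TE link loop and appears to rely on `GET_BE_U_2()` for bounds checking, so here the length test could go first and the `ND_TCHECK_4(tptr);` line be removed. Separately, `u_int ls_length_remaining = ls_length;` is declared directly under a case label without braces, which leaves it in scope but uninitialised for any later case of the same switch. Declaring it with the other locals at the top of ospf_print_lsa(), or bracing the case body, avoids that. The loop body continues outside this hunk.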
@@ -847,7 +849,7 @@ ospf_print_lsa(netdissect_options *ndo,
 
                     }
                     tptr+=tlv_length;
-                    ls_length-=tlv_length;
+                    ls_length_remaining-=tlv_length;
                 }
                 break;
 
@@ -926,24 +928,19 @@ ospf_decode_lls(netdissect_options *ndo,
         ND_PRINT("\n\t[LLS truncated]");
         return (1);
     }
-    ND_TCHECK_2(dptr);
     ND_PRINT("\n\t  LLS: checksum: 0x%04x", (u_int) GET_BE_U_2(dptr));
 
     dptr += 2;
-    ND_TCHECK_2(dptr);
     length2 = GET_BE_U_2(dptr);
     ND_PRINT(", length: %u", length2);
 
     dptr += 2;
-    ND_TCHECK_1(dptr);
     while (dptr < dataend) {
-        ND_TCHECK_2(dptr);
         lls_type = GET_BE_U_2(dptr);
         ND_PRINT("\n\t    %s (%u)",
                tok2str(ospf_lls_tlv_values,"Unknown TLV",lls_type),
                lls_type);
         dptr += 2;
-        ND_TCHECK_2(dptr);
         lls_len = GET_BE_U_2(dptr);
         ND_PRINT(", length: %u", lls_len);
         dptr += 2;
@@ -954,7 +951,6 @@ ospf_decode_lls(netdissect_options *ndo,
                 ND_PRINT(" [should be 4]");
                 lls_len = 4;
             }
-            ND_TCHECK_4(dptr);
             lls_flags = GET_BE_U_4(dptr);
             ND_PRINT("\n\t      Options: 0x%08x [%s]", lls_flags,
                    bittok2str(ospf_lls_eo_options, "?", lls_flags));
@@ -966,7 +962,6 @@ ospf_decode_lls(netdissect_options *ndo,
                 ND_PRINT(" [should be 20]");
                 lls_len = 20;
             }
-            ND_TCHECK_4(dptr);
             ND_PRINT("\n\t      Sequence number: 0x%08x", GET_BE_U_4(dptr));
             break;
         }
@@ -975,8 +970,6 @@ ospf_decode_lls(netdissect_options *ndo,
     }
 
     return (0);
-trunc:
-    return (1);
 }
 
 static int
@@ -992,23 +985,19 @@ ospf_decode_v2(netdissect_options *ndo,
        switch (GET_U_1(op->ospf_type)) {
 
        case OSPF_TYPE_HELLO:
-               ND_TCHECK_1(op->ospf_hello.hello_options);
                ND_PRINT("\n\tOptions [%s]",
                          bittok2str(ospf_option_values,"none",GET_U_1(op->ospf_hello.hello_options)));
 
-               ND_TCHECK_4(op->ospf_hello.hello_deadint);
                ND_PRINT("\n\t  Hello Timer %us, Dead Timer %us, Mask %s, Priority %u",
                          GET_BE_U_2(op->ospf_hello.hello_helloint),
                          GET_BE_U_4(op->ospf_hello.hello_deadint),
                          GET_IPADDR_STRING(op->ospf_hello.hello_mask),
                          GET_U_1(op->ospf_hello.hello_priority));
 
-               ND_TCHECK_4(op->ospf_hello.hello_dr);
                if (GET_IPV4_TO_NETWORK_ORDER(op->ospf_hello.hello_dr) != 0)
                        ND_PRINT("\n\t  Designated Router %s",
                            GET_IPADDR_STRING(op->ospf_hello.hello_dr));
 
-               ND_TCHECK_4(op->ospf_hello.hello_bdr);
                if (GET_IPV4_TO_NETWORK_ORDER(op->ospf_hello.hello_bdr) != 0)
                        ND_PRINT(", Backup Designated Router %s",
                                  GET_IPADDR_STRING(op->ospf_hello.hello_bdr));
@@ -1024,18 +1013,14 @@ ospf_decode_v2(netdissect_options *ndo,
                break;  /* HELLO */
 
        case OSPF_TYPE_DD:
-               ND_TCHECK_1(op->ospf_db.db_options);
                ND_PRINT("\n\tOptions [%s]",
                          bittok2str(ospf_option_values, "none", GET_U_1(op->ospf_db.db_options)));
-               ND_TCHECK_1(op->ospf_db.db_flags);
                ND_PRINT(", DD Flags [%s]",
                          bittok2str(ospf_dd_flag_values, "none", GET_U_1(op->ospf_db.db_flags)));
-               ND_TCHECK_2(op->ospf_db.db_ifmtu);
                if (GET_BE_U_2(op->ospf_db.db_ifmtu)) {
                        ND_PRINT(", MTU: %u",
                                 GET_BE_U_2(op->ospf_db.db_ifmtu));
                }
-               ND_TCHECK_4(op->ospf_db.db_seq);
                ND_PRINT(", Sequence: 0x%08x", GET_BE_U_4(op->ospf_db.db_seq));
 
                /* Print all the LS adv's */
@@ -1077,7 +1062,6 @@ ospf_decode_v2(netdissect_options *ndo,
 
        case OSPF_TYPE_LS_UPDATE:
                 lsap = op->ospf_lsu.lsu_lsa;
-                ND_TCHECK_4(op->ospf_lsu.lsu_count);
                 lsa_count_max = GET_BE_U_4(op->ospf_lsu.lsu_count);
                 ND_PRINT(", %u LSA%s", lsa_count_max, PLURAL_SUFFIX(lsa_count_max));
                 for (lsa_count=1;lsa_count <= lsa_count_max;lsa_count++) {
@@ -1116,7 +1100,6 @@ ospf_print(netdissect_options *ndo,
        op = (const struct ospfhdr *)bp;
 
        /* XXX Before we do anything else, strip off the MD5 trailer */
-       ND_TCHECK_2(op->ospf_authtype);
        if (GET_BE_U_2(op->ospf_authtype) == OSPF_AUTH_MD5) {
                length -= OSPF_AUTH_MD5_LEN;
                ndo->ndo_snapend -= OSPF_AUTH_MD5_LEN;
@@ -1124,7 +1107,6 @@ ospf_print(netdissect_options *ndo,
 
        /* If the type is valid translate it, or just print the type */
        /* value.  If it's not valid, say so and return */
-       ND_TCHECK_1(op->ospf_type);
        cp = tok2str(type2str, "unknown LS-type %u", GET_U_1(op->ospf_type));
        ND_PRINT("OSPFv%u, %s, length %u", GET_U_1(op->ospf_version), cp,
                 length);
@@ -1135,7 +1117,6 @@ ospf_print(netdissect_options *ndo,
                return;
        }
 
-       ND_TCHECK_2(op->ospf_len);
        if (length != GET_BE_U_2(op->ospf_len)) {
                ND_PRINT(" [len %u]", GET_BE_U_2(op->ospf_len));
        }
@@ -1146,10 +1127,8 @@ ospf_print(netdissect_options *ndo,
                dataend = bp + length;
        }
 
-       ND_TCHECK_4(op->ospf_routerid);
        ND_PRINT("\n\tRouter-ID %s", GET_IPADDR_STRING(op->ospf_routerid));
 
-       ND_TCHECK_4(op->ospf_areaid);
        if (GET_IPV4_TO_NETWORK_ORDER(op->ospf_areaid) != 0)
                ND_PRINT(", Area %s", GET_IPADDR_STRING(op->ospf_areaid));
        else