CVE-2017-13023/IPv6 mobility: Add a bounds check before fetching data

[tcpdump] / print-mobility.c

diff --git a/print-mobility.c b/print-mobility.c
index 8cb32c18a0da8a89e757f44ffe45344c38b3fb5f..36dfbeb8bec8f102f8248ace63e2c54a5aedb8a7 100644 (file)
--- a/print-mobility.c
+++ b/print-mobility.c
@@ -36,11 +36,12 @@
 
 #include <netdissect-stdinc.h>
 
-#include "ip6.h"
 #include "netdissect.h"
 #include "addrtoname.h"
 #include "extract.h"
 
+#include "ip6.h"
+
 static const char tstr[] = "[|MOBILITY]";
 
 /* Mobility header */
@@ -149,6 +150,7 @@ mobility_opt_print(netdissect_options *ndo,
                                goto trunc;
                        }
                        /* units of 4 secs */
+                       ND_TCHECK_16BITS(&bp[i+2]);
                        ND_PRINT((ndo, "(refresh: %u)",
                                EXTRACT_16BITS(&bp[i+2]) << 2));
                        break;