(for 4.9.3) CVE-2018-14461/LDP: Fix a bounds check

[tcpdump] / print-ldp.c

diff --git a/print-ldp.c b/print-ldp.c
index 1bb27fe4169535619ac2f0cf8ce048625de0f5f4..afd943d0a5e593fe53697dfc52cc818f086ed5a2 100644 (file)
--- a/print-ldp.c
+++ b/print-ldp.c
@@ -29,6 +29,8 @@
 #include "l2vpn.h"
 #include "af.h"
 
+static const char tstr[] = " [|LDP]";
+
 /*
  * ldp common header
  *
@@ -486,7 +488,7 @@ ldp_tlv_print(netdissect_options *ndo,
        break;
 
     case LDP_TLV_FT_SESSION:
-       TLV_TCHECK(8);
+       TLV_TCHECK(12);
        ft_flags = EXTRACT_16BITS(tptr);
        ND_PRINT((ndo, "\n\t      Flags: [%sReconnect, %sSave State, %sAll-Label Protection, %s Checkpoint, %sRe-Learn State]",
               ft_flags&0x8000 ? "" : "No ",
@@ -494,6 +496,7 @@ ldp_tlv_print(netdissect_options *ndo,
               ft_flags&0x4 ? "" : "No ",
               ft_flags&0x2 ? "Sequence Numbered Label" : "All Labels",
               ft_flags&0x1 ? "" : "Don't "));
+       /* 16 bits (FT Flags) + 16 bits (Reserved) */
        tptr+=4;
        ui = EXTRACT_32BITS(tptr);
        if (ui)
@@ -534,7 +537,7 @@ ldp_tlv_print(netdissect_options *ndo,
     return(tlv_len+4); /* Type & Length fields not included */
 
 trunc:
-    ND_PRINT((ndo, "\n\t\t packet exceeded snapshot"));
+    ND_PRINT((ndo, "%s", tstr));
     return 0;
 
 badtlv:
@@ -692,7 +695,7 @@ ldp_pdu_print(netdissect_options *ndo,
     }
     return pdu_len+4;
 trunc:
-    ND_PRINT((ndo, "\n\t\t packet exceeded snapshot"));
+    ND_PRINT((ndo, "%s", tstr));
     return 0;
 }