]> The Tcpdump Group git mirrors - tcpdump/blobdiff - print-bootp.c
projects / tcpdump / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
CVE-2017-13045/VQP: add some bounds checks
[tcpdump] / print-bootp.c
diff --git a/print-bootp.c b/print-bootp.c
index d6be1d5b631a509f6067adce944713850d076b4e..d87911fdb206af48ffeffec146f849f48d9c175c 100644 (file)
--- a/print-bootp.c
+++ b/print-bootp.c
@@ -293,6 +293,7 @@ bootp_print(netdissect_options *ndo,
        ND_PRINT((ndo, "BOOTP/DHCP, %s",
                  tok2str(bootp_op_values, "unknown (0x%02x)", bp->bp_op)));
 
+       ND_TCHECK(bp->bp_hlen);
        if (bp->bp_htype == 1 && bp->bp_hlen == 6 && bp->bp_op == BOOTPREQUEST) {
                ND_TCHECK2(bp->bp_chaddr[0], 6);
                ND_PRINT((ndo, " from %s", etheraddr_string(ndo, bp->bp_chaddr)));
@@ -321,6 +322,7 @@ bootp_print(netdissect_options *ndo,
        if (EXTRACT_16BITS(&bp->bp_secs))
                ND_PRINT((ndo, ", secs %d", EXTRACT_16BITS(&bp->bp_secs)));
 
+       ND_TCHECK(bp->bp_flags);
        ND_PRINT((ndo, ", Flags [%s]",
                  bittok2str(bootp_flag_values, "none", EXTRACT_16BITS(&bp->bp_flags))));
        if (ndo->ndo_vflag > 1)
@@ -355,7 +357,8 @@ bootp_print(netdissect_options *ndo,
        ND_TCHECK2(bp->bp_sname[0], 1);         /* check first char only */
        if (*bp->bp_sname) {
                ND_PRINT((ndo, "\n\t  sname \""));
-               if (fn_print(ndo, bp->bp_sname, ndo->ndo_snapend)) {
+               if (fn_printztn(ndo, bp->bp_sname, (u_int)sizeof bp->bp_sname,
+                   ndo->ndo_snapend)) {
                        ND_PRINT((ndo, "\""));
                        ND_PRINT((ndo, "%s", tstr + 1));
                        return;
@@ -365,7 +368,8 @@ bootp_print(netdissect_options *ndo,
        ND_TCHECK2(bp->bp_file[0], 1);          /* check first char only */
        if (*bp->bp_file) {
                ND_PRINT((ndo, "\n\t  file \""));
-               if (fn_print(ndo, bp->bp_file, ndo->ndo_snapend)) {
+               if (fn_printztn(ndo, bp->bp_file, (u_int)sizeof bp->bp_file,
+                   ndo->ndo_snapend)) {
                        ND_PRINT((ndo, "\""));
                        ND_PRINT((ndo, "%s", tstr + 1));
                        return;
[mirror] the TCPdump network dissector