Handle very large -f files by rejecting them.
[tcpdump] / print-bootp.c
index d6be1d5b631a509f6067adce944713850d076b4e..c076f4250756e241ffa6333fd2dfdf33dcefca77 100644 (file)
@@ -293,6 +293,7 @@ bootp_print(netdissect_options *ndo,
        ND_PRINT((ndo, "BOOTP/DHCP, %s",
                  tok2str(bootp_op_values, "unknown (0x%02x)", bp->bp_op)));
 
+       ND_TCHECK(bp->bp_hlen);
        if (bp->bp_htype == 1 && bp->bp_hlen == 6 && bp->bp_op == BOOTPREQUEST) {
                ND_TCHECK2(bp->bp_chaddr[0], 6);
                ND_PRINT((ndo, " from %s", etheraddr_string(ndo, bp->bp_chaddr)));
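Review bot: The added `ND_TCHECK(bp->bp_hlen)` guards the `bp_htype` read in the condition below only if `bp_htype` precedes `bp_hlen` in `struct bootp`, and that layout is not visible in this hunk. A short comment would make the dependency explicit, e.g. `/* bp_hlen follows bp_op and bp_htype, so this covers all three */`, once confirmed against the struct definition. Note also that `bp->bp_op` is already read in the `ND_PRINT` above the new check, so its own bounds check, if there is one, must sit above the hunk; bootp_print's body starts and ends outside it.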
@@ -321,6 +322,7 @@ bootp_print(netdissect_options *ndo,
        if (EXTRACT_16BITS(&bp->bp_secs))
                ND_PRINT((ndo, ", secs %d", EXTRACT_16BITS(&bp->bp_secs)));
 
+       ND_TCHECK(bp->bp_flags);
        ND_PRINT((ndo, ", Flags [%s]",
                  bittok2str(bootp_flag_values, "none", EXTRACT_16BITS(&bp->bp_flags))));
        if (ndo->ndo_vflag > 1)
@@ -355,7 +357,8 @@ bootp_print(netdissect_options *ndo,
        ND_TCHECK2(bp->bp_sname[0], 1);         /* check first char only */
        if (*bp->bp_sname) {
                ND_PRINT((ndo, "\n\t  sname \""));
-               if (fn_print(ndo, bp->bp_sname, ndo->ndo_snapend)) {
+               if (fn_printztn(ndo, bp->bp_sname, (u_int)sizeof bp->bp_sname,
+                   ndo->ndo_snapend) == 0) {
                        ND_PRINT((ndo, "\""));
                        ND_PRINT((ndo, "%s", tstr + 1));
                        return;
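Review bot: The test changes from `if (fn_print(...))` to `if (fn_printztn(...) == 0)` without a comment, and the two helpers signal truncation with opposite return conventions, so the `== 0` is easy to misread as a success check. A one-line comment above the call would help, e.g. `/* fn_printztn() returns 0 if the capture ends before the NUL or the end of the field */`. That comment could also say that bounding the print by `sizeof bp->bp_sname` is what stops an unterminated sname from being printed on into the fields that follow. The same applies to the `bp_file` call in the next hunk.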
@@ -365,7 +368,8 @@ bootp_print(netdissect_options *ndo,
        ND_TCHECK2(bp->bp_file[0], 1);          /* check first char only */
        if (*bp->bp_file) {
                ND_PRINT((ndo, "\n\t  file \""));
-               if (fn_print(ndo, bp->bp_file, ndo->ndo_snapend)) {
+               if (fn_printztn(ndo, bp->bp_file, (u_int)sizeof bp->bp_file,
+                   ndo->ndo_snapend) == 0) {
                        ND_PRINT((ndo, "\""));
                        ND_PRINT((ndo, "%s", tstr + 1));
                        return;
@@ -374,7 +378,7 @@ bootp_print(netdissect_options *ndo,
        }
 
        /* Decode the vendor buffer */
-       ND_TCHECK(bp->bp_vend[0]);
+       ND_TCHECK2(bp->bp_vend[0], 4);
        if (memcmp((const char *)bp->bp_vend, vm_rfc1048,
                    sizeof(uint32_t)) == 0)
                rfc1048_print(ndo, bp->bp_vend);
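Review bot: The length in `ND_TCHECK2(bp->bp_vend[0], 4)` is a bare literal, while the `memcmp` it protects on the next line uses `sizeof(uint32_t)` and the last hunk checks the same four bytes with `ND_TCHECK_32BITS(&bp->bp_vend)`. Using one spelling here as well, e.g. `ND_TCHECK_32BITS(&bp->bp_vend);`, keeps the check and the read visibly tied together. If the `else` in the last hunk belongs to this same if/else chain (the lines between are not shown), that second check is already covered by this one and could either be dropped or carry a comment saying it is kept deliberately.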
@@ -384,6 +388,7 @@ bootp_print(netdissect_options *ndo,
        else {
                uint32_t ul;
 
+               ND_TCHECK_32BITS(&bp->bp_vend);
                ul = EXTRACT_32BITS(&bp->bp_vend);
                if (ul != 0)
                        ND_PRINT((ndo, "\n\t  Vendor-#0x%x", ul));