Avoid -E and -M options inconsistencies with no libcrypto

[tcpdump] / print-ip.c

diff --git a/print-ip.c b/print-ip.c
index 5edc62215e2751d4d5f4dfb65b517f6faaf191c0..9621dada32b1821e51ba960f6f722b2d9b86b2c4 100644 (file)
--- a/print-ip.c
+++ b/print-ip.c
@@ -358,9 +358,11 @@ ip_print(netdissect_options *ndo,
 
        ND_TCHECK_SIZE(ip);
        /*
-        * Cut off the snapshot length to the end of the IP payload.
+        * Cut off the snapshot length to the end of the IP payload
+        * or the end of the data in which it's contained, whichever
+        * comes first.
         */
-       if (!nd_push_snaplen(ndo, bp, len)) {
+       if (!nd_push_snaplen(ndo, bp, ND_MIN(length, len))) {
                (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
                        "%s: can't push snaplen on buffer stack", __func__);
        }
@@ -414,7 +416,7 @@ ip_print(netdissect_options *ndo,
            else
                 ND_PRINT(", length %u", GET_BE_U_2(ip->ip_len));
 
-            if ((hlen - sizeof(struct ip)) > 0) {
+            if ((hlen > sizeof(struct ip))) {
                 ND_PRINT(", options (");
                 if (ip_optprint(ndo, (const u_char *)(ip + 1),
                     hlen - sizeof(struct ip)) == -1) {
@@ -424,7 +426,7 @@ ip_print(netdissect_options *ndo,
                 ND_PRINT(")");
             }
 
-           if (!ndo->ndo_Kflag && (const u_char *)ip + hlen <= ndo->ndo_snapend) {
+           if (!ndo->ndo_Kflag && ND_TTEST_LEN((const u_char *)ip, hlen)) {
                vec[0].ptr = (const uint8_t *)(const void *)ip;
                vec[0].len = hlen;
                sum = in_cksum(vec, 1);