CVE-2016-7931/Add bounds and length checks.
[tcpdump] / print-telnet.c
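index 6a2680b413c8140a76e7da4f017fb342194b8898..a66403468be78646498ca38e4099111cb500e046 100644
--- a/print-telnet.c
+++ b/print-telnet.c
  *      are preserved in all copies.
  */
 
-#define NETDISSECT_REWORKED
+/* \summary: Telnet option printer */
+
 #ifdef HAVE_CONFIG_H
 #include "config.h"
 #endif
 
-#include <tcpdump-stdinc.h>
+#include <netdissect-stdinc.h>
 
 #include <stdio.h>
 
-#include "interface.h"
+#include "netdissect.h"
+
+static const char tstr[] = " [|telnet]";
 
 #define TELCMDS
 #define TELOPTS
@@ -88,7 +91,7 @@
 #define SYNCH  242             /* for telfunc calls */
 
 #ifdef TELCMDS
-const char *telcmds[] = {
+static const char *telcmds[] = {
        "EOF", "SUSP", "ABORT", "EOR",
        "SE", "NOP", "DMARK", "BRK", "IP", "AO", "AYT", "EC",
        "EL", "GA", "SB", "WILL", "WONT", "DO", "DONT", "IAC", 0,
@@ -149,7 +152,7 @@ extern char *telcmds[];
 
 #define        NTELOPTS        (1+TELOPT_NEW_ENVIRON)
 #ifdef TELOPTS
-const char *telopts[NTELOPTS+1] = {
+static const char *telopts[NTELOPTS+1] = {
        "BINARY", "ECHO", "RCP", "SUPPRESS GO AHEAD", "NAME",
        "STATUS", "TIMING MARK", "RCTE", "NAOL", "NAOP",
        "NAOCRD", "NAOHTS", "NAOHTD", "NAOFFD", "NAOVTS",
@@ -434,6 +437,7 @@ telnet_parse(netdissect_options *ndo, const u_char *sp, u_int length, int print)
                /* IAC SB .... IAC SE */
                p = sp;
                while (length > (u_int)(p + 1 - sp)) {
+                       ND_TCHECK2(*p, 2);
                        if (p[0] == IAC && p[1] == SE)
                                break;
                        p++;
@@ -494,7 +498,7 @@ done:
        return sp - osp;
 
 trunc:
-       ND_PRINT((ndo, "[|telnet]"));
+       ND_PRINT((ndo, "%s", tstr));
 pktend:
        return -1;
 #undef FETCH
@@ -509,7 +513,12 @@ telnet_print(netdissect_options *ndo, const u_char *sp, u_int length)
 
        osp = sp;
 
+       ND_TCHECK(*sp);
        while (length > 0 && *sp == IAC) {
+               /*
+                * Parse the Telnet command without printing it,
+                * to determine its length.
+                */
                l = telnet_parse(ndo, sp, length, 0);
                if (l < 0)
                        break;
@@ -533,6 +542,7 @@ telnet_print(netdissect_options *ndo, const u_char *sp, u_int length)
 
                sp += l;
                length -= l;
+               ND_TCHECK(*sp);
        }
        if (!first) {
                if (ndo->ndo_Xflag && 2 < ndo->ndo_vflag)
@@ -540,4 +550,7 @@ telnet_print(netdissect_options *ndo, const u_char *sp, u_int length)
                else
                        ND_PRINT((ndo, "]"));
        }
+       return;
+trunc:
+       ND_PRINT((ndo, "%s", tstr));
 }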
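Review bot: In telnet_print, both added `ND_TCHECK(*sp);` calls (the one before the loop and the one after `length -= l;`) run without looking at `length`, so when the last command ends exactly where the captured data ends the check fails although no Telnet byte is missing, and a complete payload is reported with ` [|telnet]`. The jump to `trunc` also bypasses the `if (!first)` block, so the closing `]` is not printed on that path and the output line is left unbalanced. Testing the length before the bounds check keeps the protection and avoids the false marker: `while (length > 0) { ND_TCHECK(*sp); if (*sp != IAC) break;`, with the two standalone checks dropped. The part of telnet_print between the hunks is not shown, so whether anything there depends on the current order should be confirmed before changing it.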