CVE-2017-13687/CHDLC: Improve bounds and length checks.
[tcpdump] / print-fr.c
index 7ce16a5866571241bf61fbfcc61a6b8677f7f203..da7ee25f0ab42c3deac9efdec3cb8342d6f5ef7a 100644 (file)
@@ -276,7 +276,8 @@ fr_print(netdissect_options *ndo,
                         if (ethertype_print(ndo, extracted_ethertype,
                                             p+addr_len+ETHERTYPE_LEN,
                                             length-addr_len-ETHERTYPE_LEN,
-                                            length-addr_len-ETHERTYPE_LEN) == 0)
+                                            ndo->ndo_snapend-p-addr_len-ETHERTYPE_LEN,
+                                            NULL, NULL) == 0)
                                 /* ether_type not known, probably it wasn't one */
                                 ND_PRINT((ndo, "UI %02x! ", p[addr_len]));
                         else
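Review bot: The new caplen arguments are raw pointer differences (`ndo->ndo_snapend-p-addr_len-ETHERTYPE_LEN` here, and `ndo->ndo_snapend - p + 1` / `ndo->ndo_snapend - p` in the isoclns_print and snap_print calls of the next hunk), and nothing in these hunks shows that the offset pointer is still at or before `ndo_snapend`. If it were past the end, the negative difference would presumably be converted to a very large unsigned caplen and defeat the bound this commit introduces. The guard may well exist earlier in fr_print, which starts outside the hunk; if so, a comment at the call such as `/* caplen: bytes captured after the Ethertype; the check above guarantees addr_len + ETHERTYPE_LEN bytes are present */` would make that dependency explicit. The fallback read of `p[addr_len]` on the "UI" line relies on the same guard.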
@@ -328,11 +329,11 @@ fr_print(netdissect_options *ndo,
        case NLPID_CLNP:
        case NLPID_ESIS:
        case NLPID_ISIS:
-               isoclns_print(ndo, p - 1, length + 1, length + 1); /* OSI printers need the NLPID field */
+               isoclns_print(ndo, p - 1, length + 1, ndo->ndo_snapend - p + 1); /* OSI printers need the NLPID field */
                break;
 
        case NLPID_SNAP:
-               if (snap_print(ndo, p, length, length, NULL, NULL, 0) == 0) {
+               if (snap_print(ndo, p, length, ndo->ndo_snapend - p, NULL, NULL, 0) == 0) {
                        /* ether_type not known, print raw packet */
                         if (!ndo->ndo_eflag)
                             fr_hdr_print(ndo, length + hdr_len, hdr_len,
@@ -619,10 +620,10 @@ frf15_print(netdissect_options *ndo,
  * model is end-to-end or interface based wether we want to print
  * another Q.922 header
  */
-     return;
+    return;
 
 trunc:
-     ND_PRINT((ndo, "[|frf.15]"));
+    ND_PRINT((ndo, "[|frf.15]"));
 }
 
 /*
@@ -905,6 +906,7 @@ q933_print(netdissect_options *ndo,
        ND_PRINT((ndo, "%s, codeset %u", is_ansi ? "ANSI" : "CCITT", codeset));
 
        if (call_ref_length != 0) {
+               ND_TCHECK(p[0]);
                if (call_ref_length > 1 || p[0] != 0) {
                        /*
                         * Not a dummy call reference.
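Review bot: `ND_TCHECK(p[0])` covers a single byte, but the branch below is also entered when `call_ref_length > 1`, so any further call-reference bytes read through `p` inside it would need to be covered as well, for example `ND_TCHECK2(p[0], call_ref_length);` if they are read from the packet at this point. The body of the branch and the truncation label the macro jumps to are outside the hunk, so this may already be handled where the call reference is collected. A short comment stating which bytes have been verified by the time this test runs would settle it for the next reader.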
@@ -1092,7 +1094,7 @@ fr_q933_print_ie_codeset_0_5(netdissect_options *ndo, u_int iecode,
                 ND_PRINT((ndo, ", "));
            }
             if (ielength < 2) {
-                ND_PRINT((ndo, "Invalid VERIFY IE"));
+                ND_PRINT((ndo, "Invalid LINK VERIFY IE"));
                 return 1;
             }
             ND_PRINT((ndo, "TX Seq: %3d, RX Seq: %3d", p[0], p[1]));
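Review bot: The `ielength < 2` test checks the length the IE declares, not the bytes actually captured, and the `p[0]`/`p[1]` reads that follow have no capture check of their own in this hunk; the same holds for the `p[3]` and `p[ielength - 1]` reads in the PVC STATUS condition of the next hunk. If the caller has already verified that `ielength` bytes at `p` are within the capture, a comment at the top of fr_q933_print_ie_codeset_0_5 saying so would help, e.g. `/* caller has checked that ielength bytes at p are captured */`. Otherwise a check such as `ND_TCHECK2(p[0], 2);` before the print would be needed, which in turn requires a truncation label in this function. The function starts and ends outside the hunk.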
@@ -1112,7 +1114,7 @@ fr_q933_print_ie_codeset_0_5(netdissect_options *ndo, u_int iecode,
                                    !(p[3] & 0x80))) ||
                 (ielength > 5) ||
                 !(p[ielength - 1] & 0x80)) {
-                ND_PRINT((ndo, "Invalid DLCI IE"));
+                ND_PRINT((ndo, "Invalid DLCI in PVC STATUS IE"));
                 return 1;
            }