(for 4.9.3) CVE-2018-14470/Babel: fix an existing length check
[tcpdump] / print-ldp.c
index 68149bba2447f988dc3ef94f9da2c30465649e2f..1bb27fe4169535619ac2f0cf8ce048625de0f5f4 100644 (file)
@@ -10,7 +10,7 @@
  * LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
  * FOR A PARTICULAR PURPOSE.
  *
  * LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
  * FOR A PARTICULAR PURPOSE.
  *
- * Original code by Hannes Gredler (hannes@juniper.net)
+ * Original code by Hannes Gredler (hannes@gredler.at)
  *  and Steinar Haug ([email protected])
  */
 
  *  and Steinar Haug ([email protected])
  */
 
@@ -210,7 +210,7 @@ static const struct tok ldp_fec_martini_ifparm_vccv_cv_values[] = {
     { 0, NULL}
 };
 
     { 0, NULL}
 };
 
-static int ldp_pdu_print(netdissect_options *, register const u_char *);
+static u_int ldp_pdu_print(netdissect_options *, register const u_char *);
 
 /*
  * ldp tlv header
 
 /*
  * ldp tlv header
@@ -379,17 +379,21 @@ ldp_tlv_print(netdissect_options *ndo,
        case LDP_FEC_HOSTADDRESS:
            break;
        case LDP_FEC_MARTINI_VC:
        case LDP_FEC_HOSTADDRESS:
            break;
        case LDP_FEC_MARTINI_VC:
+            /*
+             * We assume the type was supposed to be one of the MPLS
+             * Pseudowire Types.
+             */
+            TLV_TCHECK(7);
+            vc_info_len = *(tptr+2);
+
             /*
             * According to RFC 4908, the VC info Length field can be zero,
             * in which case not only are there no interface parameters,
             * there's no VC ID.
             */
             /*
             * According to RFC 4908, the VC info Length field can be zero,
             * in which case not only are there no interface parameters,
             * there's no VC ID.
             */
-            TLV_TCHECK(7);
-            vc_info_len = *(tptr+2);
-
             if (vc_info_len == 0) {
                 ND_PRINT((ndo, ": %s, %scontrol word, group-ID %u, VC-info-length: %u",
             if (vc_info_len == 0) {
                 ND_PRINT((ndo, ": %s, %scontrol word, group-ID %u, VC-info-length: %u",
-                       tok2str(l2vpn_encaps_values, "Unknown", EXTRACT_16BITS(tptr)&0x7fff),
+                       tok2str(mpls_pw_types_values, "Unknown", EXTRACT_16BITS(tptr)&0x7fff),
                        EXTRACT_16BITS(tptr)&0x8000 ? "" : "no ",
                        EXTRACT_32BITS(tptr+3),
                        vc_info_len));
                        EXTRACT_16BITS(tptr)&0x8000 ? "" : "no ",
                        EXTRACT_32BITS(tptr+3),
                        vc_info_len));
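Review bot: The moved `TLV_TCHECK(7)` has no comment saying what the 7 bytes cover, and the new comment above it only discusses the type field. Judging by the reads that follow (`EXTRACT_16BITS(tptr)`, `*(tptr+2)`, `EXTRACT_32BITS(tptr+3)`), it is 2 bytes of control-word bit plus type, 1 byte of VC info length and 4 bytes of group ID; I would note that next to the check, e.g. `/* 2 (C-bit + PW type) + 1 (VC info length) + 4 (group ID) */`, so the bound stays tied to the reads it protects. The retained comment cites RFC 4908, which does not look like the LDP pseudowire specification, so please confirm the number while this block is being touched. The same `tok2str` table swap is repeated in the hunk at -399, and `ldp_tlv_print` starts and ends outside both hunks.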
@@ -399,7 +403,7 @@ ldp_tlv_print(netdissect_options *ndo,
             /* Make sure we have the VC ID as well */
             TLV_TCHECK(11);
            ND_PRINT((ndo, ": %s, %scontrol word, group-ID %u, VC-ID %u, VC-info-length: %u",
             /* Make sure we have the VC ID as well */
             TLV_TCHECK(11);
            ND_PRINT((ndo, ": %s, %scontrol word, group-ID %u, VC-ID %u, VC-info-length: %u",
-                  tok2str(l2vpn_encaps_values, "Unknown", EXTRACT_16BITS(tptr)&0x7fff),
+                  tok2str(mpls_pw_types_values, "Unknown", EXTRACT_16BITS(tptr)&0x7fff),
                   EXTRACT_16BITS(tptr)&0x8000 ? "" : "no ",
                    EXTRACT_32BITS(tptr+3),
                   EXTRACT_32BITS(tptr+7),
                   EXTRACT_16BITS(tptr)&0x8000 ? "" : "no ",
                    EXTRACT_32BITS(tptr+3),
                   EXTRACT_32BITS(tptr+7),
@@ -542,17 +546,23 @@ void
 ldp_print(netdissect_options *ndo,
           register const u_char *pptr, register u_int len)
 {
 ldp_print(netdissect_options *ndo,
           register const u_char *pptr, register u_int len)
 {
-    int processed;
+    u_int processed;
     while (len > (sizeof(struct ldp_common_header) + sizeof(struct ldp_msg_header))) {
         processed = ldp_pdu_print(ndo, pptr);
         if (processed == 0)
             return;
     while (len > (sizeof(struct ldp_common_header) + sizeof(struct ldp_msg_header))) {
         processed = ldp_pdu_print(ndo, pptr);
         if (processed == 0)
             return;
+        if (len < processed) {
+            ND_PRINT((ndo, " [remaining length %u < %u]", len, processed));
+            ND_PRINT((ndo, "%s", istr));
+            break;
+
+        }
         len -= processed;
         pptr += processed;
     }
 }
 
         len -= processed;
         pptr += processed;
     }
 }
 
-static int
+static u_int
 ldp_pdu_print(netdissect_options *ndo,
               register const u_char *pptr)
 {
 ldp_pdu_print(netdissect_options *ndo,
               register const u_char *pptr)
 {
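Review bot: The new `if (len < processed)` guard in `ldp_print` has no comment saying why it is needed. `len` and `processed` are both `u_int`, so without the guard `len -= processed` would wrap to a very large value and the `while` would keep advancing `pptr`. I would add `/* never let the unsigned len wrap when the PDU claims more than is left */` above the check; how `processed` is derived is inside `ldp_pdu_print`, whose body is outside this hunk, so adjust the wording to match. There is also a stray blank line between `break;` and the closing brace, and this branch exits with `break` while the `processed == 0` case just above uses `return`; one form would read better. `istr` is not declared in the visible lines, and is presumably a file-scope string.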