CVE-2017-13029/PPP: Fix a bounds check, and clean up other bounds checks.

[tcpdump] / print-pim.c

diff --git a/print-pim.c b/print-pim.c
index ed880ae72db09c7efa77a216538f17be089b1bd7..ee18d958132e84d3b5e0f5afebc59fac63eb423e 100644 (file)
--- a/print-pim.c
+++ b/print-pim.c
@@ -730,7 +730,11 @@ pimv2_print(netdissect_options *ndo,
 
                        switch (otype) {
                        case PIMV2_HELLO_OPTION_HOLDTIME:
-                               unsigned_relts_print(ndo, EXTRACT_16BITS(bp));
+                               if (olen != 2) {
+                                       ND_PRINT((ndo, "ERROR: Option Length != 2 Bytes (%u)", olen));
+                               } else {
+                                       unsigned_relts_print(ndo, EXTRACT_16BITS(bp));
+                               }
                                break;
 
                        case PIMV2_HELLO_OPTION_LANPRUNEDELAY:
@@ -764,17 +768,25 @@ pimv2_print(netdissect_options *ndo,
                                break;
 
                        case PIMV2_HELLO_OPTION_GENID:
-                               ND_PRINT((ndo, "0x%08x", EXTRACT_32BITS(bp)));
+                               if (olen != 4) {
+                                       ND_PRINT((ndo, "ERROR: Option Length != 4 Bytes (%u)", olen));
+                               } else {
+                                       ND_PRINT((ndo, "0x%08x", EXTRACT_32BITS(bp)));
+                               }
                                break;
 
                        case PIMV2_HELLO_OPTION_REFRESH_CAP:
-                               ND_PRINT((ndo, "v%d", *bp));
-                               if (*(bp+1) != 0) {
-                                       ND_PRINT((ndo, ", interval "));
-                                       unsigned_relts_print(ndo, *(bp+1));
-                               }
-                               if (EXTRACT_16BITS(bp+2) != 0) {
-                                       ND_PRINT((ndo, " ?0x%04x?", EXTRACT_16BITS(bp+2)));
+                               if (olen != 4) {
+                                       ND_PRINT((ndo, "ERROR: Option Length != 4 Bytes (%u)", olen));
+                               } else {
+                                       ND_PRINT((ndo, "v%d", *bp));
+                                       if (*(bp+1) != 0) {
+                                               ND_PRINT((ndo, ", interval "));
+                                               unsigned_relts_print(ndo, *(bp+1));
+                                       }
+                                       if (EXTRACT_16BITS(bp+2) != 0) {
+                                               ND_PRINT((ndo, " ?0x%04x?", EXTRACT_16BITS(bp+2)));
+                                       }
                                }
                                break;