(for 4.9.3) CVE-2018-14880/OSPFv3: Fix a bounds check
[tcpdump] / print-telnet.c
index ae29b4749a21092f088f8844a2e34d3241884062..10fad9fef7f6a5b8c9a045c8f59eeeccb0873829 100644 (file)
  *      are preserved in all copies.
  */
 
  *      are preserved in all copies.
  */
 
+/* \summary: Telnet option printer */
+
 #ifdef HAVE_CONFIG_H
 #include "config.h"
 #endif
 
 #ifdef HAVE_CONFIG_H
 #include "config.h"
 #endif
 
-#include <tcpdump-stdinc.h>
+#include <netdissect-stdinc.h>
 
 #include <stdio.h>
 
 #include "netdissect.h"
 
 
 #include <stdio.h>
 
 #include "netdissect.h"
 
+static const char tstr[] = " [|telnet]";
+
 #define TELCMDS
 #define TELOPTS
 
 #define TELCMDS
 #define TELOPTS
 
@@ -87,7 +91,7 @@
 #define SYNCH  242             /* for telfunc calls */
 
 #ifdef TELCMDS
 #define SYNCH  242             /* for telfunc calls */
 
 #ifdef TELCMDS
-const char *telcmds[] = {
+static const char *telcmds[] = {
        "EOF", "SUSP", "ABORT", "EOR",
        "SE", "NOP", "DMARK", "BRK", "IP", "AO", "AYT", "EC",
        "EL", "GA", "SB", "WILL", "WONT", "DO", "DONT", "IAC", 0,
        "EOF", "SUSP", "ABORT", "EOR",
        "SE", "NOP", "DMARK", "BRK", "IP", "AO", "AYT", "EC",
        "EL", "GA", "SB", "WILL", "WONT", "DO", "DONT", "IAC", 0,
@@ -148,7 +152,7 @@ extern char *telcmds[];
 
 #define        NTELOPTS        (1+TELOPT_NEW_ENVIRON)
 #ifdef TELOPTS
 
 #define        NTELOPTS        (1+TELOPT_NEW_ENVIRON)
 #ifdef TELOPTS
-const char *telopts[NTELOPTS+1] = {
+static const char *telopts[NTELOPTS+1] = {
        "BINARY", "ECHO", "RCP", "SUPPRESS GO AHEAD", "NAME",
        "STATUS", "TIMING MARK", "RCTE", "NAOL", "NAOP",
        "NAOCRD", "NAOHTS", "NAOHTD", "NAOFFD", "NAOVTS",
        "BINARY", "ECHO", "RCP", "SUPPRESS GO AHEAD", "NAME",
        "STATUS", "TIMING MARK", "RCTE", "NAOL", "NAOP",
        "NAOCRD", "NAOHTS", "NAOHTD", "NAOFFD", "NAOVTS",
@@ -433,10 +437,12 @@ telnet_parse(netdissect_options *ndo, const u_char *sp, u_int length, int print)
                /* IAC SB .... IAC SE */
                p = sp;
                while (length > (u_int)(p + 1 - sp)) {
                /* IAC SB .... IAC SE */
                p = sp;
                while (length > (u_int)(p + 1 - sp)) {
+                       ND_TCHECK2(*p, 2);
                        if (p[0] == IAC && p[1] == SE)
                                break;
                        p++;
                }
                        if (p[0] == IAC && p[1] == SE)
                                break;
                        p++;
                }
+               ND_TCHECK(*p);
                if (*p != IAC)
                        goto pktend;
 
                if (*p != IAC)
                        goto pktend;
 
@@ -493,7 +499,7 @@ done:
        return sp - osp;
 
 trunc:
        return sp - osp;
 
 trunc:
-       ND_PRINT((ndo, "[|telnet]"));
+       ND_PRINT((ndo, "%s", tstr));
 pktend:
        return -1;
 #undef FETCH
 pktend:
        return -1;
 #undef FETCH
@@ -508,6 +514,7 @@ telnet_print(netdissect_options *ndo, const u_char *sp, u_int length)
 
        osp = sp;
 
 
        osp = sp;
 
+       ND_TCHECK(*sp);
        while (length > 0 && *sp == IAC) {
                /*
                 * Parse the Telnet command without printing it,
        while (length > 0 && *sp == IAC) {
                /*
                 * Parse the Telnet command without printing it,
@@ -536,6 +543,7 @@ telnet_print(netdissect_options *ndo, const u_char *sp, u_int length)
 
                sp += l;
                length -= l;
 
                sp += l;
                length -= l;
+               ND_TCHECK(*sp);
        }
        if (!first) {
                if (ndo->ndo_Xflag && 2 < ndo->ndo_vflag)
        }
        if (!first) {
                if (ndo->ndo_Xflag && 2 < ndo->ndo_vflag)
@@ -543,4 +551,7 @@ telnet_print(netdissect_options *ndo, const u_char *sp, u_int length)
                else
                        ND_PRINT((ndo, "]"));
        }
                else
                        ND_PRINT((ndo, "]"));
        }
+       return;
+trunc:
+       ND_PRINT((ndo, "%s", tstr));
 }
 }
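Review bot: In telnet_print, both added `ND_TCHECK(*sp);` lines (before the `while` in the hunk at new line 514, and after `length -= l;` in the hunk at 543) run regardless of `length`, while the `*sp == IAC` read they protect is only reached when `length > 0`. When the Telnet data ends exactly at the end of the captured bytes, `length` is 0 and the check presumably still jumps to `trunc`, so ` [|telnet]` is printed for a packet that was not cut short. Tying the check to the loop's own condition keeps the bounds protection without the false marker: `if (length > 0 && !ND_TTEST(*sp)) goto trunc;`. The same shape appears in telnet_parse, where `ND_TCHECK(*p);` after the scan loop tests the byte at `sp` even if `length` is 0 on entry to that branch. Whether that can happen depends on code outside the hunks, since both function bodies start before the visible lines.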