Bounds-check the individual components of a SAP reply.
[tcpdump] / print-frag6.c
index 6a85cfe267e9e0c73ebcb8ad3c38903d951a1c65..1fd16f99270ee6250ef9a672c57ab92732fc02a4 100644 (file)
  */
 
 #ifndef lint
-static const char rcsid[] =
-    "@(#) /master/usr.sbin/tcpdump/tcpdump/print-icmp.c,v 2.1 1995/02/03 18:14:42 polk Exp (LBL)";
+static const char rcsid[] _U_ =
+    "@(#) $Header: /tcpdump/master/tcpdump/print-frag6.c,v 1.19.2.1 2005-04-20 22:33:21 guy Exp $";
 #endif
 
-#ifdef INET6
-
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/types.h>
-#include <sys/socket.h>
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
 
-#include <net/if.h>
+#ifdef INET6
 
-#include <netinet/in.h>
-#include <netinet/if_ether.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/ip_icmp.h>
-#include <netinet/ip_var.h>
-#include <netinet/udp.h>
-#include <netinet/udp_var.h>
-#include <netinet/tcp.h>
+#include <tcpdump-stdinc.h>
 
 #include <stdio.h>
 
-#include <netinet/ip6.h>
+#include "ip6.h"
 
 #include "interface.h"
 #include "addrtoname.h"
+#include "extract.h"
 
 int
 frag6_print(register const u_char *bp, register const u_char *bp2)
 {
        register const struct ip6_frag *dp;
        register const struct ip6_hdr *ip6;
-       register const u_char *ep;
-
-#if 0
-#define TCHECK(var) if ((u_char *)&(var) >= ep - sizeof(var)) goto trunc
-#endif
-
-       dp = (struct ip6_frag *)bp;
-       ip6 = (struct ip6_hdr *)bp2;
 
-       /* 'ep' points to the end of avaible data. */
-       ep = snapend;
+       dp = (const struct ip6_frag *)bp;
+       ip6 = (const struct ip6_hdr *)bp2;
 
        TCHECK(dp->ip6f_offlg);
 
        if (vflag) {
-               printf("frag (0x%08x:%d|%d)",
-                      ntohl(dp->ip6f_ident),
-                      ntohs(dp->ip6f_offlg & IP6F_OFF_MASK),
-                      sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen) -
-                              (bp - bp2) - sizeof(struct ip6_frag));
+               printf("frag (0x%08x:%d|%ld)",
+                      EXTRACT_32BITS(&dp->ip6f_ident),
+                      EXTRACT_16BITS(&dp->ip6f_offlg) & IP6F_OFF_MASK,
+                      sizeof(struct ip6_hdr) + EXTRACT_16BITS(&ip6->ip6_plen) -
+                              (long)(bp - bp2) - sizeof(struct ip6_frag));
        } else {
-               printf("frag (%d|%d)",
-                      ntohs(dp->ip6f_offlg & IP6F_OFF_MASK),
-                      sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen) -
-                              (bp - bp2) - sizeof(struct ip6_frag));
+               printf("frag (%d|%ld)",
+                      EXTRACT_16BITS(&dp->ip6f_offlg) & IP6F_OFF_MASK,
+                      sizeof(struct ip6_hdr) + EXTRACT_16BITS(&ip6->ip6_plen) -
+                              (long)(bp - bp2) - sizeof(struct ip6_frag));
        }
 
-#if 0
+#if 1
        /* it is meaningless to decode non-first fragment */
-       if (ntohs(dp->ip6f_offlg & IP6F_OFF_MASK) != 0)
-               return 65535;
+       if ((EXTRACT_16BITS(&dp->ip6f_offlg) & IP6F_OFF_MASK) != 0)
+               return -1;
        else
 #endif
        {
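Review bot: `TCHECK(dp->ip6f_offlg)` only proves that the offset/flags field lies inside the captured data, yet the `vflag` branch then reads `dp->ip6f_ident` through `EXTRACT_32BITS`. If `ip6f_ident` follows `ip6f_offlg` in `struct ip6_frag` (the layout is in ip6.h, not shown here), a capture truncated between the two fields is read past the end of the snapshot. Checking the whole header once with `TCHECK(*dp);` would cover both fields. The length argument also reads `ip6->ip6_plen` from `bp2` with no check in this function, presumably relying on the caller having validated the IPv6 header; a one-line comment stating that assumption would help. The body of frag6_print continues past the end of this hunk.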
@@ -94,7 +76,7 @@ frag6_print(register const u_char *bp, register const u_char *bp2)
        }
 trunc:
        fputs("[|frag]", stdout);
-       return 65535;
+       return -1;
 #undef TCHECK
 }
 #endif /* INET6 */
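Review bot: Switching the failure value from 65535 to -1 (here at `trunc:` and in the non-first-fragment branch of the previous hunk) changes what an unchecked caller does with it. A large positive value pushed any `cp + advance` bound comparison past the end of the buffer, whereas -1 moves the pointer one byte backwards and lets such a comparison pass. The callers are not part of this page, so confirm that each one tests the result before adding it to a packet pointer, for example `if (advance < 0) return;`. A comment above frag6_print stating that -1 means "truncated header or not the first fragment" would make the contract explicit.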