CVE-2016-7931/Add bounds and length checks.
[tcpdump] / print-telnet.c
index 2e32fce8af89e7320a96770b986dbeeec8200b99..a66403468be78646498ca38e4099111cb500e046 100644 (file)
@@ -57,6 +57,8 @@
 
 #include "netdissect.h"
 
+static const char tstr[] = " [|telnet]";
+
 #define TELCMDS
 #define TELOPTS
 
@@ -435,6 +437,7 @@ telnet_parse(netdissect_options *ndo, const u_char *sp, u_int length, int print)
                /* IAC SB .... IAC SE */
                p = sp;
                while (length > (u_int)(p + 1 - sp)) {
+                       ND_TCHECK2(*p, 2);
                        if (p[0] == IAC && p[1] == SE)
                                break;
                        p++;
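Review bot: The added `ND_TCHECK2(*p, 2)` has no comment saying why it is needed next to the loop condition, and the two look redundant at a glance. The `while` bound compares against `length`, which is supplied by the caller and appears to be the on-wire length, whereas the macro checks against the bytes actually captured, so on a short capture `p[1]` could be unreadable even though the loop condition holds. I would add `/* length may exceed the captured bytes; both p[0] and p[1] must be present */` above the check so nobody later removes one of the two as a duplicate. The loop and the rest of telnet_parse continue outside this hunk.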
@@ -495,7 +498,7 @@ done:
        return sp - osp;
 
 trunc:
-       ND_PRINT((ndo, "[|telnet]"));
+       ND_PRINT((ndo, "%s", tstr));
 pktend:
        return -1;
 #undef FETCH
@@ -510,6 +513,7 @@ telnet_print(netdissect_options *ndo, const u_char *sp, u_int length)
 
        osp = sp;
 
+       ND_TCHECK(*sp);
        while (length > 0 && *sp == IAC) {
                /*
                 * Parse the Telnet command without printing it,
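Review bot: `ND_TCHECK(*sp)` runs before `length > 0` is tested, so an empty Telnet payload is reported as truncated even though no byte was going to be read. The same ordering occurs in the next hunk, where the check after `length -= l;` fires when the last command ends exactly at the end of the captured data. This produces a false ` [|telnet]` marker rather than an over-read, but it makes complete packets look cut off to whoever reads the output. Guarding both checks, e.g. `if (length > 0) { ND_TCHECK(*sp); }`, keeps the bounds check and evaluates it only when `*sp` is about to be dereferenced. The body of telnet_print starts before and continues past this hunk.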
@@ -538,6 +542,7 @@ telnet_print(netdissect_options *ndo, const u_char *sp, u_int length)
 
                sp += l;
                length -= l;
+               ND_TCHECK(*sp);
        }
        if (!first) {
                if (ndo->ndo_Xflag && 2 < ndo->ndo_vflag)
@@ -545,4 +550,7 @@ telnet_print(netdissect_options *ndo, const u_char *sp, u_int length)
                else
                        ND_PRINT((ndo, "]"));
        }
+       return;
+trunc:
+       ND_PRINT((ndo, "%s", tstr));
 }
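Review bot: The new `trunc:` label sits after the `if (!first)` block, so a truncation detected after at least one command has been printed skips the closing `]` (or the hex-mode branch) and leaves the output group open. If the opening bracket is printed earlier in the loop, which is outside this hunk, the result is an unbalanced line that is awkward for scripts that post-process the output. Consider printing the marker and then running the existing close-out, or state the intent with a comment such as `/* truncated: the telnet group is left unclosed on purpose */` above the label.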