macsec: further cleanups.
[tcpdump] / print-macsec.c
index e5030588587d784def81b73bb4b727686eb80482..a7bde0b959f2a7129c6c523fef554cebd4039636 100644 (file)
@@ -110,6 +110,11 @@ int macsec_print(netdissect_options *ndo, const u_char **bp,
                ndo->ndo_protocol = save_protocol;
                return hdrlen + caplen;
        }
+       if (length < MACSEC_SECTAG_LEN_NOSCI) {
+               nd_print_trunc(ndo);
+               ndo->ndo_protocol = save_protocol;
+               return hdrlen + caplen;
+       }
 
        if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC) {
                sectag_len = MACSEC_SECTAG_LEN_SCI;
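Review bot: The two new `length` checks (here against `MACSEC_SECTAG_LEN_NOSCI`, and against `MACSEC_SECTAG_LEN_SCI` in the next hunk) report the frame as truncated, but a `length` shorter than the SecTag means the frame is too short on the wire, not that the capture was cut. That distinction matters when triaging malformed frames, so the on-wire case is better reported as invalid, e.g. `nd_print_invalid(ndo);` in place of `nd_print_trunc(ndo);`, assuming that helper is available at this revision. A short comment such as `/* the on-wire frame must also hold the full SecTag */` above each check would make the caplen/length pair easier to read. The body of macsec_print starts and ends outside these hunks.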
@@ -118,6 +123,11 @@ int macsec_print(netdissect_options *ndo, const u_char **bp,
                        ndo->ndo_protocol = save_protocol;
                        return hdrlen + caplen;
                }
+               if (length < MACSEC_SECTAG_LEN_SCI) {
+                       nd_print_trunc(ndo);
+                       ndo->ndo_protocol = save_protocol;
+                       return hdrlen + caplen;
+               }
        } else
                sectag_len = MACSEC_SECTAG_LEN_NOSCI;
 
@@ -165,8 +175,10 @@ int macsec_print(netdissect_options *ndo, const u_char **bp,
                 * ICV length from the lengths, so our caller
                 * doesn't treat it as payload.
                 */
-               *lengthp -= MACSEC_DEFAULT_ICV_LEN;
-               *caplenp -= MACSEC_DEFAULT_ICV_LEN;
+               if (*lengthp >= MACSEC_DEFAULT_ICV_LEN)
+                       *lengthp -= MACSEC_DEFAULT_ICV_LEN;
+               if (*caplenp >= MACSEC_DEFAULT_ICV_LEN)
+                       *caplenp -= MACSEC_DEFAULT_ICV_LEN;
                ndo->ndo_protocol = save_protocol;
                return -1;
        }
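Review bot: When `*lengthp` or `*caplenp` is smaller than `MACSEC_DEFAULT_ICV_LEN`, the new guards avoid the unsigned wrap-around but then do nothing. The function still returns -1 with lengths that count the partial ICV bytes as payload, and nothing is printed to say the frame was too short for an ICV. Handling that case explicitly (report it, or set the remaining length to 0) would keep the caller from dissecting ICV bytes as payload. Separately, subtracting the ICV from `*caplenp` on its own assumes the ICV was captured; on a snaplen-truncated capture it appears to drop real payload bytes, so clamping after the length adjustment, `if (*caplenp > *lengthp) *caplenp = *lengthp;`, looks more accurate. The enclosing block starts above the hunk.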