}
/* in OSPF everything has to be 32-bit aligned, including TLVs */
- if (tlv_length%4 != 0)
+ if (tlv_length%4 != 0) {
tlv_length+=4-(tlv_length%4);
+ if (tlv_length > ls_length) {
+ ND_PRINT("\n\t Bogus padded length %u > %u", tlv_length,
+ ls_length);
+ return -1;
+ }
+ }
ls_length-=tlv_length;
tptr+=tlv_length;
}
if (tlv_length < subtlv_length) {
ND_PRINT("\n\t Remaining TLV length %u < %u",
- tlv_length + 4, subtlv_length + 4);
+ tlv_length, subtlv_length);
return -1;
}
ND_TCHECK_LEN(tptr, subtlv_length);
break;
}
/* in OSPF everything has to be 32-bit aligned, including subTLVs */
- if (subtlv_length%4 != 0)
+ if (subtlv_length%4 != 0) {
subtlv_length+=4-(subtlv_length%4);
- if (tlv_length < subtlv_length) {
- ND_PRINT("\n\t Remaining TLV length %u < %u",
- tlv_length + 4, subtlv_length + 4);
- return -1;
+ if (tlv_length < subtlv_length) {
+ ND_PRINT("\n\t Remaining TLV length %u < %u",
+ tlv_length, subtlv_length);
+ return -1;
+ }
}
tlv_length-=subtlv_length;
tptr+=subtlv_length;
break;
}
/* in OSPF everything has to be 32-bit aligned, including TLVs */
- if (tlv_length%4 != 0)
+ if (tlv_length%4 != 0) {
tlv_length+=4-(tlv_length%4);
- if (tlv_length > ls_length) {
- ND_PRINT("\n\t Bogus padded length %u > %u", tlv_length,
- ls_length);
- return -1;
+ if (tlv_length > ls_length) {
+ ND_PRINT("\n\t Bogus padded length %u > %u", tlv_length,
+ ls_length);
+ return -1;
+ }
}
ls_length-=tlv_length;
tptr+=tlv_length;
subtlv_type,
subtlv_length);
+ if (tlv_length < subtlv_length) {
+ ND_PRINT("\n\t Remaining TLV length %u < %u",
+ tlv_length, subtlv_length);
+ return -1;
+ }
+
switch (subtlv_type) {
case LS_OPAQUE_RI_SUBTLV_SID_LABEL:
if (subtlv_length == 3) {
/* in OSPF everything has to be 32-bit aligned, including subTLVs */
if (subtlv_length % 4) {
subtlv_length += (4 - (subtlv_length % 4));
+ if (tlv_length < subtlv_length) {
+ ND_PRINT("\n\t Remaining TLV length %u < %u",
+ tlv_length, subtlv_length);
+ return -1;
+ }
}
tptr+=subtlv_length;
tlv_length-=subtlv_length;
subtlv_type,
subtlv_length);
+ if (tlv_length < subtlv_length) {
+ ND_PRINT("\n\t Remaining TLV length %u < %u",
+ tlv_length, subtlv_length);
+ return -1;
+ }
+
switch (subtlv_type) {
case LS_OPAQUE_EP_SUBTLV_PREFIX_SID:
flags = GET_U_1(tptr);
/* in OSPF everything has to be 32-bit aligned, including subTLVs */
if (subtlv_length % 4) {
subtlv_length += (4 - (subtlv_length % 4));
+ if (tlv_length < subtlv_length) {
+ ND_PRINT("\n\t Remaining TLV length %u < %u",
+ tlv_length, subtlv_length);
+ return -1;
+ }
}
tptr+=subtlv_length;
tlv_length-=subtlv_length;
tlv_type,
tlv_length);
+ if (tlv_length > lsa_length) {
+ ND_PRINT("\n\t Bogus length %u > %u",
+ tlv_length, lsa_length);
+ return -1;
+ }
+
switch (tlv_type) {
case LS_OPAQUE_EP_EXTD_PREFIX_TLV:
prefix_length = GET_U_1(tptr+1);
/* in OSPF everything has to be 32-bit aligned, including TLVs */
if (tlv_length % 4) {
tlv_length += (4 - (tlv_length % 4));
+ if (tlv_length > lsa_length) {
+ ND_PRINT("\n\t Bogus padded length %u > %u", tlv_length,
+ lsa_length);
+ return -1;
+ }
}
tptr+=tlv_length;
lsa_length-=tlv_length;
/* in OSPF everything has to be 32-bit aligned, including TLVs */
if (tlv_length % 4) {
tlv_length += (4 - (tlv_length % 4));
+ if (tlv_length > ls_length_remaining) {
+ ND_PRINT("\n\t Bogus padded length %u > %u", tlv_length,
+ ls_length_remaining);
+ return(NULL);
+ }
}
tptr+=tlv_length;
ls_length_remaining-=tlv_length;
projects / tcpdump / blobdiff