#ifndef lint
static const char rcsid[] _U_ =
- "@(#) $Header: /tcpdump/master/tcpdump/print-rsvp.c,v 1.35 2005-04-25 19:28:30 guy Exp $";
+ "@(#) $Header: /tcpdump/master/tcpdump/print-rsvp.c,v 1.37 2005-07-11 20:15:33 hannes Exp $";
#endif
#ifdef HAVE_CONFIG_H
} bw;
u_int8_t namelen;
- while(tlen>0) {
+ while(tlen>=sizeof(struct rsvp_object_header)) {
/* did we capture enough for fully decoding the object header ? */
if (!TTEST2(*tptr, sizeof(struct rsvp_object_header)))
goto trunc;
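Review bot: With the loop condition changed to `tlen>=sizeof(struct rsvp_object_header)`, any leftover bytes shorter than an object header now end the loop without output, so a message with trailing junk after its last object prints as if it were well formed. Since this output is what an analyst uses to spot malformed or crafted packets, a diagnostic after the loop would help, e.g. `if (tlen != 0) printf("%sERROR: %u trailing bytes after last object", ident, tlen);`, assuming tlen prints with %u (its declaration is outside the hunk). The loop body and its end are also outside this hunk, so the placement needs checking against the full function.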
rsvp_obj_len=EXTRACT_16BITS(rsvp_obj_header->length);
rsvp_obj_ctype=rsvp_obj_header->ctype;
- if(rsvp_obj_len % 4 || rsvp_obj_len < sizeof(struct rsvp_object_header)) {
+ if(rsvp_obj_len % 4) {
+ printf("%sERROR: object header size %u not a multiple of 4", ident, rsvp_obj_len);
+ return -1;
+ }
+ if(rsvp_obj_len < sizeof(struct rsvp_object_header)) {
printf("%sERROR: object header too short %u < %lu", ident, rsvp_obj_len,
(unsigned long)sizeof(const struct rsvp_object_header));
return -1;
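Review bot: The new message `object header size %u not a multiple of 4` prints rsvp_obj_len, which is read from the header's length field and, in the following hunk, has the header size subtracted from it to get the body length, so it is the object length rather than a header size. The same wording problem appears in `common header too large %u > %u` in the last hunk, where subtlen likewise has the common header size subtracted from it right after the check. Suggested wording: `"%sERROR: object length %u not a multiple of 4"` and `"ERROR: common header length %u > remaining %u"`. Precise diagnostics matter here because they are the only hint the reader gets about which field of a malformed packet was rejected.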
rsvp_obj_ctype,
rsvp_obj_len);
+ if(tlen < rsvp_obj_len) {
+ printf("%sERROR: object goes past end of objects TLV", ident);
+ return -1;
+ }
+
obj_tptr=tptr+sizeof(struct rsvp_object_header);
obj_tlen=rsvp_obj_len-sizeof(struct rsvp_object_header);
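Review bot: The new `tlen < rsvp_obj_len` error does not print the two lengths, unlike the header checks just above it, which makes an inconsistent object harder to diagnose from the output. Something like `printf("%sERROR: object length %u goes past end of objects TLV (%u left)", ident, rsvp_obj_len, tlen);` would match them, assuming tlen prints with %u (its declaration is outside the hunk). A short comment such as `/* the object must fit in what is left of the enclosing length */` would also record why the check sits before obj_tptr/obj_tlen are derived. This bounds the object against the declared remaining length only; whether the body is also checked against the captured length before it is read is not visible in this hunk.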
printf("%s IPv4 DestAddress: %s, Protocol ID: 0x%02x",
ident,
ipaddr_string(obj_tptr),
- *(obj_tptr+4));
+ *(obj_tptr+sizeof(struct in_addr)));
printf("%s Flags: [0x%02x], DestPort %u",
ident,
*(obj_tptr+5),
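Review bot: The offset conversion is only half applied: the Protocol ID read now uses `sizeof(struct in_addr)`, but the Flags read two lines later is still the literal `*(obj_tptr+5)`, and in the IPv6 hunk that follows the advance is still `obj_tlen-=20; obj_tptr+=20;` next to `sizeof(struct in6_addr)+2`. Either convert those too (`*(obj_tptr+sizeof(struct in_addr)+1)`, and 20 as `sizeof(struct in6_addr)+4`) or keep literals throughout, so a reader does not have to verify by hand that the mixed forms agree. These are wire-format offsets, so a comment stating that the code relies on the host's `struct in_addr` and `struct in6_addr` being exactly 4 and 16 bytes would also be worth adding. The printf call and the enclosing case continue outside the hunk.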
printf("%s IPv6 DestAddress: %s, Protocol ID: 0x%02x",
ident,
ip6addr_string(obj_tptr),
- *(obj_tptr+16));
+ *(obj_tptr+sizeof(struct in6_addr)));
printf("%s Flags: [0x%02x], DestPort %u",
ident,
- *(obj_tptr+17),
- EXTRACT_16BITS(obj_tptr+18));
+ *(obj_tptr+sizeof(struct in6_addr)+1),
+ EXTRACT_16BITS(obj_tptr+sizeof(struct in6_addr)+2));
obj_tlen-=20;
obj_tptr+=20;
break;
case RSVP_OBJ_CONFIRM:
switch(rsvp_obj_ctype) {
case RSVP_CTYPE_IPV4:
- if (obj_tlen < 4)
+ if (obj_tlen < sizeof(struct in_addr))
return -1;
printf("%s IPv4 Receiver Address: %s",
ident,
ipaddr_string(obj_tptr));
- obj_tlen-=4;
- obj_tptr+=4;
+ obj_tlen-=sizeof(struct in_addr);
+ obj_tptr+=sizeof(struct in_addr);
break;
#ifdef INET6
case RSVP_CTYPE_IPV6:
- if (obj_tlen < 16)
+ if (obj_tlen < sizeof(struct in6_addr))
return -1;
printf("%s IPv6 Receiver Address: %s",
ident,
ip6addr_string(obj_tptr));
- obj_tlen-=16;
- obj_tptr+=16;
+ obj_tlen-=sizeof(struct in6_addr);
+ obj_tptr+=sizeof(struct in6_addr);
break;
#endif
default:
case RSVP_OBJ_NOTIFY_REQ:
switch(rsvp_obj_ctype) {
case RSVP_CTYPE_IPV4:
- if (obj_tlen < 4)
+ if (obj_tlen < sizeof(struct in_addr))
return -1;
printf("%s IPv4 Notify Node Address: %s",
ident,
ipaddr_string(obj_tptr));
- obj_tlen-=4;
- obj_tptr+=4;
+ obj_tlen-=sizeof(struct in_addr);
+ obj_tptr+=sizeof(struct in_addr);
break;
#ifdef INET6
case RSVP_CTYPE_IPV6:
- if (obj_tlen < 16)
+ if (obj_tlen < sizeof(struct in6_addr))
return-1;
printf("%s IPv6 Notify Node Address: %s",
ident,
ip6addr_string(obj_tptr));
- obj_tlen-=16;
- obj_tptr+=16;
+ obj_tlen-=sizeof(struct in6_addr);
+ obj_tptr+=sizeof(struct in6_addr);
break;
#endif
default:
*(obj_tptr+1));
if (obj_tlen < *(obj_tptr+1))
return-1;
+ if (*(obj_tptr+1) < 2)
+ return -1;
print_unknown_data(obj_tptr+2,"\n\t\t",*(obj_tptr+1)-2);
obj_tlen-=*(obj_tptr+1);
obj_tptr+=*(obj_tptr+1);
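Review bot: The added `*(obj_tptr+1) < 2` guard has no comment and returns silently, while the other new checks in this commit print an ERROR. The reason is worth stating, e.g. `/* length byte apparently counts the 2 bytes in front of the data */`: a value below 2 would make the `*(obj_tptr+1)-2` passed to print_unknown_data negative, and a value of 0 would leave obj_tptr and obj_tlen unchanged by the two updates that follow. The length byte is also re-read on nearly every line here; reading it once into a local (`u_int sub_len = *(obj_tptr+1);`) would make the two bounds checks easier to follow. The enclosing loop starts and ends outside the hunk.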
return;
}
+ if (tlen < subtlen) {
+ printf("ERROR: common header too large %u > %u", subtlen,
+ tlen);
+ return;
+ }
+
subtptr+=sizeof(const struct rsvp_common_header);
subtlen-=sizeof(const struct rsvp_common_header);