]> The Tcpdump Group git mirrors - tcpdump/blobdiff - print-fr.c
projects / tcpdump / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
The third argument to linkaddr_string is one of the LINKADDR_ enums.
[tcpdump] / print-fr.c
diff --git a/print-fr.c b/print-fr.c
index 5a7365477e569d2779aa09f8b0c9be9d9c7a237c..59d394171c6276b34279ca860f4d9f3305921feb 100644 (file)
--- a/print-fr.c
+++ b/print-fr.c
@@ -152,7 +152,7 @@ q922_string(netdissect_options *ndo, const u_char *p, u_int length)
     memset(buffer, 0, sizeof(buffer));
 
     if (parse_q922_header(ndo, p, &dlci, &addr_len, &flags, length) == 1){
-        nd_snprintf(buffer, sizeof(buffer), "DLCI %u", dlci);
+        snprintf(buffer, sizeof(buffer), "DLCI %u", dlci);
     }
 
     return buffer;
@@ -276,7 +276,7 @@ fr_print(netdissect_options *ndo,
                         if (ethertype_print(ndo, extracted_ethertype,
                                             p+addr_len+ETHERTYPE_LEN,
                                             length-addr_len-ETHERTYPE_LEN,
-                                            ndo->ndo_snapend-p-addr_len-ETHERTYPE_LEN,
+                                            ND_BYTES_AVAILABLE_AFTER(p)-addr_len-ETHERTYPE_LEN,
                                             NULL, NULL) == 0)
                                 /* ether_type not known, probably it wasn't one */
                                 ND_PRINT("UI %02x! ", GET_U_1(p + addr_len));
@@ -333,7 +333,7 @@ fr_print(netdissect_options *ndo,
                break;
 
        case NLPID_SNAP:
-               if (snap_print(ndo, p, length, ndo->ndo_snapend - p, NULL, NULL, 0) == 0) {
+               if (snap_print(ndo, p, length, ND_BYTES_AVAILABLE_AFTER(p), NULL, NULL, 0) == 0) {
                        /* ether_type not known, print raw packet */
                         if (!ndo->ndo_eflag)
                             fr_hdr_print(ndo, length + hdr_len, hdr_len,
@@ -458,7 +458,13 @@ mfr_print(netdissect_options *ndo,
  */
 
     ndo->ndo_protocol = "mfr";
-    ND_TCHECK_4(p); /* minimum frame header length */
+
+    if (length < 4) {  /* minimum frame header length */
+        ND_PRINT("[length %u < 4]", length);
+        nd_print_invalid(ndo);
+        return length;
+    }
+    ND_TCHECK_4(p);
 
     if ((GET_U_1(p) & MFR_BEC_MASK) == MFR_CTRL_FRAME && GET_U_1(p + 1) == 0) {
         ND_PRINT("FRF.16 Control, Flags [%s], %s, length %u",
@@ -495,6 +501,12 @@ mfr_print(netdissect_options *ndo,
             switch (ie_type) {
 
             case MFR_CTRL_IE_MAGIC_NUM:
+                /* FRF.16.1 Section 3.4.3 Magic Number Information Element */
+                if (ie_len != 4) {
+                    ND_PRINT("[IE data length %d != 4]", ie_len);
+                    nd_print_invalid(ndo);
+                    break;
+                }
                 ND_PRINT("0x%08x", GET_BE_U_4(tptr));
                 break;
 
[mirror] the TCPdump network dissector