X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/11d3a01319e295dcabfb2647302d278938449226..6c8ef0eb86a39c277d1a43802dd8ea01b51cfb2a:/print-802_11.c
diff --git a/print-802_11.c b/print-802_11.c
index 7721524b..50a3e9f5 100644
--- a/print-802_11.c
+++ b/print-802_11.c
@@ -1039,10 +1039,6 @@ parse_elements(netdissect_options *ndo,
 if (ssid.length != 0) {
 if (ssid.length > sizeof(ssid.ssid) - 1)
 return 0;
- if (!ND_TTEST2(*(p + offset), ssid.length))
- return 0;
- if (length < ssid.length)
- return 0;
 memcpy(&ssid.ssid, p + offset, ssid.length);
 offset += ssid.length;
 length -= ssid.length;
@@ -1068,10 +1064,6 @@ parse_elements(netdissect_options *ndo,
 if (challenge.length > sizeof(challenge.text) - 1)
 return 0;
- if (!ND_TTEST2(*(p + offset), challenge.length))
- return 0;
- if (length < challenge.length)
- return 0;
 memcpy(&challenge.text, p + offset, challenge.length);
 offset += challenge.length;
@@ -1097,10 +1089,6 @@ parse_elements(netdissect_options *ndo,
 if (rates.length != 0) {
 if (rates.length > sizeof rates.rate)
 return 0;
- if (!ND_TTEST2(*(p + offset), rates.length))
- return 0;
- if (length < rates.length)
- return 0;
 memcpy(&rates.rate, p + offset, rates.length);
 offset += rates.length;
 length -= rates.length;
@@ -1189,8 +1177,7 @@ parse_elements(netdissect_options *ndo,
 offset += 3;
 length -= 3;
- memcpy(tim.bitmap, p + (tim.length - 3),
- (tim.length - 3));
+ memcpy(tim.bitmap, p + offset, tim.length - 3);
 offset += tim.length - 3;
 length -= tim.length - 3;
 /*
@@ -2039,7 +2026,7 @@ ieee802_11_print(netdissect_options *ndo,
 {
 uint16_t fc;
 u_int caplen, hdrlen, meshdrlen;
- const uint8_t *src, *dst;
+ struct lladdr_info src, dst;
 int llc_hdrlen;
 caplen = orig_caplen;
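Review bot: After this removal the `memcpy(&ssid.ssid, p + offset, ssid.length)` has no bounds check visible in the hunk: neither that `ssid.length` bytes are actually captured (the dropped `ND_TTEST2`) nor that they fit in the remaining `length`. Presumably the commit moves these checks to a single per-element check near the top of the element loop in parse_elements, which lies outside this hunk; if that check covers the whole element (ID byte, length byte and body) before the switch, the removals are sound, otherwise this is an over-read. The same applies to the challenge hunk at -1068 and the rates hunk at -1097. A one-line comment at each memcpy, `/* element body already bounds-checked against caplen and length at the top of the loop */`, would make the dependency explicit.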
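Review bot: The new `memcpy(tim.bitmap, p + offset, tim.length - 3)` still relies on `tim.length` being greater than 3 and on `tim.length - 3` fitting in `tim.bitmap`; neither guard is visible in this hunk, and if `tim.length` is an unsigned 8-bit field a value below 3 would turn the size argument into a huge value after promotion. The enclosing case starts above the hunk, so those checks are presumably there — worth confirming, and a comment such as `/* tim.length > 3 and tim.length - 3 <= sizeof tim.bitmap checked above */` would document it at the copy.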
@@ -2071,6 +2058,10 @@ ieee802_11_print(netdissect_options *ndo,
 hdrlen = roundup2(hdrlen, 4);
 if (ndo->ndo_Hflag && FC_TYPE(fc) == T_DATA && DATA_FRAME_IS_QOS(FC_SUBTYPE(fc))) {
+ if (caplen < hdrlen + 1) {
+ ND_PRINT((ndo, "%s", tstr));
+ return hdrlen;
+ }
 meshdrlen = extract_mesh_header_length(p+hdrlen);
 hdrlen += meshdrlen;
 } else
@@ -2091,10 +2082,12 @@ ieee802_11_print(netdissect_options *ndo,
 caplen -= hdrlen;
 p += hdrlen;
+ src.addr_string = etheraddr_string;
+ dst.addr_string = etheraddr_string;
 switch (FC_TYPE(fc)) {
 case T_MGMT:
- get_mgmt_src_dst_mac(p - hdrlen, &src, &dst);
- if (!mgmt_body_print(ndo, fc, src, p, length)) {
+ get_mgmt_src_dst_mac(p - hdrlen, &src.addr, &dst.addr);
+ if (!mgmt_body_print(ndo, fc, src.addr, p, length)) {
 ND_PRINT((ndo, "%s", tstr));
 return hdrlen;
 }
@@ -2116,8 +2109,8 @@ ieee802_11_print(netdissect_options *ndo,
 return hdrlen;
 }
 } else {
- get_data_src_dst_mac(fc, p - hdrlen, &src, &dst);
- llc_hdrlen = llc_print(ndo, p, length, caplen, src, dst);
+ get_data_src_dst_mac(fc, p - hdrlen, &src.addr, &dst.addr);
+ llc_hdrlen = llc_print(ndo, p, length, caplen, &src, &dst);
 if (llc_hdrlen < 0) {
 /*
 * Some kinds of LLC packet we cannot
@@ -3082,7 +3075,7 @@ print_in_radiotap_namespace(netdissect_options *ndo,
 return 0;
 }
-static u_int
+u_int
 ieee802_11_radio_print(netdissect_options *ndo,
 const u_char *p, u_int length, u_int caplen)
 {
@@ -3112,7 +3105,19 @@ ieee802_11_radio_print(netdissect_options *ndo,
 hdr = (const struct ieee80211_radiotap_header *)p;
 len = EXTRACT_LE_16BITS(&hdr->it_len);
+ if (len < sizeof(*hdr)) {
+ /*
+ * The length is the length of the entire header, so
+ * it must be as large as the fixed-length part of
+ * the header.
+ */
+ ND_PRINT((ndo, "%s", tstr));
+ return caplen;
+ }
+ /*
+ * If we don't have the entire radiotap header, just give up.
+ */
 if (caplen < len) {
 ND_PRINT((ndo, "%s", tstr));
 return caplen;
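Review bot: The new `caplen < hdrlen + 1` guard covers only the single flags byte that `extract_mesh_header_length(p+hdrlen)` reads; after `hdrlen += meshdrlen` the rest of the mesh header is still unchecked in this hunk, so the later `caplen < hdrlen` check (outside the hunk, before `caplen -= hdrlen`) must remain in place. Since the `1` is a magic number, a comment stating why one byte suffices would help: `/* need the mesh flags byte to know the mesh header length */`.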
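Review bot: `src.addr` and `dst.addr` are assigned only inside the T_MGMT branch and the data branch (the -2116 hunk), while `addr_string` is set unconditionally before the switch; any other path that later reads `src`/`dst` (the control-frame case is outside this hunk) would see indeterminate `addr` pointers. Setting `src.addr = dst.addr = NULL;` next to the `addr_string` assignments, or initialising both structs at their declaration in the -2039 hunk, would make such a path fail deterministically instead of dereferencing stack garbage.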
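Review bot: Dropping `static` makes `ieee802_11_radio_print` part of the file's external interface, so a matching prototype is needed in a shared header (presumably netdissect.h, not in this diff), otherwise `-Wmissing-prototypes` builds will warn and out-of-file callers would depend on an implicit declaration. If the export is for another printer to call, a `/** ... */` comment on that declaration documenting the return value (bytes consumed, or `caplen` when the header is truncated or malformed, as the -3112 hunk shows) would help callers use it correctly.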
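Review bot: The new `len < sizeof(*hdr)` check reads `hdr->it_len` before it runs, so it depends on an earlier `caplen < sizeof(*hdr)` check that is outside this hunk — worth confirming that check precedes the cast of `p` to `hdr`. Both rejection paths print `tstr` and return `caplen`; a too-small `it_len` is a malformed header rather than a truncated capture, so the added comment could say so explicitly, e.g. `/* Malformed, not truncated: it_len cannot be smaller than the fixed header. */`, even if the printed marker stays the same for consistency with the existing `caplen < len` branch.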
@@ -3120,13 +3125,13 @@ ieee802_11_radio_print(netdissect_options *ndo,
 cpack_init(&cpacker, (const uint8_t *)hdr, len); /* align against header start */
 cpack_advance(&cpacker, sizeof(*hdr)); /* includes the 1st bitmap */
 for (last_presentp = &hdr->it_present;
- IS_EXTENDED(last_presentp) &&
- (const u_char*)(last_presentp + 1) <= p + len;
+ (const u_char*)(last_presentp + 1) <= p + len &&
+ IS_EXTENDED(last_presentp);
 last_presentp++)
 cpack_advance(&cpacker, sizeof(hdr->it_present)); /* more bitmaps */
 /* are there more bitmap extensions than bytes in header? */
- if (IS_EXTENDED(last_presentp)) {
+ if ((const u_char*)(last_presentp + 1) > p + len) {
 ND_PRINT((ndo, "%s", tstr));
 return caplen;
 }
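Review bot: The bound `(const u_char*)(last_presentp + 1) <= p + len` is now written twice, in the loop condition and negated in the post-loop check, and the reason for swapping the operands — `IS_EXTENDED(last_presentp)` dereferences the pointer, so the bound must be tested first — is not stated anywhere. A comment on the for loop, `/* test the bound before IS_EXTENDED(): the macro dereferences last_presentp */`, plus a single `const u_char *end = p + len;` used in both places would keep the two checks from drifting apart. The return value of `cpack_advance` in the loop body is still ignored (pre-existing); if it can fail, the later extraction code presumably checks the cpacker state.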