X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/1ed63b5d0630a4b5b4a8d31174d9f3e95a970913..a8c33a5850cd9d2f39e56c06b645c283225d78c4:/print-fr.c
diff --git a/print-fr.c b/print-fr.c
index 22561a23..59d39417 100644
--- a/print-fr.c
+++ b/print-fr.c
@@ -458,7 +458,13 @@ mfr_print(netdissect_options *ndo,
 */
 ndo->ndo_protocol = "mfr";
- ND_TCHECK_4(p); /* minimum frame header length */
+
+ if (length < 4) { /* minimum frame header length */
+ ND_PRINT("[length %u < 4]", length);
+ nd_print_invalid(ndo);
+ return length;
+ }
+ ND_TCHECK_4(p);
 if ((GET_U_1(p) & MFR_BEC_MASK) == MFR_CTRL_FRAME && GET_U_1(p + 1) == 0) {
 ND_PRINT("FRF.16 Control, Flags [%s], %s, length %u",
@@ -495,6 +501,12 @@ mfr_print(netdissect_options *ndo,
 switch (ie_type) {
 case MFR_CTRL_IE_MAGIC_NUM:
+ /* FRF.16.1 Section 3.4.3 Magic Number Information Element */
+ if (ie_len != 4) {
+ ND_PRINT("[IE data length %d != 4]", ie_len);
+ nd_print_invalid(ndo);
+ break;
+ }
 ND_PRINT("0x%08x", GET_BE_U_4(tptr));
 break;
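Review bot: The added `length < 4` test and the `ND_TCHECK_4(p)` kept directly below it look redundant on a first read, and nothing on these lines says why both are needed. Going by tcpdump's usual conventions, `length` is the frame length reported for the packet, while `ND_TCHECK_4` confirms that four bytes were actually captured at `p`. On that reading the first check reports a malformed frame and the second a truncated capture. A comment above the second check would record that, for example `/* length is the on-wire size; still confirm the 4 header bytes were captured */`. The early `return length;` presumably tells the caller the whole frame was consumed, but mfr_print's other return paths are outside the hunk, so confirm it matches them.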
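Review bot: The `ie_len != 4` guard covers only the `MFR_CTRL_IE_MAGIC_NUM` case, and the rest of the switch lies outside this hunk, so it is not visible whether other IE types that decode fixed-width fields are checked the same way. Without such a guard, a fixed-width read like `GET_BE_U_4(tptr)` decodes bytes beyond the IE's declared data length, so a malformed frame yields misleading output even when those bytes are inside the captured buffer. The added comment cites the spec section but not that reason; it could read `/* FRF.16.1 Section 3.4.3: Magic Number is exactly 4 octets; reject other lengths so the read below stays inside this IE */`. The `break` leaves only the switch, so whatever follows it in the enclosing loop (not shown here) still runs with the rejected `ie_len`, which is worth confirming is intended.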