X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/49b23c5a9b0198bb382dcf43c458d46fcf2fa809..6c8ef0eb86a39c277d1a43802dd8ea01b51cfb2a:/print-hncp.c?ds=sidebyside

diff --git a/print-hncp.c b/print-hncp.c
index 87ee8bbb..c20d1e1a 100644
--- a/print-hncp.c
+++ b/print-hncp.c
@@ -68,8 +68,8 @@ hncp_print(netdissect_options *ndo,
 #define HNCP_EXTERNAL_CONNECTION   33
 #define HNCP_DELEGATED_PREFIX      34
 #define HNCP_PREFIX_POLICY         43
-#define HNCP_DHCPV4_DATA           37
-#define HNCP_DHCPV6_DATA           38
+#define HNCP_DHCPV4_DATA           37 /* This is correct, see RFC 7788 Errata ID 5113. */
+#define HNCP_DHCPV6_DATA           38 /* idem */
 #define HNCP_ASSIGNED_PREFIX       35
 #define HNCP_NODE_ADDRESS          36
 #define HNCP_DNS_DELEGATED_ZONE    39
@@ -158,10 +158,10 @@ is_ipv4_mapped_address(const u_char *addr)
 static const char *
 format_nid(const u_char *data)
 {
-    static char buf[4][11+5];
+    static char buf[4][sizeof("01:01:01:01")];
     static int i = 0;
     i = (i + 1) % 4;
-    snprintf(buf[i], 16, "%02x:%02x:%02x:%02x",
+    snprintf(buf[i], sizeof(buf[i]), "%02x:%02x:%02x:%02x",
              data[0], data[1], data[2], data[3]);
     return buf[i];
 }
@@ -169,10 +169,10 @@ format_nid(const u_char *data)
 static const char *
 format_256(const u_char *data)
 {
-    static char buf[4][64+5];
+    static char buf[4][sizeof("0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")];
     static int i = 0;
     i = (i + 1) % 4;
-    snprintf(buf[i], 28, "%016" PRIx64 "%016" PRIx64 "%016" PRIx64 "%016" PRIx64,
+    snprintf(buf[i], sizeof(buf[i]), "%016" PRIx64 "%016" PRIx64 "%016" PRIx64 "%016" PRIx64,
          EXTRACT_64BITS(data),
          EXTRACT_64BITS(data + 8),
          EXTRACT_64BITS(data + 16),
@@ -229,6 +229,8 @@ print_prefix(netdissect_options *ndo, const u_char *prefix, u_int max_length)
         plenbytes += 1 + IPV4_MAPPED_HEADING_LEN;
     } else {
         plenbytes = decode_prefix6(ndo, prefix, max_length, buf, sizeof(buf));
+        if (plenbytes < 0)
+            return plenbytes;
     }
 
     ND_PRINT((ndo, "%s", buf));
@@ -270,6 +272,8 @@ dhcpv4_print(netdissect_options *ndo,
 
     i = 0;
     while (i < length) {
+        if (i + 2 > length)
+            return -1;
         tlv = cp + i;
         type = (uint8_t)tlv[0];
         optlen = (uint8_t)tlv[1];
@@ -281,6 +285,8 @@ dhcpv4_print(netdissect_options *ndo,
 
         ND_PRINT((ndo, "%s", tok2str(dh4opt_str, "Unknown", type)));
         ND_PRINT((ndo," (%u)", optlen + 2 ));
+        if (i + 2 + optlen > length)
+            return -1;
 
         switch (type) {
         case DH4OPT_DNS_SERVERS:
@@ -318,6 +324,8 @@ dhcpv6_print(netdissect_options *ndo,
 
     i = 0;
     while (i < length) {
+        if (i + 4 > length)
+            return -1;
         tlv = cp + i;
         type = EXTRACT_16BITS(tlv);
         optlen = EXTRACT_16BITS(tlv + 2);
@@ -329,6 +337,8 @@ dhcpv6_print(netdissect_options *ndo,
 
         ND_PRINT((ndo, "%s", tok2str(dh6opt_str, "Unknown", type)));
         ND_PRINT((ndo," (%u)", optlen + 4 ));
+        if (i + 4 + optlen > length)
+            return -1;
 
         switch (type) {
             case DH6OPT_DNS_SERVERS: