X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/4d55e684438d8b443879c4bca1324bbbf18a114f..9f957a5883cb4c5c99cefa71b42fc9d2d27d73e1:/print-bgp.c

diff --git a/print-bgp.c b/print-bgp.c
index c551e381..c401d004 100644
--- a/print-bgp.c
+++ b/print-bgp.c
@@ -1396,7 +1396,8 @@ trunc:
  * and if so it checks that standard BGP doesn't make sense.
  */
 static int
-check_add_path(const u_char *pptr, u_int length, u_int max_prefix_length)
+check_add_path(netdissect_options *ndo, const u_char *pptr, u_int length,
+               u_int max_prefix_length)
 {
     u_int offset, prefix_length;
 
@@ -1407,6 +1408,7 @@ check_add_path(const u_char *pptr, u_int length, u_int max_prefix_length)
     /* check if it could be add path */
     for (offset = 0; offset < length;) {
         offset += 4;
+        ND_TCHECK_1(pptr + offset);
         prefix_length = EXTRACT_U_1(pptr + offset);
         /*
          * Add 4 to cover the path id
@@ -1425,6 +1427,7 @@ check_add_path(const u_char *pptr, u_int length, u_int max_prefix_length)
 
     /* check it's not standard BGP */
     for (offset = 0; offset < length; ) {
+        ND_TCHECK_1(pptr + offset);
         prefix_length = EXTRACT_U_1(pptr + offset);
         /*
          * If the prefix_length is zero (0.0.0.0/0)
@@ -1442,6 +1445,8 @@ check_add_path(const u_char *pptr, u_int length, u_int max_prefix_length)
 
     /* assume not add-path by default */
     return 0;
+trunc:
+    return -1;
 }
 
 static int
@@ -1832,8 +1837,12 @@ bgp_attr_print(netdissect_options *ndo,
             ND_PRINT((ndo, ", no SNPA"));
         }
 
-        add_path4 = check_add_path(tptr, (len-(tptr - pptr)), 32);
-        add_path6 = check_add_path(tptr, (len-(tptr - pptr)), 128);
+        add_path4 = check_add_path(ndo, tptr, (len-(tptr - pptr)), 32);
+        if (add_path4 == -1)
+            goto trunc;
+        add_path6 = check_add_path(ndo, tptr, (len-(tptr - pptr)), 128);
+        if (add_path6 == -1)
+            goto trunc;
 
         while (tptr < pptr + len) {
             switch (af<<8 | safi) {
@@ -2017,8 +2026,12 @@ bgp_attr_print(netdissect_options *ndo,
 
         tptr += 3;
 
-        add_path4 = check_add_path(tptr, (len-(tptr - pptr)), 32);
-        add_path6 = check_add_path(tptr, (len-(tptr - pptr)), 128);
+        add_path4 = check_add_path(ndo, tptr, (len-(tptr - pptr)), 32);
+        if (add_path4 == -1)
+            goto trunc;
+        add_path6 = check_add_path(ndo, tptr, (len-(tptr - pptr)), 128);
+        if (add_path6 == -1)
+            goto trunc;
 
         while (tptr < pptr + len) {
             switch (af<<8 | safi) {
@@ -2665,7 +2678,9 @@ bgp_update_print(netdissect_options *ndo,
         if (length < withdrawn_routes_len)
             goto trunc;
         ND_PRINT((ndo, "\n\t  Withdrawn routes:"));
-        add_path = check_add_path(p, withdrawn_routes_len, 32);
+        add_path = check_add_path(ndo, p, withdrawn_routes_len, 32);
+        if (add_path == -1)
+            goto trunc;
         while (withdrawn_routes_len != 0) {
             if (add_path) {
             	if (withdrawn_routes_len < 4) {
@@ -2768,7 +2783,9 @@ bgp_update_print(netdissect_options *ndo,
     }
 
     if (length) {
-        add_path = check_add_path(p, length, 32);
+        add_path = check_add_path(ndo, p, length, 32);
+        if (add_path == -1)
+            goto trunc;
         ND_PRINT((ndo, "\n\t  Updated routes:"));
         while (length != 0) {
             if (add_path) {