X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/568d18f6eafb8df0d2500652b1cad49618051349..39f09d68ce7ebe9e229c9bf5209bfc30a8f51064:/print-tcp.c
diff --git a/print-tcp.c b/print-tcp.c
index 0d62c4a9..0c250a07 100644
--- a/print-tcp.c
+++ b/print-tcp.c
@@ -44,6 +44,8 @@ __RCSID("$NetBSD: print-tcp.c,v 1.8 2007/07/24 11:53:48 drochner Exp $");
 #include "addrtoname.h"
 #include "extract.h"
+#include "diag-control.h"
+
 #include "tcp.h"
 #include "ip.h"
@@ -173,6 +175,7 @@ tcp_print(netdissect_options *ndo,
 uint16_t magic;
 int rev;
 const struct ip6_hdr *ip6;
+ u_int header_len; /* Header length in bytes */
 ndo->ndo_protocol = "tcp";
 tp = (const struct tcphdr *)bp;
@@ -612,7 +615,7 @@ tcp_print(netdissect_options *ndo,
 break;
 case TCPOPT_MPTCP:
- {
+ {
 const u_char *snapend_save;
 int ret;
@@ -623,6 +626,13 @@ tcp_print(netdissect_options *ndo,
 * only do ND_TCHECK_LEN() if it returned 0.
 */
 ND_TCHECK_LEN(cp, datalen);
+ /* Update the snapend to the end of the option
+ * before calling mptcp_print(). Some options
+ * (MPTCP or others) may be present after a
+ * MPTCP option. This prevents that, in
+ * mptcp_print(), the remaining length < the
+ * remaining caplen.
+ */
 snapend_save = ndo->ndo_snapend;
 ndo->ndo_snapend = ND_MIN(cp - 2 + len, ndo->ndo_snapend);
@@ -704,7 +714,17 @@ tcp_print(netdissect_options *ndo,
 /*
 * Decode payload if necessary.
 */
- bp += TH_OFF(tp) * 4;
+ header_len = TH_OFF(tp) * 4;
+ /*
+ * Do a bounds check before decoding the payload.
+ * At least the header data is required.
+ */
+ if (!ND_TTEST_LEN(bp, header_len)) {
+ ND_PRINT(" [remaining caplen(%u) < header length(%u)]",
+ ND_BYTES_AVAILABLE_AFTER(bp), header_len);
+ nd_trunc_longjmp(ndo);
+ }
+ bp += header_len;
 if ((flags & TH_RST) && ndo->ndo_vflag) {
 print_tcp_rst_data(ndo, bp, length);
 return;
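Review bot: The last sentence of the new comment in the TCPOPT_MPTCP hunk, `This prevents that, in mptcp_print(), the remaining length < the remaining caplen.`, reads awkwardly and does not describe what the lines right below it do, which is clamp `ndo->ndo_snapend` down to the end of this one option with `ND_MIN(cp - 2 + len, ndo->ndo_snapend)`. Suggest wording it from that angle: `/* Clamp the snapend to the end of this option before calling mptcp_print(): other options (MPTCP or not) may follow it, and without the clamp mptcp_print() could see more captured bytes than this option's own length. */`. The snapend save/restore around the mptcp_print() call and the enclosing tcp_print() continue outside this hunk.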
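Review bot: The guard added before `bp += header_len` derives the header length a second time from `TH_OFF(tp) * 4`; if tcp_print() already holds that value in a local from its earlier minimum/maximum header-length checks (not visible in this hunk), reuse it so the payload offset and the length the option walk used cannot diverge. The check itself is sound and deliberately caplen-only: `ND_TTEST_LEN(bp, header_len)` keeps `bp` from being advanced past the captured bytes before print_tcp_rst_data() and the payload printers run, and it is a separate concern from the on-the-wire `length` check, which this hunk does not touch. The comment `At least the header data is required.` does not say why the per-option checks done earlier in the function are not sufficient; if the option walk can stop early (for example at an end-of-options marker) before every header byte has been bounds-checked, say that instead, e.g. `/* The option walk may not have checked every header byte; make sure the whole header is captured before skipping over it. */`. tcp_print() starts and ends outside this hunk.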
@@ -865,7 +885,7 @@ print_tcp_fastopen_option(netdissect_options *ndo, const u_char *cp,
 }
 #ifdef HAVE_LIBCRYPTO
-USES_APPLE_DEPRECATED_API
+DIAG_OFF_DEPRECATION
 static int
 tcp_verify_signature(netdissect_options *ndo,
 const struct ip *ip, const struct tcphdr *tp,
@@ -945,5 +965,5 @@ tcp_verify_signature(netdissect_options *ndo,
 else
 return (SIGNATURE_INVALID);
 }
-USES_APPLE_RST
+DIAG_ON_DEPRECATION
 #endif /* HAVE_LIBCRYPTO */