X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/59415dcb22a2724032249c6fca2616cd3b92dfd2..c0de704a5331dd3b9bd060dd0969163025186c0e:/print-isoclns.c diff --git a/print-isoclns.c b/print-isoclns.c index a3215a8d..4b9106b2 100644 --- a/print-isoclns.c +++ b/print-isoclns.c @@ -26,7 +26,7 @@ #ifndef lint static const char rcsid[] _U_ = - "@(#) $Header: /tcpdump/master/tcpdump/print-isoclns.c,v 1.137 2005-04-25 18:50:35 guy Exp $ (LBL)"; + "@(#) $Header: /tcpdump/master/tcpdump/print-isoclns.c,v 1.154 2005-11-12 22:22:59 guy Exp $ (LBL)"; #endif #ifdef HAVE_CONFIG_H @@ -110,7 +110,9 @@ static struct tok isis_pdu_values[] = { #define ISIS_TLV_LSP 9 /* iso10589 */ #define ISIS_TLV_AUTH 10 /* iso10589, rfc3567 */ #define ISIS_TLV_CHECKSUM 12 /* rfc3358 */ +#define ISIS_TLV_CHECKSUM_MINLEN 2 #define ISIS_TLV_LSP_BUFFERSIZE 14 /* iso10589 rev2 */ +#define ISIS_TLV_LSP_BUFFERSIZE_MINLEN 2 #define ISIS_TLV_EXT_IS_REACH 22 /* draft-ietf-isis-traffic-05 */ #define ISIS_TLV_IS_ALIAS_ID 24 /* draft-ietf-isis-ext-lsp-frags-02 */ #define ISIS_TLV_DECNET_PHASE4 42 @@ -119,6 +121,7 @@ static struct tok isis_pdu_values[] = { #define ISIS_TLV_PROTOCOLS 129 /* rfc1195 */ #define ISIS_TLV_EXT_IP_REACH 130 /* rfc1195, rfc2966 */ #define ISIS_TLV_IDRP_INFO 131 /* rfc1195 */ +#define ISIS_TLV_IDRP_INFO_MINLEN 1 #define ISIS_TLV_IPADDR 132 /* rfc1195 */ #define ISIS_TLV_IPAUTH 133 /* rfc1195 */ #define ISIS_TLV_TE_ROUTER_ID 134 /* draft-ietf-isis-traffic-05 */ @@ -127,16 +130,21 @@ static struct tok isis_pdu_values[] = { #define ISIS_TLV_SHARED_RISK_GROUP 138 /* draft-ietf-isis-gmpls-extensions */ #define ISIS_TLV_NORTEL_PRIVATE1 176 #define ISIS_TLV_NORTEL_PRIVATE2 177 -#define ISIS_TLV_RESTART_SIGNALING 211 /* draft-ietf-isis-restart-01 */ +#define ISIS_TLV_RESTART_SIGNALING 211 /* rfc3847 */ +#define ISIS_TLV_RESTART_SIGNALING_FLAGLEN 1 +#define ISIS_TLV_RESTART_SIGNALING_HOLDTIMELEN 2 #define ISIS_TLV_MT_IS_REACH 222 /* draft-ietf-isis-wg-multi-topology-05 */ #define ISIS_TLV_MT_SUPPORTED 229 /* draft-ietf-isis-wg-multi-topology-05 */ +#define ISIS_TLV_MT_SUPPORTED_MINLEN 2 #define ISIS_TLV_IP6ADDR 232 /* draft-ietf-isis-ipv6-02 */ #define ISIS_TLV_MT_IP_REACH 235 /* draft-ietf-isis-wg-multi-topology-05 */ #define ISIS_TLV_IP6_REACH 236 /* draft-ietf-isis-ipv6-02 */ #define ISIS_TLV_MT_IP6_REACH 237 /* draft-ietf-isis-wg-multi-topology-05 */ #define ISIS_TLV_PTP_ADJ 240 /* rfc3373 */ #define ISIS_TLV_IIH_SEQNR 241 /* draft-shen-isis-iih-sequence-00 */ +#define ISIS_TLV_IIH_SEQNR_MINLEN 4 #define ISIS_TLV_VENDOR_PRIVATE 250 /* draft-ietf-isis-experimental-tlv-01 */ +#define ISIS_TLV_VENDOR_PRIVATE_MINLEN 3 static struct tok isis_tlv_values[] = { { ISIS_TLV_AREA_ADDR, "Area address(es)"}, @@ -201,12 +209,20 @@ static struct tok esis_option_values[] = { #define CLNP_OPTION_DISCARD_REASON 193 #define CLNP_OPTION_QOS_MAINTENANCE 195 /* iso8473 */ +#define CLNP_OPTION_SECURITY 197 /* iso8473 */ +#define CLNP_OPTION_SOURCE_ROUTING 200 /* iso8473 */ +#define CLNP_OPTION_ROUTE_RECORDING 203 /* iso8473 */ +#define CLNP_OPTION_PADDING 204 /* iso8473 */ #define CLNP_OPTION_PRIORITY 205 /* iso8473 */ static struct tok clnp_option_values[] = { { CLNP_OPTION_DISCARD_REASON, "Discard Reason"}, { CLNP_OPTION_PRIORITY, "Priority"}, { CLNP_OPTION_QOS_MAINTENANCE, "QoS Maintenance"}, + { CLNP_OPTION_SECURITY, "Security"}, + { CLNP_OPTION_SOURCE_ROUTING, "Source Routing"}, + { CLNP_OPTION_ROUTE_RECORDING, "Route Recording"}, + { CLNP_OPTION_PADDING, "Padding"}, { 0, NULL } }; @@ -286,6 +302,40 @@ static struct tok *clnp_option_rfd_error_class[] = { NULL }; +#define CLNP_OPTION_OPTION_QOS_MASK 0x3f +#define CLNP_OPTION_SCOPE_MASK 0xc0 +#define CLNP_OPTION_SCOPE_SA_SPEC 0x40 +#define CLNP_OPTION_SCOPE_DA_SPEC 0x80 +#define CLNP_OPTION_SCOPE_GLOBAL 0xc0 + +static struct tok clnp_option_scope_values[] = { + { CLNP_OPTION_SCOPE_SA_SPEC, "Source Address Specific"}, + { CLNP_OPTION_SCOPE_DA_SPEC, "Destination Address Specific"}, + { CLNP_OPTION_SCOPE_GLOBAL, "Globally unique"}, + { 0, NULL } +}; + +static struct tok clnp_option_sr_rr_values[] = { + { 0x0, "partial"}, + { 0x1, "complete"}, + { 0, NULL } +}; + +static struct tok clnp_option_sr_rr_string_values[] = { + { CLNP_OPTION_SOURCE_ROUTING, "source routing"}, + { CLNP_OPTION_ROUTE_RECORDING, "recording of route in progress"}, + { 0, NULL } +}; + +static struct tok clnp_option_qos_global_values[] = { + { 0x20, "reserved"}, + { 0x10, "sequencing vs. delay"}, + { 0x08, "congested"}, + { 0x04, "delay vs. cost"}, + { 0x02, "error vs. delay"}, + { 0x01, "error vs. cost"}, + { 0, NULL } +}; #define ISIS_SUBTLV_EXT_IS_REACH_ADMIN_GROUP 3 /* draft-ietf-isis-traffic-05 */ #define ISIS_SUBTLV_EXT_IS_REACH_LINK_LOCAL_REMOTE_ID 4 /* draft-ietf-isis-gmpls-extensions */ @@ -294,11 +344,12 @@ static struct tok *clnp_option_rfd_error_class[] = { #define ISIS_SUBTLV_EXT_IS_REACH_IPV4_NEIGHBOR_ADDR 8 /* draft-ietf-isis-traffic-05 */ #define ISIS_SUBTLV_EXT_IS_REACH_MAX_LINK_BW 9 /* draft-ietf-isis-traffic-05 */ #define ISIS_SUBTLV_EXT_IS_REACH_RESERVABLE_BW 10 /* draft-ietf-isis-traffic-05 */ -#define ISIS_SUBTLV_EXT_IS_REACH_UNRESERVED_BW 11 /* draft-ietf-isis-traffic-05 */ -#define ISIS_SUBTLV_EXT_IS_REACH_DIFFSERV_TE 12 /* draft-ietf-tewg-diff-te-proto-06 */ +#define ISIS_SUBTLV_EXT_IS_REACH_UNRESERVED_BW 11 /* rfc4124 */ +#define ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS_OLD 12 /* draft-ietf-tewg-diff-te-proto-06 */ #define ISIS_SUBTLV_EXT_IS_REACH_TE_METRIC 18 /* draft-ietf-isis-traffic-05 */ #define ISIS_SUBTLV_EXT_IS_REACH_LINK_PROTECTION_TYPE 20 /* draft-ietf-isis-gmpls-extensions */ #define ISIS_SUBTLV_EXT_IS_REACH_INTF_SW_CAP_DESCR 21 /* draft-ietf-isis-gmpls-extensions */ +#define ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS 22 /* rfc4124 */ static struct tok isis_ext_is_reach_subtlv_values[] = { { ISIS_SUBTLV_EXT_IS_REACH_ADMIN_GROUP, "Administrative groups" }, @@ -309,10 +360,11 @@ static struct tok isis_ext_is_reach_subtlv_values[] = { { ISIS_SUBTLV_EXT_IS_REACH_MAX_LINK_BW, "Maximum link bandwidth" }, { ISIS_SUBTLV_EXT_IS_REACH_RESERVABLE_BW, "Reservable link bandwidth" }, { ISIS_SUBTLV_EXT_IS_REACH_UNRESERVED_BW, "Unreserved bandwidth" }, - { ISIS_SUBTLV_EXT_IS_REACH_DIFFSERV_TE, "Diffserv TE" }, { ISIS_SUBTLV_EXT_IS_REACH_TE_METRIC, "Traffic Engineering Metric" }, { ISIS_SUBTLV_EXT_IS_REACH_LINK_PROTECTION_TYPE, "Link Protection Type" }, { ISIS_SUBTLV_EXT_IS_REACH_INTF_SW_CAP_DESCR, "Interface Switching Capability" }, + { ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS_OLD, "Bandwidth Constraints (old)" }, + { ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS, "Bandwidth Constraints" }, { 250, "Reserved for cisco specific extensions" }, { 251, "Reserved for cisco specific extensions" }, { 252, "Reserved for cisco specific extensions" }, @@ -487,6 +539,7 @@ static struct tok isis_is_reach_virtual_values[] = { static struct tok isis_restart_flag_values[] = { { 0x1, "Restart Request"}, { 0x2, "Restart Acknowledgement"}, + { 0x4, "Suppress adjacency advertisement"}, { 0, NULL } }; @@ -586,7 +639,9 @@ void isoclns_print(const u_int8_t *p, u_int length, u_int caplen) break; case NLPID_NULLNS: - (void)printf(", length: %u", length); + (void)printf("%slength: %u", + eflag ? "" : ", ", + length); break; case NLPID_Q933: @@ -610,7 +665,9 @@ void isoclns_print(const u_int8_t *p, u_int length, u_int caplen) default: if (!eflag) printf("OSI NLPID 0x%02x unknown",*p); - (void)printf(", length: %u", length); + (void)printf("%slength: %u", + eflag ? "" : ", ", + length); if (caplen > 1) print_unknown_data(p,"\n\t",caplen); break; @@ -656,7 +713,7 @@ struct clnp_segment_header_t { static int clnp_print (const u_int8_t *pptr, u_int length) { const u_int8_t *optr,*source_address,*dest_address; - u_int li,source_address_length,dest_address_length, clnp_pdu_type, clnp_flags; + u_int li,tlen,nsap_offset,source_address_length,dest_address_length, clnp_pdu_type, clnp_flags; const struct clnp_header_t *clnp_header; const struct clnp_segment_header_t *clnp_segment_header; u_int8_t rfd_error_major,rfd_error_minor; @@ -733,6 +790,7 @@ static int clnp_print (const u_int8_t *pptr, u_int length) if (clnp_flags & CLNP_SEGMENT_PART) { clnp_segment_header = (const struct clnp_segment_header_t *) pptr; + TCHECK(*clnp_segment_header); printf("\n\tData Unit ID: 0x%04x, Segment Offset: %u, Total PDU Length: %u", EXTRACT_16BITS(clnp_segment_header->data_unit_id), EXTRACT_16BITS(clnp_segment_header->segment_offset), @@ -746,8 +804,7 @@ static int clnp_print (const u_int8_t *pptr, u_int length) u_int op, opli; const u_int8_t *tptr; - if (snapend - pptr < 2) - return (0); + TCHECK2(*pptr, 2); if (li < 2) { printf(", bad opts/li"); return (0); @@ -755,15 +812,14 @@ static int clnp_print (const u_int8_t *pptr, u_int length) op = *pptr++; opli = *pptr++; li -= 2; + TCHECK2(*pptr, opli); if (opli > li) { printf(", opt (%d) too long", op); return (0); } li -= opli; tptr = pptr; - - if (snapend < pptr) - return(0); + tlen = opli; printf("\n\t %s Option #%u, length %u, value: ", tok2str(clnp_option_values,"Unknown",op), @@ -772,9 +828,61 @@ static int clnp_print (const u_int8_t *pptr, u_int length) switch (op) { + + case CLNP_OPTION_ROUTE_RECORDING: /* those two options share the format */ + case CLNP_OPTION_SOURCE_ROUTING: + printf("%s %s", + tok2str(clnp_option_sr_rr_values,"Unknown",*tptr), + tok2str(clnp_option_sr_rr_string_values,"Unknown Option %u",op)); + nsap_offset=*(tptr+1); + if (nsap_offset == 0) { + printf(" Bad NSAP offset (0)"); + break; + } + nsap_offset-=1; /* offset to nsap list */ + if (nsap_offset > tlen) { + printf(" Bad NSAP offset (past end of option)"); + break; + } + tptr+=nsap_offset; + tlen-=nsap_offset; + while (tlen > 0) { + source_address_length=*tptr; + if (tlen < source_address_length+1) { + printf("\n\t NSAP address goes past end of option"); + break; + } + if (source_address_length > 0) { + source_address=(tptr+1); + TCHECK2(*source_address, source_address_length); + printf("\n\t NSAP address (length %u): %s", + source_address_length, + isonsap_string(source_address, source_address_length)); + } + tlen-=source_address_length+1; + } + break; + case CLNP_OPTION_PRIORITY: - printf("%u", *tptr); - break; + printf("0x%1x", *tptr&0x0f); + break; + + case CLNP_OPTION_QOS_MAINTENANCE: + printf("\n\t Format Code: %s", + tok2str(clnp_option_scope_values,"Reserved",*tptr&CLNP_OPTION_SCOPE_MASK)); + + if ((*tptr&CLNP_OPTION_SCOPE_MASK) == CLNP_OPTION_SCOPE_GLOBAL) + printf("\n\t QoS Flags [%s]", + bittok2str(clnp_option_qos_global_values, + "none", + *tptr&CLNP_OPTION_OPTION_QOS_MASK)); + break; + + case CLNP_OPTION_SECURITY: + printf("\n\t Format Code: %s, Security-Level %u", + tok2str(clnp_option_scope_values,"Reserved",*tptr&CLNP_OPTION_SCOPE_MASK), + *(tptr+1)); + break; case CLNP_OPTION_DISCARD_REASON: rfd_error_major = (*tptr&0xf0) >> 4; @@ -786,6 +894,10 @@ static int clnp_print (const u_int8_t *pptr, u_int length) rfd_error_minor); break; + case CLNP_OPTION_PADDING: + printf("padding data"); + break; + /* * FIXME those are the defined Options that lack a decoder * you are welcome to contribute code ;-) @@ -804,6 +916,7 @@ static int clnp_print (const u_int8_t *pptr, u_int length) case CLNP_PDU_ER: /* fall through */ case CLNP_PDU_ERP: + TCHECK(*pptr); if (*(pptr) == NLPID_CLNP) { printf("\n\t-----original packet-----\n\t"); /* FIXME recursion protection */ @@ -1296,9 +1409,9 @@ trunctlv: */ static int -isis_print_is_reach_subtlv (const u_int8_t *tptr,int subt,int subl,const char *ident) { +isis_print_is_reach_subtlv (const u_int8_t *tptr,u_int subt,u_int subl,const char *ident) { - int priority_level,bandwidth_constraint; + u_int te_class,priority_level; union { /* int to float conversion buffer for several subTLVs */ float f; u_int32_t i; @@ -1328,7 +1441,7 @@ isis_print_is_reach_subtlv (const u_int8_t *tptr,int subt,int subl,const char *i break; case ISIS_SUBTLV_EXT_IS_REACH_IPV4_INTF_ADDR: case ISIS_SUBTLV_EXT_IS_REACH_IPV4_NEIGHBOR_ADDR: - if (subl >= 4) + if (subl >= sizeof(struct in_addr)) printf(", %s", ipaddr_string(tptr)); break; case ISIS_SUBTLV_EXT_IS_REACH_MAX_LINK_BW : @@ -1340,28 +1453,29 @@ isis_print_is_reach_subtlv (const u_int8_t *tptr,int subt,int subl,const char *i break; case ISIS_SUBTLV_EXT_IS_REACH_UNRESERVED_BW : if (subl >= 32) { - for (priority_level = 0; priority_level < 8; priority_level++) { + for (te_class = 0; te_class < 8; te_class++) { bw.i = EXTRACT_32BITS(tptr); - printf("%s priority level %d: %.3f Mbps", + printf("%s TE-Class %u: %.3f Mbps", ident, - priority_level, + te_class, bw.f*8/1000000 ); tptr+=4; } } break; - case ISIS_SUBTLV_EXT_IS_REACH_DIFFSERV_TE: + case ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS: /* fall through */ + case ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS_OLD: printf("%sBandwidth Constraints Model ID: %s (%u)", ident, tok2str(diffserv_te_bc_values, "unknown", *tptr), *tptr); tptr++; /* decode BCs until the subTLV ends */ - for (bandwidth_constraint = 0; bandwidth_constraint < (subl-1)/4; bandwidth_constraint++) { + for (te_class = 0; te_class < (subl-1)/4; te_class++) { bw.i = EXTRACT_32BITS(tptr); - printf("%s Bandwidth constraint %d: %.3f Mbps", + printf("%s Bandwidth constraint CT%u: %.3f Mbps", ident, - bandwidth_constraint, + te_class, bw.f*8/1000000 ); tptr+=4; } @@ -1399,7 +1513,7 @@ isis_print_is_reach_subtlv (const u_int8_t *tptr,int subt,int subl,const char *i not specified so just lets hexdump what is left */ if(subl>0){ if(!print_unknown_data(tptr,"\n\t\t ", - subl-36)) + subl)) return(0); } } @@ -1502,7 +1616,11 @@ static int isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi) { char ident_buffer[20]; - u_int8_t prefix[16]; /* shared copy buffer for IPv4 and IPv6 prefixes */ +#ifdef INET6 + u_int8_t prefix[sizeof(struct in6_addr)]; /* shared copy buffer for IPv4 and IPv6 prefixes */ +#else + u_int8_t prefix[sizeof(struct in_addr)]; /* shared copy buffer for IPv4 prefixes */ +#endif u_int metric, status_byte, bit_length, byte_length, sublen, processed, subtlvtype, subtlvlen; if (!TTEST2(*tptr, 4)) @@ -1516,6 +1634,12 @@ isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi return (0); status_byte=*(tptr++); bit_length = status_byte&0x3f; + if (bit_length > 32) { + printf("%sIPv4 prefix: bad bit length %u", + ident, + bit_length); + return (0); + } processed++; #ifdef INET6 } else if (afi == IPV6) { @@ -1523,6 +1647,12 @@ isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi return (0); status_byte=*(tptr++); bit_length=*(tptr++); + if (bit_length > 128) { + printf("%sIPv6 prefix: bad bit length %u", + ident, + bit_length); + return (0); + } processed+=2; #endif } else @@ -1532,7 +1662,7 @@ isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi if (!TTEST2(*tptr, byte_length)) return (0); - memset(prefix, 0, 16); /* clear the copy buffer */ + memset(prefix, 0, sizeof prefix); /* clear the copy buffer */ memcpy(prefix,tptr,byte_length); /* copy as much as is stored in the TLV */ tptr+=byte_length; processed+=byte_length; @@ -2160,15 +2290,15 @@ static int isis_print (const u_int8_t *p, u_int length) break; case ISIS_TLV_IP6ADDR: - while (tmp>0) { - if (!TTEST2(*tptr, 16)) + while (tmp>=sizeof(struct in6_addr)) { + if (!TTEST2(*tptr, sizeof(struct in6_addr))) goto trunctlv; printf("\n\t IPv6 interface address: %s", ip6addr_string(tptr)); - tptr += 16; - tmp -= 16; + tptr += sizeof(struct in6_addr); + tmp -= sizeof(struct in6_addr); } break; #endif @@ -2258,18 +2388,18 @@ static int isis_print (const u_int8_t *p, u_int length) break; case ISIS_TLV_TE_ROUTER_ID: - if (!TTEST2(*pptr, 4)) + if (!TTEST2(*pptr, sizeof(struct in_addr))) goto trunctlv; printf("\n\t Traffic Engineering Router ID: %s", ipaddr_string(pptr)); break; case ISIS_TLV_IPADDR: - while (tmp>0) { - if (!TTEST2(*tptr, 4)) + while (tmp>=sizeof(struct in_addr)) { + if (!TTEST2(*tptr, sizeof(struct in_addr))) goto trunctlv; printf("\n\t IPv4 interface address: %s", ipaddr_string(tptr)); - tptr += 4; - tmp -= 4; + tptr += sizeof(struct in_addr); + tmp -= sizeof(struct in_addr); } break; @@ -2284,30 +2414,38 @@ static int isis_print (const u_int8_t *p, u_int length) break; case ISIS_TLV_SHARED_RISK_GROUP: + if (tmp < NODE_ID_LEN) + break; if (!TTEST2(*tptr, NODE_ID_LEN)) goto trunctlv; printf("\n\t IS Neighbor: %s", isis_print_id(tptr, NODE_ID_LEN)); tptr+=(NODE_ID_LEN); tmp-=(NODE_ID_LEN); + if (tmp < 1) + break; if (!TTEST2(*tptr, 1)) goto trunctlv; printf(", Flags: [%s]", ISIS_MASK_TLV_SHARED_RISK_GROUP(*tptr++) ? "numbered" : "unnumbered"); tmp--; - if (!TTEST2(*tptr,4)) + if (tmp < sizeof(struct in_addr)) + break; + if (!TTEST2(*tptr,sizeof(struct in_addr))) goto trunctlv; printf("\n\t IPv4 interface address: %s", ipaddr_string(tptr)); - tptr+=4; - tmp-=4; + tptr+=sizeof(struct in_addr); + tmp-=sizeof(struct in_addr); - if (!TTEST2(*tptr,4)) + if (tmp < sizeof(struct in_addr)) + break; + if (!TTEST2(*tptr,sizeof(struct in_addr))) goto trunctlv; printf("\n\t IPv4 neighbor address: %s", ipaddr_string(tptr)); - tptr+=4; - tmp-=4; + tptr+=sizeof(struct in_addr); + tmp-=sizeof(struct in_addr); - while (tmp>0) { + while (tmp>=4) { if (!TTEST2(*tptr, 4)) goto trunctlv; printf("\n\t Link-ID: 0x%08x", EXTRACT_32BITS(tptr)); @@ -2318,7 +2456,7 @@ static int isis_print (const u_int8_t *p, u_int length) case ISIS_TLV_LSP: tlv_lsp = (const struct isis_tlv_lsp *)tptr; - while(tmp>0) { + while(tmp>=sizeof(struct isis_tlv_lsp)) { if (!TTEST((tlv_lsp->lsp_id)[LSP_ID_LEN-1])) goto trunctlv; printf("\n\t lsp-id: %s", @@ -2338,7 +2476,9 @@ static int isis_print (const u_int8_t *p, u_int length) break; case ISIS_TLV_CHECKSUM: - if (!TTEST2(*tptr, 2)) + if (tmp < ISIS_TLV_CHECKSUM_MINLEN) + break; + if (!TTEST2(*tptr, ISIS_TLV_CHECKSUM_MINLEN)) goto trunctlv; printf("\n\t checksum: 0x%04x ", EXTRACT_16BITS(tptr)); /* do not attempt to verify the checksum if it is zero @@ -2352,6 +2492,8 @@ static int isis_print (const u_int8_t *p, u_int length) break; case ISIS_TLV_MT_SUPPORTED: + if (tmp < ISIS_TLV_MT_SUPPORTED_MINLEN) + break; while (tmp>1) { /* length can only be a multiple of 2, otherwise there is something broken -> so decode down until length is 1 */ @@ -2369,16 +2511,41 @@ static int isis_print (const u_int8_t *p, u_int length) break; case ISIS_TLV_RESTART_SIGNALING: - if (!TTEST2(*tptr, 3)) + /* first attempt to decode the flags */ + if (tmp < ISIS_TLV_RESTART_SIGNALING_FLAGLEN) + break; + if (!TTEST2(*tptr, ISIS_TLV_RESTART_SIGNALING_FLAGLEN)) goto trunctlv; - printf("\n\t Flags [%s], Remaining holding time %us", - bittok2str(isis_restart_flag_values, "none", *tptr), - EXTRACT_16BITS(tptr+1)); - tptr+=3; + printf("\n\t Flags [%s]", + bittok2str(isis_restart_flag_values, "none", *tptr)); + tptr+=ISIS_TLV_RESTART_SIGNALING_FLAGLEN; + tmp-=ISIS_TLV_RESTART_SIGNALING_FLAGLEN; + + /* is there anything other than the flags field? */ + if (tmp == 0) + break; + + if (tmp < ISIS_TLV_RESTART_SIGNALING_HOLDTIMELEN) + break; + if (!TTEST2(*tptr, ISIS_TLV_RESTART_SIGNALING_HOLDTIMELEN)) + goto trunctlv; + + printf(", Remaining holding time %us", EXTRACT_16BITS(tptr+1)); + tptr+=ISIS_TLV_RESTART_SIGNALING_HOLDTIMELEN; + tmp-=ISIS_TLV_RESTART_SIGNALING_HOLDTIMELEN; + + /* is there an additional sysid field present ?*/ + if (tmp == SYSTEM_ID_LEN) { + if (!TTEST2(*tptr, SYSTEM_ID_LEN)) + goto trunctlv; + printf(", for %s",isis_print_id(tptr,SYSTEM_ID_LEN)); + } break; case ISIS_TLV_IDRP_INFO: - if (!TTEST2(*tptr, 1)) + if (tmp < ISIS_TLV_IDRP_INFO_MINLEN) + break; + if (!TTEST2(*tptr, ISIS_TLV_IDRP_INFO_MINLEN)) goto trunctlv; printf("\n\t Inter-Domain Information Type: %s", tok2str(isis_subtlv_idrp_values, @@ -2400,7 +2567,9 @@ static int isis_print (const u_int8_t *p, u_int length) break; case ISIS_TLV_LSP_BUFFERSIZE: - if (!TTEST2(*tptr, 2)) + if (tmp < ISIS_TLV_LSP_BUFFERSIZE_MINLEN) + break; + if (!TTEST2(*tptr, ISIS_TLV_LSP_BUFFERSIZE_MINLEN)) goto trunctlv; printf("\n\t LSP Buffersize: %u",EXTRACT_16BITS(tptr)); break; @@ -2416,6 +2585,8 @@ static int isis_print (const u_int8_t *p, u_int length) break; case ISIS_TLV_PREFIX_NEIGH: + if (tmp < sizeof(struct isis_metric_block)) + break; if (!TTEST2(*tptr, sizeof(struct isis_metric_block))) goto trunctlv; printf("\n\t Metric Block"); @@ -2432,6 +2603,8 @@ static int isis_print (const u_int8_t *p, u_int length) break; } tmp--; + if (tmp < prefix_len/2) + break; if (!TTEST2(*tptr, prefix_len/2)) goto trunctlv; printf("\n\t\tAddress: %s/%u", @@ -2443,13 +2616,17 @@ static int isis_print (const u_int8_t *p, u_int length) break; case ISIS_TLV_IIH_SEQNR: - if (!TTEST2(*tptr, 4)) /* check if four bytes are on the wire */ + if (tmp < ISIS_TLV_IIH_SEQNR_MINLEN) + break; + if (!TTEST2(*tptr, ISIS_TLV_IIH_SEQNR_MINLEN)) /* check if four bytes are on the wire */ goto trunctlv; printf("\n\t Sequence number: %u", EXTRACT_32BITS(tptr) ); break; case ISIS_TLV_VENDOR_PRIVATE: - if (!TTEST2(*tptr, 3)) /* check if enough byte for a full oui */ + if (tmp < ISIS_TLV_VENDOR_PRIVATE_MINLEN) + break; + if (!TTEST2(*tptr, ISIS_TLV_VENDOR_PRIVATE_MINLEN)) /* check if enough byte for a full oui */ goto trunctlv; vendor_id = EXTRACT_24BITS(tptr); printf("\n\t Vendor: %s (%u)",