X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/6bc44295cfbe1f7b6633c755841518f4b159aa8a..6c8ef0eb86a39c277d1a43802dd8ea01b51cfb2a:/print-fr.c diff --git a/print-fr.c b/print-fr.c index 9c97bcb4..8a1a53a4 100644 --- a/print-fr.c +++ b/print-fr.c @@ -276,7 +276,7 @@ fr_print(netdissect_options *ndo, if (ethertype_print(ndo, extracted_ethertype, p+addr_len+ETHERTYPE_LEN, length-addr_len-ETHERTYPE_LEN, - length-addr_len-ETHERTYPE_LEN, + ndo->ndo_snapend-p-addr_len-ETHERTYPE_LEN, NULL, NULL) == 0) /* ether_type not known, probably it wasn't one */ ND_PRINT((ndo, "UI %02x! ", p[addr_len])); @@ -329,11 +329,11 @@ fr_print(netdissect_options *ndo, case NLPID_CLNP: case NLPID_ESIS: case NLPID_ISIS: - isoclns_print(ndo, p - 1, length + 1, length + 1); /* OSI printers need the NLPID field */ + isoclns_print(ndo, p - 1, length + 1); /* OSI printers need the NLPID field */ break; case NLPID_SNAP: - if (snap_print(ndo, p, length, length, NULL, NULL, 0) == 0) { + if (snap_print(ndo, p, length, ndo->ndo_snapend - p, NULL, NULL, 0) == 0) { /* ether_type not known, print raw packet */ if (!ndo->ndo_eflag) fr_hdr_print(ndo, length + hdr_len, hdr_len, @@ -457,6 +457,10 @@ mfr_print(netdissect_options *ndo, */ ND_TCHECK2(*p, 4); /* minimum frame header length */ + if (length < 4) { + ND_PRINT((ndo, "Message too short (%u bytes)", length)); + return length; + } if ((p[0] & MFR_BEC_MASK) == MFR_CTRL_FRAME && p[1] == 0) { ND_PRINT((ndo, "FRF.16 Control, Flags [%s], %s, length %u", @@ -493,6 +497,11 @@ mfr_print(netdissect_options *ndo, switch (ie_type) { case MFR_CTRL_IE_MAGIC_NUM: + /* FRF.16.1 Section 3.4.3 Magic Number Information Element */ + if (ie_len != 4) { + ND_PRINT((ndo, "(invalid length)")); + break; + } ND_PRINT((ndo, "0x%08x", EXTRACT_32BITS(tptr))); break; 
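Review bot: In the `@@ -276,7 +276,7 @@` hunk of fr_print, the new caplen argument `ndo->ndo_snapend-p-addr_len-ETHERTYPE_LEN` is a pointer difference that goes negative whenever `p+addr_len+ETHERTYPE_LEN` lies past the end of the captured data. If ethertype_print takes that argument as an unsigned length (its prototype is not shown here), a negative value would reach the callee as a very large capture length. Whether an earlier bounds check already rules this out cannot be seen, because fr_print's body starts and ends outside the hunk. If one does, a comment such as `/* caplen cannot be negative: the bytes up to p+addr_len+ETHERTYPE_LEN were bounds-checked above */` would record the invariant next to the subtraction. The same point applies to `ndo->ndo_snapend - p` passed to snap_print in the `@@ -329,11 +329,11 @@` hunk.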
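Review bot: In mfr_print (`@@ -457,6 +457,10 @@`), the new `length < 4` test sits after `ND_TCHECK2(*p, 4)`, so a frame that is genuinely shorter than four bytes and fully captured is presumably reported as truncated before the "Message too short" branch can run. Testing the on-the-wire length first would give the more accurate diagnosis for malformed frames: move the `if (length < 4) { ... return length; }` block above `ND_TCHECK2(*p, 4);`. A named constant for the minimum header length would also tie the two `4`s together. The function body continues outside the hunk.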
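Review bot: In the `MFR_CTRL_IE_MAGIC_NUM` case (`@@ -493,6 +497,11 @@`), the rejection message `"(invalid length)"` drops the value that failed the check, which is the detail someone triaging a malformed FRF.16 frame from the output would want. Consider printing it, for example `ND_PRINT((ndo, "(invalid length %u)", ie_len));`, with the conversion matched to ie_len's type, which is declared outside the hunk. That would also match the "Message too short (%u bytes)" message added earlier in this function, which does report the length. The other cases of this switch are not visible here, so whether they validate ie_len before reading from tptr cannot be judged from this hunk.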
@@ -906,6 +915,7 @@ q933_print(netdissect_options *ndo, ND_PRINT((ndo, "%s, codeset %u", is_ansi ? "ANSI" : "CCITT", codeset)); if (call_ref_length != 0) { + ND_TCHECK(p[0]); if (call_ref_length > 1 || p[0] != 0) { /* * Not a dummy call reference.
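Review bot: The added `ND_TCHECK(p[0]);` in q933_print covers only the first call-reference byte, while the condition right after it also admits `call_ref_length > 1`. The "Not a dummy call reference" branch continues outside the hunk. If it reads up to call_ref_length bytes from p without per-byte checks, those reads still need bounds coverage. Checking the whole field once would do it: `ND_TCHECK2(p[0], call_ref_length);`. If the later reads are already checked individually, a short comment saying that this check exists only for the `p[0] != 0` test would make the intent clear.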