X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/77523329c37b1954e366b3b205fcb69bec63f59a..e30f67df758ebe32d49b368b22423f093ab96e26:/print-icmp.c

diff --git a/print-icmp.c b/print-icmp.c
index 62429b5e..862b095a 100644
--- a/print-icmp.c
+++ b/print-icmp.c
@@ -21,7 +21,7 @@
 
 #ifndef lint
 static const char rcsid[] _U_ =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-icmp.c,v 1.79 2004-06-15 07:43:03 hannes Exp $ (LBL)";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-icmp.c,v 1.81 2005-04-06 21:32:40 mcr Exp $ (LBL)";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -527,11 +527,12 @@ icmp_print(const u_char *bp, u_int plen, const u_char *bp2, int fragmented)
 		(void)printf("\n\t");
 		ip = (struct ip *)bp;
 		snaplen = snapend - bp;
-		ip_print(bp, EXTRACT_16BITS(&ip->ip_len));
+		ip_print(gndo, bp, EXTRACT_16BITS(&ip->ip_len));
 	}
 
         if (vflag >= 1 && plen > ICMP_EXTD_MINLEN && ICMP_MPLS_EXT_TYPE(dp->icmp_type)) {
 
+            TCHECK(*(dp->icmp_mpls_ext_version));
             printf("\n\tMPLS extension v%u",ICMP_MPLS_EXT_EXTRACT_VERSION(*(dp->icmp_mpls_ext_version)));
             
             /*
@@ -543,6 +544,7 @@ icmp_print(const u_char *bp, u_int plen, const u_char *bp2, int fragmented)
             }
 
             hlen = plen - ICMP_EXTD_MINLEN;
+            TCHECK2(*(dp->icmp_mpls_ext_checksum), 2);
             printf(", checksum 0x%04x (unverified), length %u", /* FIXME */
                    EXTRACT_16BITS(dp->icmp_mpls_ext_checksum),
                    hlen);
@@ -553,6 +555,7 @@ icmp_print(const u_char *bp, u_int plen, const u_char *bp2, int fragmented)
             while (hlen > sizeof(struct icmp_mpls_ext_object_header_t)) {
 
                 icmp_mpls_ext_object_header = (struct icmp_mpls_ext_object_header_t *)obj_tptr;
+                TCHECK(*icmp_mpls_ext_object_header);
                 obj_tlen = EXTRACT_16BITS(icmp_mpls_ext_object_header->length);
                 obj_class_num = icmp_mpls_ext_object_header->class_num;
                 obj_ctype = icmp_mpls_ext_object_header->ctype;
@@ -565,12 +568,15 @@ icmp_print(const u_char *bp, u_int plen, const u_char *bp2, int fragmented)
                        obj_tlen);
 
                 hlen-=sizeof(struct icmp_mpls_ext_object_header_t); /* length field includes tlv header */
-                obj_tlen-=sizeof(struct icmp_mpls_ext_object_header_t); 
+                if (obj_tlen < sizeof(struct icmp_mpls_ext_object_header_t))
+                    break;
+                obj_tlen-=sizeof(struct icmp_mpls_ext_object_header_t);
 
                 switch (obj_class_num) {
                 case 1:
                     switch(obj_ctype) {
                     case 1:
+                        TCHECK2(*obj_tptr, 4);
                         raw_label = EXTRACT_32BITS(obj_tptr);
                         printf("\n\t    label %u, exp %u", MPLS_LABEL(raw_label), MPLS_EXP(raw_label));
                         if (MPLS_STACK(raw_label))
@@ -591,6 +597,8 @@ icmp_print(const u_char *bp, u_int plen, const u_char *bp2, int fragmented)
                     print_unknown_data(obj_tptr, "\n\t    ", obj_tlen);
                     break;
                 }
+                if (hlen < obj_tlen)
+                    break;
                 hlen -= obj_tlen;
                 obj_tptr += obj_tlen;
             }