X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/89789e51d5885c520ead7459440198c6fbcefc01..3d6e7bd1e42a7316fb2020348a8d3e86b1346b36:/print-eap.c

diff --git a/print-eap.c b/print-eap.c
index 125e1ee1..d76aea33 100644
--- a/print-eap.c
+++ b/print-eap.c
@@ -182,7 +182,9 @@ eap_print(netdissect_options *ndo,
 
     switch (eap->type) {
     case EAP_FRAME_TYPE_PACKET:
+        ND_TCHECK_8BITS(tptr);
         type = *(tptr);
+        ND_TCHECK_16BITS(tptr+2);
         len = EXTRACT_16BITS(tptr+2);
         ND_PRINT((ndo, ", %s (%u), id %u, len %u",
                tok2str(eap_code_values, "unknown", type),
@@ -193,10 +195,11 @@ eap_print(netdissect_options *ndo,
         ND_TCHECK2(*tptr, len);
 
         if (type <= 2) { /* For EAP_REQUEST and EAP_RESPONSE only */
+            ND_TCHECK_8BITS(tptr+4);
             subtype = *(tptr+4);
             ND_PRINT((ndo, "\n\t\t Type %s (%u)",
-                   tok2str(eap_type_values, "unknown", *(tptr+4)),
-                   *(tptr + 4)));
+                   tok2str(eap_type_values, "unknown", subtype),
+                   subtype));
 
             switch (subtype) {
             case EAP_TYPE_IDENTITY:
@@ -222,6 +225,7 @@ eap_print(netdissect_options *ndo,
                  * type one octet per type
                  */
                 while (count < len) {
+                    ND_TCHECK_8BITS(tptr+count);
                     ND_PRINT((ndo, " %s (%u),",
                            tok2str(eap_type_values, "unknown", *(tptr+count)),
                            *(tptr + count)));
@@ -230,19 +234,23 @@ eap_print(netdissect_options *ndo,
                 break;
 
             case EAP_TYPE_TTLS:
-                ND_PRINT((ndo, " TTLSv%u",
-                       EAP_TTLS_VERSION(*(tptr + 5)))); /* fall through */
             case EAP_TYPE_TLS:
+                ND_TCHECK_8BITS(tptr + 5);
+                if (subtype == EAP_TYPE_TTLS)
+                    ND_PRINT((ndo, " TTLSv%u",
+                           EAP_TTLS_VERSION(*(tptr + 5))));
                 ND_PRINT((ndo, " flags [%s] 0x%02x,",
                        bittok2str(eap_tls_flags_values, "none", *(tptr+5)),
                        *(tptr + 5)));
 
                 if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) {
+                    ND_TCHECK_32BITS(tptr + 6);
 		    ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6)));
                 }
                 break;
 
             case EAP_TYPE_FAST:
+                ND_TCHECK_8BITS(tptr + 5);
                 ND_PRINT((ndo, " FASTv%u",
                        EAP_TTLS_VERSION(*(tptr + 5))));
                 ND_PRINT((ndo, " flags [%s] 0x%02x,",
@@ -250,6 +258,7 @@ eap_print(netdissect_options *ndo,
                        *(tptr + 5)));
 
                 if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) {
+                    ND_TCHECK_32BITS(tptr + 6);
                     ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6)));
                 }
 
@@ -258,6 +267,7 @@ eap_print(netdissect_options *ndo,
 
             case EAP_TYPE_AKA:
             case EAP_TYPE_SIM:
+                ND_TCHECK_8BITS(tptr + 5);
                 ND_PRINT((ndo, " subtype [%s] 0x%02x,",
                        tok2str(eap_aka_subtype_values, "unknown", *(tptr+5)),
                        *(tptr + 5)));