X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/99c91c3aec40b691641374f58e798bd8d6b657bd..refs/heads/tcpdump-4.9:/print-egp.c

diff --git a/print-egp.c b/print-egp.c
index e87d0d66..8fba9ce7 100644
--- a/print-egp.c
+++ b/print-egp.c
@@ -18,6 +18,8 @@
  * Initial contribution from Jeff Honig (jch@MITCHELL.CIT.CORNELL.EDU).
  */
 
+/* \summary: Exterior Gateway Protocol (EGP) printer */
+
 #ifdef HAVE_CONFIG_H
 #include "config.h"
 #endif
@@ -127,7 +129,7 @@ static const char *egp_reasons[] = {
 
 static void
 egpnrprint(netdissect_options *ndo,
-           register const struct egp_packet *egp)
+           register const struct egp_packet *egp, u_int length)
 {
 	register const uint8_t *cp;
 	uint32_t addr;
@@ -152,11 +154,14 @@ egpnrprint(netdissect_options *ndo,
 		netlen = 0;
 	}
 	cp = (const uint8_t *)(egp + 1);
+	length -= sizeof(*egp);
 
 	t_gateways = egp->egp_intgw + egp->egp_extgw;
 	for (gateways = 0; gateways < t_gateways; ++gateways) {
 		/* Pickup host part of gateway address */
 		addr = 0;
+		if (length < 4 - netlen)
+			goto trunc;
 		ND_TCHECK2(cp[0], 4 - netlen);
 		switch (netlen) {
 
@@ -170,8 +175,12 @@ egpnrprint(netdissect_options *ndo,
 			addr = (addr << 8) | *cp++;
 		}
 		addr |= net;
+		length -= 4 - netlen;
+		if (length < 1)
+			goto trunc;
 		ND_TCHECK2(cp[0], 1);
 		distances = *cp++;
+		length--;
 		ND_PRINT((ndo, " %s %s ",
 		       gateways < (int)egp->egp_intgw ? "int" : "ext",
 		       ipaddr_string(ndo, &addr)));
@@ -179,21 +188,33 @@ egpnrprint(netdissect_options *ndo,
 		comma = "";
 		ND_PRINT((ndo, "("));
 		while (--distances >= 0) {
+			if (length < 2)
+				goto trunc;
 			ND_TCHECK2(cp[0], 2);
 			ND_PRINT((ndo, "%sd%d:", comma, (int)*cp++));
 			comma = ", ";
 			networks = *cp++;
+			length -= 2;
 			while (--networks >= 0) {
 				/* Pickup network number */
+				if (length < 1)
+					goto trunc;
 				ND_TCHECK2(cp[0], 1);
 				addr = (uint32_t)*cp++ << 24;
+				length--;
 				if (IN_CLASSB(addr)) {
+					if (length < 1)
+						goto trunc;
 					ND_TCHECK2(cp[0], 1);
 					addr |= (uint32_t)*cp++ << 16;
+					length--;
 				} else if (!IN_CLASSA(addr)) {
+					if (length < 2)
+						goto trunc;
 					ND_TCHECK2(cp[0], 2);
 					addr |= (uint32_t)*cp++ << 16;
 					addr |= (uint32_t)*cp++ << 8;
+					length -= 2;
 				}
 				ND_PRINT((ndo, " %s", ipaddr_string(ndo, &addr)));
 			}
@@ -215,7 +236,7 @@ egp_print(netdissect_options *ndo,
 	register int type;
 
 	egp = (const struct egp_packet *)bp;
-        if (!ND_TTEST2(*egp, length)) {
+	if (length < sizeof(*egp) || !ND_TTEST(*egp)) {
 		ND_PRINT((ndo, "[|egp]"));
 		return;
 	}
@@ -332,7 +353,7 @@ egp_print(netdissect_options *ndo,
 		       egp->egp_intgw,
 		       egp->egp_extgw));
 		if (ndo->ndo_vflag)
-			egpnrprint(ndo, egp);
+			egpnrprint(ndo, egp, length);
 		break;
 
 	case EGPT_ERROR: