X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/a5f2f0c289d3c40a17d0eea87fa5cddb55ce0749..cd6afeab95d0a1eaf9fb2f88122575bbed1fba6e:/print-isoclns.c

diff --git a/print-isoclns.c b/print-isoclns.c
index 434c0a22..a0f10cbe 100644
--- a/print-isoclns.c
+++ b/print-isoclns.c
@@ -26,7 +26,7 @@
 
 #ifndef lint
 static const char rcsid[] _U_ =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-isoclns.c,v 1.133.2.17 2005-09-05 11:16:25 hannes Exp $ (LBL)";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-isoclns.c,v 1.133.2.21 2005-11-12 22:23:23 guy Exp $ (LBL)";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -345,6 +345,7 @@ static struct tok clnp_option_qos_global_values[] = {
 #define ISIS_SUBTLV_EXT_IS_REACH_MAX_LINK_BW           9 /* draft-ietf-isis-traffic-05 */
 #define ISIS_SUBTLV_EXT_IS_REACH_RESERVABLE_BW        10 /* draft-ietf-isis-traffic-05 */
 #define ISIS_SUBTLV_EXT_IS_REACH_UNRESERVED_BW        11 /* rfc4124 */
+#define ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS_OLD   12 /* draft-ietf-tewg-diff-te-proto-06 */
 #define ISIS_SUBTLV_EXT_IS_REACH_TE_METRIC            18 /* draft-ietf-isis-traffic-05 */
 #define ISIS_SUBTLV_EXT_IS_REACH_LINK_PROTECTION_TYPE 20 /* draft-ietf-isis-gmpls-extensions */
 #define ISIS_SUBTLV_EXT_IS_REACH_INTF_SW_CAP_DESCR    21 /* draft-ietf-isis-gmpls-extensions */
@@ -362,6 +363,7 @@ static struct tok isis_ext_is_reach_subtlv_values[] = {
     { ISIS_SUBTLV_EXT_IS_REACH_TE_METRIC,              "Traffic Engineering Metric" },
     { ISIS_SUBTLV_EXT_IS_REACH_LINK_PROTECTION_TYPE,   "Link Protection Type" },
     { ISIS_SUBTLV_EXT_IS_REACH_INTF_SW_CAP_DESCR,      "Interface Switching Capability" },
+    { ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS_OLD,     "Bandwidth Constraints (old)" },
     { ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS,         "Bandwidth Constraints" },
     { 250,                                             "Reserved for cisco specific extensions" },
     { 251,                                             "Reserved for cisco specific extensions" },
@@ -1461,7 +1463,8 @@ isis_print_is_reach_subtlv (const u_int8_t *tptr,u_int subt,u_int subl,const cha
 	      }
             }
             break;
-        case ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS:
+        case ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS: /* fall through */
+        case ISIS_SUBTLV_EXT_IS_REACH_BW_CONSTRAINTS_OLD:
             printf("%sBandwidth Constraints Model ID: %s (%u)",
                    ident,
                    tok2str(diffserv_te_bc_values, "unknown", *tptr),
@@ -1613,7 +1616,11 @@ static int
 isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi) {
 
     char ident_buffer[20];
+#ifdef INET6
     u_int8_t prefix[sizeof(struct in6_addr)]; /* shared copy buffer for IPv4 and IPv6 prefixes */
+#else
+    u_int8_t prefix[sizeof(struct in_addr)]; /* shared copy buffer for IPv4 prefixes */
+#endif
     u_int metric, status_byte, bit_length, byte_length, sublen, processed, subtlvtype, subtlvlen;
 
     if (!TTEST2(*tptr, 4))
@@ -1627,6 +1634,12 @@ isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi
             return (0);
         status_byte=*(tptr++);
         bit_length = status_byte&0x3f;
+        if (bit_length > 32) {
+            printf("%sIPv4 prefix: bad bit length %u",
+                   ident,
+                   bit_length);
+            return (0);
+        }
         processed++;
 #ifdef INET6
     } else if (afi == IPV6) {
@@ -1634,6 +1647,12 @@ isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi
             return (0);
         status_byte=*(tptr++);
         bit_length=*(tptr++);
+        if (bit_length > 128) {
+            printf("%sIPv6 prefix: bad bit length %u",
+                   ident,
+                   bit_length);
+            return (0);
+        }
         processed+=2;
 #endif
     } else
@@ -1643,7 +1662,7 @@ isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi
    
     if (!TTEST2(*tptr, byte_length))
         return (0);
-    memset(prefix, 0, sizeof(struct in6_addr));              /* clear the copy buffer */
+    memset(prefix, 0, sizeof prefix);   /* clear the copy buffer */
     memcpy(prefix,tptr,byte_length);    /* copy as much as is stored in the TLV */
     tptr+=byte_length;
     processed+=byte_length;
@@ -2493,22 +2512,27 @@ static int isis_print (const u_int8_t *p, u_int length)
 
 	case ISIS_TLV_RESTART_SIGNALING:
             /* first attempt to decode the flags */
+            if (tmp < ISIS_TLV_RESTART_SIGNALING_FLAGLEN)
+                break;
             if (!TTEST2(*tptr, ISIS_TLV_RESTART_SIGNALING_FLAGLEN))
                 goto trunctlv;
             printf("\n\t      Flags [%s]",
                    bittok2str(isis_restart_flag_values, "none", *tptr));
-	    tptr+=1;
-            tmp-=1;
+            tptr+=ISIS_TLV_RESTART_SIGNALING_FLAGLEN;
+            tmp-=ISIS_TLV_RESTART_SIGNALING_FLAGLEN;
 
-            /* is there an additional remaining holdtime */
-            if (tmp >= ISIS_TLV_RESTART_SIGNALING_HOLDTIMELEN) {
-                    if (!TTEST2(*tptr, ISIS_TLV_RESTART_SIGNALING_HOLDTIMELEN))
-                            goto trunctlv;
+            /* is there anything other than the flags field? */
+            if (tmp == 0)
+                break;
 
-                    printf(", Remaining holding time %us", EXTRACT_16BITS(tptr+1));
-                    tptr+=2;
-                    tmp-=2;
-            }
+            if (tmp < ISIS_TLV_RESTART_SIGNALING_HOLDTIMELEN)
+                break;
+            if (!TTEST2(*tptr, ISIS_TLV_RESTART_SIGNALING_HOLDTIMELEN))
+                goto trunctlv;
+
+            printf(", Remaining holding time %us", EXTRACT_16BITS(tptr+1));
+            tptr+=ISIS_TLV_RESTART_SIGNALING_HOLDTIMELEN;
+            tmp-=ISIS_TLV_RESTART_SIGNALING_HOLDTIMELEN;
 
             /* is there an additional sysid field present ?*/
             if (tmp == SYSTEM_ID_LEN) {