X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/b38f324af9dd953a661b9f35910f8c6d8eb2cc06..195a4cfd9de46b47ac6794930e19e38ed263b05f:/print-vqp.c
diff --git a/print-vqp.c b/print-vqp.c
index 44a21935..ebc25fc9 100644
--- a/print-vqp.c
+++ b/print-vqp.c
@@ -97,7 +97,7 @@ static const struct tok vqp_obj_values[] = {
 };
 void
-vqp_print(netdissect_options *ndo, register const u_char *pptr, register u_int len)
+vqp_print(netdissect_options *ndo, const u_char *pptr, u_int len)
 {
 const struct vqp_common_header_t *vqp_common_header;
 const struct vqp_obj_tlv_t *vqp_obj_tlv;
@@ -105,13 +105,15 @@ vqp_print(netdissect_options *ndo, register const u_char *pptr, register u_int l
 const u_char *tptr;
 uint16_t vqp_obj_len;
 uint32_t vqp_obj_type;
- int tlen;
+ u_int tlen;
 uint8_t nitems;
 tptr=pptr;
 tlen = len;
 vqp_common_header = (const struct vqp_common_header_t *)pptr;
 ND_TCHECK(*vqp_common_header);
+ if (sizeof(struct vqp_common_header_t) > tlen)
+ goto trunc;
 /*
 * Sanity checking of the header.
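Review bot: The added `if (sizeof(struct vqp_common_header_t) > tlen) goto trunc;` sends a declared length that is too short down the same path as a short capture, so a malformed packet and a snaplen-limited one would look the same in the output. The same applies to the length checks added in the later hunks (`sizeof(struct vqp_obj_tlv_t) > tlen`, `vqp_obj_len > tlen`, `vqp_obj_len != 4`, `vqp_obj_len != MAC_ADDR_LEN`). I would keep `trunc` for the ND_TCHECK failures and send the length-consistency failures to a separate label, e.g. `goto invalid;`, that prints an invalid-length marker; the `trunc` label and what it prints are outside the hunk, so this is inferred from the label name. At minimum, add a comment at the check: `/* declared length shorter than the common header: malformed, not a short capture */`.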
@@ -140,19 +142,22 @@ vqp_print(netdissect_options *ndo, register const u_char *pptr, register u_int l
 tok2str(vqp_msg_type_values, "unknown (%u)",vqp_common_header->msg_type),
 tok2str(vqp_error_code_values, "unknown (%u)",vqp_common_header->error_code),
 vqp_common_header->error_code,
- EXTRACT_32BITS(&vqp_common_header->sequence),
+ EXTRACT_BE_U_4(&vqp_common_header->sequence),
 nitems,
 len));
 /* skip VQP Common header */
- tptr+=sizeof(const struct vqp_common_header_t);
- tlen-=sizeof(const struct vqp_common_header_t);
+ tptr+=sizeof(struct vqp_common_header_t);
+ tlen-=sizeof(struct vqp_common_header_t);
 while (nitems > 0 && tlen > 0) {
 vqp_obj_tlv = (const struct vqp_obj_tlv_t *)tptr;
- vqp_obj_type = EXTRACT_32BITS(vqp_obj_tlv->obj_type);
- vqp_obj_len = EXTRACT_16BITS(vqp_obj_tlv->obj_length);
+ ND_TCHECK(*vqp_obj_tlv);
+ if (sizeof(struct vqp_obj_tlv_t) > tlen)
+ goto trunc;
+ vqp_obj_type = EXTRACT_BE_U_4(vqp_obj_tlv->obj_type);
+ vqp_obj_len = EXTRACT_BE_U_2(vqp_obj_tlv->obj_length);
 tptr+=sizeof(struct vqp_obj_tlv_t);
 tlen-=sizeof(struct vqp_obj_tlv_t);
@@ -166,11 +171,15 @@ vqp_print(netdissect_options *ndo, register const u_char *pptr, register u_int l
 }
 /* did we capture enough for fully decoding the object ? */
- ND_TCHECK2(*tptr, vqp_obj_len);
+ ND_TCHECK_LEN(tptr, vqp_obj_len);
+ if (vqp_obj_len > tlen)
+ goto trunc;
 switch(vqp_obj_type) {
 case VQP_OBJ_IP_ADDRESS:
- ND_PRINT((ndo, "%s (0x%08x)", ipaddr_string(ndo, tptr), EXTRACT_32BITS(tptr)));
+ if (vqp_obj_len != 4)
+ goto trunc;
+ ND_PRINT((ndo, "%s (0x%08x)", ipaddr_string(ndo, tptr), EXTRACT_BE_U_4(tptr)));
 break;
 /* those objects have similar semantics - fall through */
 case VQP_OBJ_PORT_NAME:
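Review bot: The loop condition `while (nitems > 0 && tlen > 0)` ends the walk silently when the declared length is used up while `nitems` is still non-zero, so a header whose item count overstates the payload is printed as if it were complete. Now that each subtraction from `tlen` is guarded, this looks like the one remaining mismatch between `nitems` and `len` that goes unreported. Consider flagging it after the loop, e.g. `if (nitems > 0) ND_PRINT((ndo, " [item count exceeds length]"));`. The decrement of `nitems` and the end of the loop are outside the hunk, so confirm there that `nitems` is zero on a normal exit.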
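Review bot: `if (vqp_obj_len != 4)` in the VQP_OBJ_IP_ADDRESS case uses a bare literal, while the matching check for the MAC cases uses the named constant `MAC_ADDR_LEN`. A one-line comment above the check would make the intent plain, e.g. `/* an IPv4 address object must be exactly 4 octets; the print below reads 4 */`. The switch statement continues outside the hunk.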
@@ -182,6 +191,8 @@ vqp_print(netdissect_options *ndo, register const u_char *pptr, register u_int l
 /* those objects have similar semantics - fall through */
 case VQP_OBJ_MAC_ADDRESS:
 case VQP_OBJ_MAC_NULL:
+ if (vqp_obj_len != MAC_ADDR_LEN)
+ goto trunc;
 ND_PRINT((ndo, "%s", etheraddr_string(ndo, tptr)));
 break;
 default: