X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/bbedebc666a341d8e14922dce37a92766400c798..beec87b5164e97349d50cb93c02dc7f05dfa3a03:/print-mobility.c

diff --git a/print-mobility.c b/print-mobility.c
index 9dfb6eb2..b6fa61e9 100644
--- a/print-mobility.c
+++ b/print-mobility.c
@@ -42,14 +42,14 @@
 
 /* Mobility header */
 struct ip6_mobility {
-	u_int8_t ip6m_pproto;	/* following payload protocol (for PG) */
-	u_int8_t ip6m_len;	/* length in units of 8 octets */
-	u_int8_t ip6m_type;	/* message type */
-	u_int8_t reserved;	/* reserved */
-	u_int16_t ip6m_cksum;	/* sum of IPv6 pseudo-header and MH */
+	uint8_t ip6m_pproto;	/* following payload protocol (for PG) */
+	uint8_t ip6m_len;	/* length in units of 8 octets */
+	uint8_t ip6m_type;	/* message type */
+	uint8_t reserved;	/* reserved */
+	uint16_t ip6m_cksum;	/* sum of IPv6 pseudo-header and MH */
 	union {
-		u_int16_t	ip6m_un_data16[1]; /* type-specific field */
-		u_int8_t	ip6m_un_data8[2];  /* type-specific fiedl */
+		uint16_t	ip6m_un_data16[1]; /* type-specific field */
+		uint8_t		ip6m_un_data8[2];  /* type-specific field */
 	} ip6m_dataun;
 };
 
@@ -69,6 +69,18 @@ struct ip6_mobility {
 #define IP6M_BINDING_UPDATE	5	/* Binding Update */
 #define IP6M_BINDING_ACK	6	/* Binding Acknowledgement */
 #define IP6M_BINDING_ERROR	7	/* Binding Error */
+#define IP6M_MAX		7
+
+static const unsigned ip6m_hdrlen[IP6M_MAX + 1] = {
+	IP6M_MINLEN,      /* IP6M_BINDING_REQUEST  */
+	IP6M_MINLEN + 8,  /* IP6M_HOME_TEST_INIT   */
+	IP6M_MINLEN + 8,  /* IP6M_CAREOF_TEST_INIT */
+	IP6M_MINLEN + 16, /* IP6M_HOME_TEST        */
+	IP6M_MINLEN + 16, /* IP6M_CAREOF_TEST      */
+	IP6M_MINLEN + 4,  /* IP6M_BINDING_UPDATE   */
+	IP6M_MINLEN + 4,  /* IP6M_BINDING_ACK      */
+	IP6M_MINLEN + 16, /* IP6M_BINDING_ERROR    */
+};
 
 /* XXX: unused */
 #define IP6MOPT_BU_MINLEN	10
@@ -95,16 +107,20 @@ mobility_opt_print(netdissect_options *ndo,
 	unsigned i, optlen;
 
 	for (i = 0; i < len; i += optlen) {
+		ND_TCHECK(bp[i]);
 		if (bp[i] == IP6MOPT_PAD1)
 			optlen = 1;
 		else {
-			if (i + 1 < len)
+			if (i + 1 < len) {
+				ND_TCHECK(bp[i + 1]);
 				optlen = bp[i + 1] + 2;
+			}
 			else
 				goto trunc;
 		}
 		if (i + optlen > len)
 			goto trunc;
+		ND_TCHECK(bp[i + optlen]);
 
 		switch (bp[i]) {
 		case IP6MOPT_PAD1:
@@ -174,7 +190,7 @@ mobility_print(netdissect_options *ndo,
 	const struct ip6_mobility *mh;
 	const u_char *ep;
 	unsigned mhlen, hlen;
-	u_int8_t type;
+	uint8_t type;
 
 	mh = (struct ip6_mobility *)bp;
 
@@ -203,6 +219,10 @@ mobility_print(netdissect_options *ndo,
 
 	ND_TCHECK(mh->ip6m_type);
 	type = mh->ip6m_type;
+	if (type <= IP6M_MAX && mhlen < ip6m_hdrlen[type]) {
+		ND_PRINT((ndo, "(header length %u is too small for type %u)", mhlen, type));
+		goto trunc;
+	}
 	switch (type) {
 	case IP6M_BINDING_REQUEST:
 		ND_PRINT((ndo, "mobility: BRR"));