X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/c1c3c77463d592cc576eaa491e604752044ca55a..0f328b4aa16b0b47f05a85c440ce1d07719e3cac:/print-vqp.c
diff --git a/print-vqp.c b/print-vqp.c
index 8305d5d2..e931025c 100644
--- a/print-vqp.c
+++ b/print-vqp.c
@@ -12,20 +12,21 @@
 * LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE.
 *
- * support for the Cisco prop. VQP Protocol
- *
 * Original code by Carles Kishimoto
 */
+/* \summary: Cisco VLAN Query Protocol (VQP) printer */
+
 #ifdef HAVE_CONFIG_H
 #include "config.h"
 #endif
-#include
+#include
 #include "netdissect.h"
 #include "extract.h"
 #include "addrtoname.h"
+#include "ether.h"
 #define VQP_VERSION 1
 #define VQP_EXTRACT_VERSION(x) ((x)&0xFF)
@@ -105,13 +106,15 @@ vqp_print(netdissect_options *ndo, register const u_char *pptr, register u_int l
 const u_char *tptr;
 uint16_t vqp_obj_len;
 uint32_t vqp_obj_type;
- int tlen;
+ u_int tlen;
 uint8_t nitems;
 tptr=pptr;
 tlen = len;
 vqp_common_header = (const struct vqp_common_header_t *)pptr;
 ND_TCHECK(*vqp_common_header);
+ if (sizeof(struct vqp_common_header_t) > tlen)
+ goto trunc;
 /*
 * Sanity checking of the header.
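Review bot: With `tlen` changed to `u_int` in the `-105,13` hunk, a subtraction that would have gone negative now wraps to a very large value, and the loop test `tlen > 0` visible in the `-140,19` hunk can no longer catch it. The added `sizeof(struct vqp_common_header_t) > tlen` check is therefore what keeps the later `tlen-=sizeof(struct vqp_common_header_t)` safe, and nothing in the code says so. A short comment above the check would record the dependency, for example `/* tlen is unsigned: reject a short packet before any subtraction from it */`. The same comment applies to the TLV-header check in the `-140,19` hunk and the `vqp_obj_len > tlen` check in the `-167,10` hunk. The body of vqp_print starts and ends outside this hunk.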
@@ -140,19 +143,22 @@ vqp_print(netdissect_options *ndo, register const u_char *pptr, register u_int l
 tok2str(vqp_msg_type_values, "unknown (%u)",vqp_common_header->msg_type),
 tok2str(vqp_error_code_values, "unknown (%u)",vqp_common_header->error_code),
 vqp_common_header->error_code,
- EXTRACT_32BITS(&vqp_common_header->sequence),
+ EXTRACT_BE_U_4(&vqp_common_header->sequence),
 nitems,
 len));
 /* skip VQP Common header */
- tptr+=sizeof(const struct vqp_common_header_t);
- tlen-=sizeof(const struct vqp_common_header_t);
+ tptr+=sizeof(struct vqp_common_header_t);
+ tlen-=sizeof(struct vqp_common_header_t);
 while (nitems > 0 && tlen > 0) {
 vqp_obj_tlv = (const struct vqp_obj_tlv_t *)tptr;
- vqp_obj_type = EXTRACT_32BITS(vqp_obj_tlv->obj_type);
- vqp_obj_len = EXTRACT_16BITS(vqp_obj_tlv->obj_length);
+ ND_TCHECK(*vqp_obj_tlv);
+ if (sizeof(struct vqp_obj_tlv_t) > tlen)
+ goto trunc;
+ vqp_obj_type = EXTRACT_BE_U_4(vqp_obj_tlv->obj_type);
+ vqp_obj_len = EXTRACT_BE_U_2(vqp_obj_tlv->obj_length);
 tptr+=sizeof(struct vqp_obj_tlv_t);
 tlen-=sizeof(struct vqp_obj_tlv_t);
@@ -167,10 +173,14 @@ vqp_print(netdissect_options *ndo, register const u_char *pptr, register u_int l
 /* did we capture enough for fully decoding the object ? */
 ND_TCHECK2(*tptr, vqp_obj_len);
+ if (vqp_obj_len > tlen)
+ goto trunc;
 switch(vqp_obj_type) {
 case VQP_OBJ_IP_ADDRESS:
- ND_PRINT((ndo, "%s (0x%08x)", ipaddr_string(ndo, tptr), EXTRACT_32BITS(tptr)));
+ if (vqp_obj_len != 4)
+ goto trunc;
+ ND_PRINT((ndo, "%s (0x%08x)", ipaddr_string(ndo, tptr), EXTRACT_BE_U_4(tptr)));
 break;
 /* those objects have similar semantics - fall through */
 case VQP_OBJ_PORT_NAME:
@@ -182,6 +192,8 @@ vqp_print(netdissect_options *ndo, register const u_char *pptr, register u_int l
 /* those objects have similar semantics - fall through */
 case VQP_OBJ_MAC_ADDRESS:
 case VQP_OBJ_MAC_NULL:
+ if (vqp_obj_len != ETHER_ADDR_LEN)
+ goto trunc;
 ND_PRINT((ndo, "%s", etheraddr_string(ndo, tptr)));
 break;
 default:
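Review bot: In the `-167,10` hunk, `if (vqp_obj_len != 4) goto trunc;` sends an IP address object with the wrong declared length down the same exit as a short capture. The `trunc:` label is outside the hunk, so its output is inferred, but a malformed object in a fully captured packet would presumably be reported as truncated. Someone triaging traffic reads those two cases differently, so a separate exit that prints an invalid-length marker would keep them apart. The literal `4` would also read better as a named constant or `sizeof(uint32_t)`, in line with the `ETHER_ADDR_LEN` used by the MAC-address check in the `-182,6` hunk, which has the same labelling issue. The switch statement continues outside both hunks.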