X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/d4c025123311850573425b317eca79b52a64ac0f..fc1f0e7e582c75239590da976b91d0568c6f9d57:/print-macsec.c

diff --git a/print-macsec.c b/print-macsec.c
index e5030588..a7bde0b9 100644
--- a/print-macsec.c
+++ b/print-macsec.c
@@ -110,6 +110,11 @@ int macsec_print(netdissect_options *ndo, const u_char **bp,
 		ndo->ndo_protocol = save_protocol;
 		return hdrlen + caplen;
 	}
+	if (length < MACSEC_SECTAG_LEN_NOSCI) {
+		nd_print_trunc(ndo);
+		ndo->ndo_protocol = save_protocol;
+		return hdrlen + caplen;
+	}
 
 	if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC) {
 		sectag_len = MACSEC_SECTAG_LEN_SCI;
@@ -118,6 +123,11 @@ int macsec_print(netdissect_options *ndo, const u_char **bp,
 			ndo->ndo_protocol = save_protocol;
 			return hdrlen + caplen;
 		}
+		if (length < MACSEC_SECTAG_LEN_SCI) {
+			nd_print_trunc(ndo);
+			ndo->ndo_protocol = save_protocol;
+			return hdrlen + caplen;
+		}
 	} else
 		sectag_len = MACSEC_SECTAG_LEN_NOSCI;
 
@@ -165,8 +175,10 @@ int macsec_print(netdissect_options *ndo, const u_char **bp,
 		 * ICV length from the lengths, so our caller
 		 * doesn't treat it as payload.
 		 */
-		*lengthp -= MACSEC_DEFAULT_ICV_LEN;
-		*caplenp -= MACSEC_DEFAULT_ICV_LEN;
+		if (*lengthp >= MACSEC_DEFAULT_ICV_LEN)
+			*lengthp -= MACSEC_DEFAULT_ICV_LEN;
+		if (*caplenp >= MACSEC_DEFAULT_ICV_LEN)
+			*caplenp -= MACSEC_DEFAULT_ICV_LEN;
 		ndo->ndo_protocol = save_protocol;
 		return -1;
 	}