From Markus Schoepflin: don't use "struct in6_addr" if INET6 isn't
authorguy <guy>
Sun, 16 Oct 2005 08:17:51 +0000 (08:17 +0000)
committerguy <guy>
Sun, 16 Oct 2005 08:17:51 +0000 (08:17 +0000)
defined, because, in that case, "struct in6_addr" probably isn't
defined, either.

Check for too-large bit lengths in TLVs.

CREDITS
print-isoclns.c

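--- a/CREDITS
+++ b/CREDITS
@@ -84,6 +84,7 @@ Additional people who have contributed patches:
        Marc A. Lehmann                 <[email protected]>
        Mark Ellzey Thomas              <[email protected]>
        Marko Kiiskila                  <[email protected]>
+       Markus Schöpflin                <[email protected]>
        Marshall Rose                   <[email protected]>
        Martin Husemann                 <[email protected]>
        Michael Madore                  <[email protected]>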
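--- a/print-isoclns.c
+++ b/print-isoclns.c
@@ -26,7 +26,7 @@
 
 #ifndef lint
 static const char rcsid[] _U_ =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-isoclns.c,v 1.152 2005-09-20 10:04:26 hannes Exp $ (LBL)";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-isoclns.c,v 1.153 2005-10-16 08:17:52 guy Exp $ (LBL)";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -1616,7 +1616,11 @@ static int
 isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi) {
 
     char ident_buffer[20];
+#ifdef INET6
     u_int8_t prefix[sizeof(struct in6_addr)]; /* shared copy buffer for IPv4 and IPv6 prefixes */
+#else
+    u_int8_t prefix[sizeof(struct in_addr)]; /* shared copy buffer for IPv4 prefixes */
+#endif
     u_int metric, status_byte, bit_length, byte_length, sublen, processed, subtlvtype, subtlvlen;
 
     if (!TTEST2(*tptr, 4))
@@ -1630,6 +1634,12 @@ isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi
             return (0);
         status_byte=*(tptr++);
         bit_length = status_byte&0x3f;
+        if (bit_length > 32) {
+            printf("%sIPv4 prefix: bad bit length %u",
+                   ident,
+                   bit_length);
+            return (0);
+        }
         processed++;
 #ifdef INET6
     } else if (afi == IPV6) {
@@ -1637,6 +1647,12 @@ isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi
             return (0);
         status_byte=*(tptr++);
         bit_length=*(tptr++);
+        if (bit_length > 128) {
+            printf("%sIPv6 prefix: bad bit length %u",
+                   ident,
+                   bit_length);
+            return (0);
+        }
         processed+=2;
 #endif
     } else
@@ -1646,7 +1662,11 @@ isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi
    
     if (!TTEST2(*tptr, byte_length))
         return (0);
+#ifdef INET6
     memset(prefix, 0, sizeof(struct in6_addr));              /* clear the copy buffer */
+#else
+    memset(prefix, 0, sizeof(struct in_addr));               /* clear the copy buffer */
+#endif
     memcpy(prefix,tptr,byte_length);    /* copy as much as is stored in the TLV */
     tptr+=byte_length;
     processed+=byte_length;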
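Review bot: In the last hunk the size of `prefix` is restated under a second `#ifdef INET6` for the `memset`, and the `memcpy(prefix,tptr,byte_length)` that follows has no bound of its own; it is safe only because of the `bit_length > 32` and `bit_length > 128` checks added in the earlier hunks. Writing the clear as `memset(prefix, 0, sizeof(prefix));` removes the duplicated conditional and keeps it tied to the declaration, and a guard such as `if (byte_length > sizeof(prefix)) return (0);` just before the copy would keep the overflow check next to the write it protects. The assignment of `byte_length` is outside the visible hunks, so this assumes it is derived from `bit_length`; the body of `isis_print_extd_ip_reach` also continues past the end of this hunk.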