NULL/LOOP: Add a bounds check

author Francois-Xavier Le Bail <[email protected]>

Mon, 12 Feb 2018 10:34:28 +0000 (11:34 +0100)

committer Francois-Xavier Le Bail <[email protected]>

Mon, 12 Feb 2018 10:37:50 +0000 (11:37 +0100)
author Francois-Xavier Le Bail <[email protected]>
Mon, 12 Feb 2018 10:34:28 +0000 (11:34 +0100)
committer Francois-Xavier Le Bail <[email protected]>
Mon, 12 Feb 2018 10:37:50 +0000 (11:37 +0100)
diff --git a/print-null.c b/print-null.c

index 874521e24aca006c9fc776815f28c25259394b1d..f1067ff5ca1d673560b0a7aad96b0026f786e125 100644 (file)
--- a/print-null.c
+++ b/print-null.c
@@ -30,8 +30,11 @@
  #include <string.h>
  
  #include "netdissect.h"
+#include "extract.h"
  #include "af.h"
  
+static const char tstr[] = " [|null]";
+
  /*
   * The DLT_NULL packet header is 4 bytes long. It contains a host-byte-order
   * 32-bit integer that specifies the family, e.g. AF_INET.
@@ -77,13 +80,12 @@ null_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h, const u_char
  {
         u_int length = h->len;
         u_int caplen = h->caplen;
-       u_int family;
+       uint32_t family;
  
-       if (caplen < NULL_HDRLEN) {
-               ND_PRINT("[|null]");
-               return (NULL_HDRLEN);
-       }
+       if (caplen < NULL_HDRLEN)
+               goto trunc;
  
+       ND_TCHECK_4(p);
         memcpy((char *)&family, (const char *)p, sizeof(family));
  
         /*
@@ -136,6 +138,9 @@ null_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h, const u_char
                         ND_DEFAULTPRINT(p, caplen);
         }
  
+       return (NULL_HDRLEN);
+trunc:
+       ND_PRINT("%s", tstr);
         return (NULL_HDRLEN);
  }
author	Francois-Xavier Le Bail <[email protected]>
	Mon, 12 Feb 2018 10:34:28 +0000 (11:34 +0100)
committer	Francois-Xavier Le Bail <[email protected]>
	Mon, 12 Feb 2018 10:37:50 +0000 (11:37 +0100)