Do bounds checking when unescaping PPP.
authorGuy Harris <[email protected]>
Wed, 22 Oct 2014 19:31:21 +0000 (12:31 -0700)
committerGuy Harris <[email protected]>
Wed, 22 Oct 2014 19:31:21 +0000 (12:31 -0700)
Clean up a const issue while we're at it.

print-ppp.c

index 8e098f05a953e3230bfa97f726ed2cc144db9c79..9a983e6179cd282a61b33880cdf650db02c2dc2a 100644 (file)
@@ -1351,14 +1351,15 @@ static void
 ppp_hdlc(netdissect_options *ndo,
          const u_char *p, int length)
 {
-       u_char *b, *s, *t, c;
+       u_char *b, *t, c;
+       const u_char *s;
        int i, proto;
        const void *se;
 
         if (length <= 0)
                 return;
 
-       b = (uint8_t *)malloc(length);
+       b = (u_char *)malloc(length);
        if (b == NULL)
                return;
 
@@ -1367,14 +1368,13 @@ ppp_hdlc(netdissect_options *ndo,
         * Do this so that we dont overwrite the original packet
         * contents.
         */
-       for (s = (u_char *)p, t = b, i = length; i > 0; i--) {
+       for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) {
                c = *s++;
                if (c == 0x7d) {
-                       if (i > 1) {
-                               i--;
-                               c = *s++ ^ 0x20;
-                       } else
-                               continue;
+                       if (i <= 1 || !ND_TTEST(*s))
+                               break;
+                       i--;
+                       c = *s++ ^ 0x20;
                }
                *t++ = c;
        }
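Review bot: Both new exits for running out of captured data, the `ND_TTEST(*s)` term in the `for` condition and the `break` after `0x7d`, leave the loop exactly as a fully copied frame does, so nothing in this hunk records that the unescaped buffer is short. The function continues outside the hunk; if the code after the loop takes the payload length from `t - b`, a snapped packet would be dissected as if it were complete, with no truncation marker in the output. Consider recording the condition in a local flag, e.g. `truncated = 1;` just before the `break`, and reporting it once decoding finishes. A comment above the loop such as `/* Stop at the end of the captured data; b then holds only t - b unescaped bytes. */` would make the invariant explicit. The `break` also fires for a lone trailing `0x7d` (`i <= 1`), which is a malformed frame rather than a short capture, so the two cases may deserve separate handling.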