CVE-2016-7922/AH: Add a bounds check
authorFrancois-Xavier Le Bail <[email protected]>
Thu, 26 Nov 2015 20:40:18 +0000 (21:40 +0100)
committerFrancois-Xavier Le Bail <[email protected]>
Wed, 18 Jan 2017 08:16:39 +0000 (09:16 +0100)
Moreover:
Fix a warning (unused variable 'ep').

print-ah.c

index a23abb493f93c5b0060761805d1929d19ca05761..bec6f88f67d05e454ecc8142a55e62017955a664 100644 (file)
@@ -38,21 +38,18 @@ int
 ah_print(netdissect_options *ndo, register const u_char *bp)
 {
        register const struct ah *ah;
-       register const u_char *ep;
        int sumlen;
-       uint32_t spi;
 
        ah = (const struct ah *)bp;
-       ep = ndo->ndo_snapend;          /* 'ep' points to the end of available data. */
 
        ND_TCHECK(*ah);
 
        sumlen = ah->ah_len << 2;
-       spi = EXTRACT_32BITS(&ah->ah_spi);
 
-       ND_PRINT((ndo, "AH(spi=0x%08x", spi));
+       ND_PRINT((ndo, "AH(spi=0x%08x", EXTRACT_32BITS(&ah->ah_spi)));
        if (ndo->ndo_vflag)
                ND_PRINT((ndo, ",sumlen=%d", sumlen));
+       ND_TCHECK_32BITS(ah + 1);
        ND_PRINT((ndo, ",seq=0x%x", EXTRACT_32BITS(ah + 1)));
        if (!ND_TTEST2(*bp, sizeof(struct ah) + sumlen)) {
                ND_PRINT((ndo, "[truncated]):"));
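Review bot: The sequence number at `ah + 1` is still printed without being checked against the length the header itself declares. The added `ND_TCHECK_32BITS(ah + 1)` keeps the read inside the captured data, but when `ah_len` is 0, `sumlen` is 0 and those four bytes lie beyond `sizeof(struct ah) + sumlen`, so the value shown as `seq` comes from whatever follows the AH header. Consider printing it only when the declared length covers it, e.g. `if (sumlen >= 4) { ND_TCHECK_32BITS(ah + 1); ND_PRINT((ndo, ",seq=0x%x", EXTRACT_32BITS(ah + 1))); }`, and marking the header as malformed otherwise. A short comment above the new check, such as `/* the sequence number follows struct ah and is not covered by ND_TCHECK(*ah) */`, would also record why a second bounds check is needed. The body of `ah_print` continues past the end of this hunk, so the handling of the truncated path is not visible here.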