Bounds-check the individual components of a SAP reply.

Make "fn_printzp()" return 0 if we don't run past the end of the packet
and we don't find any padding NULs.

diff --git a/print-ipx.c b/print-ipx.c
index d5803b9debd37451e79162d39e6be5e6f4aca11a..604561c608458d994180fd4930ca7353fc39b566 100644 (file)
--- a/print-ipx.c
+++ b/print-ipx.c
@@ -24,7 +24,7 @@
 
 #ifndef lint
 static const char rcsid[] _U_ =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-ipx.c,v 1.41 2005-05-06 07:56:52 guy Exp $";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-ipx.c,v 1.42 2005-05-06 08:26:44 guy Exp $";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -159,12 +159,13 @@ ipx_sap_print(const u_short *ipx, u_int length)
            (void)printf("ipx-sap-nearest-resp");
 
        for (i = 0; i < 8 && length > 0; i++) {
-           TCHECK2(ipx[25], 10);
+           TCHECK(ipx[0]);
            (void)printf(" %s '", ipxsap_string(htons(EXTRACT_16BITS(&ipx[0]))));
            if (fn_printzp((u_char *)&ipx[1], 48, snapend)) {
                printf("'");
                goto trunc;
            }
+           TCHECK2(ipx[25], 10);
            printf("' addr %s",
                ipxaddr_string(EXTRACT_32BITS(&ipx[25]), (u_char *)&ipx[27]));
            ipx += 32;

diff --git a/util.c b/util.c
index d4882d72cc9a7311389c721d359fc9244949c234..4e04b0a99ba156cea401f3bff0dc60c7f7a851ee 100644 (file)
--- a/util.c
+++ b/util.c
@@ -21,7 +21,7 @@
 
 #ifndef lint
 static const char rcsid[] _U_ =
-    "@(#) $Header: /tcpdump/master/tcpdump/util.c,v 1.98 2005-05-06 07:56:54 guy Exp $ (LBL)";
+    "@(#) $Header: /tcpdump/master/tcpdump/util.c,v 1.99 2005-05-06 08:26:45 guy Exp $ (LBL)";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -135,7 +135,7 @@ fn_printzp(register const u_char *s, register u_int n,
                }
                putchar(c);
        }
-       return (n == 0) ? 0 : 1;
+       return (n == 0) ? 0 : ret;
 }
 
 /*