Fix length checking.

Check both the captured length and the on-the-wire length (the latter
*should* be greater than or equal to the former, but that's not
guaranteed).

Add some additional length checks, so neither caplen nor length
underflow.

If we stop dissecting because the packet is too short, return 1, not 0,
as we've "dissected" what we can; 0 means "this is LLC+SNAP with an OUI
of 0 and an unknown Ethertype".

diff --git a/print-llc.c b/print-llc.c
index e78378d05b5afb5db7531cde88175b953ff6e7eb..e8a3314c5c79b9c305c06736fefc72b4a88b383e 100644 (file)
--- a/print-llc.c
+++ b/print-llc.c
@@ -151,10 +151,10 @@ llc_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen,
 
        *extracted_ethertype = 0;
 
-       if (caplen < 3) {
+       if (caplen < 3 || length < 3) {
                ND_PRINT((ndo, "[|llc]"));
                ND_DEFAULTPRINT((u_char *)p, caplen);
-               return(0);
+               return (1);
        }
 
        dsap_field = *p;
@@ -177,10 +177,10 @@ llc_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen,
                 * The control field in I and S frames is
                 * 2 bytes...
                 */
-               if (caplen < 4) {
+               if (caplen < 4 || length < 4) {
                        ND_PRINT((ndo, "[|llc]"));
                        ND_DEFAULTPRINT((u_char *)p, caplen);
-                       return(0);
+                       return (1);
                }
 
                /*
@@ -240,6 +240,11 @@ llc_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen,
 
        if (ssap == LLCSAP_IP && dsap == LLCSAP_IP &&
            control == LLC_UI) {
+               if (caplen < 4 || length < 4) {
+                       ND_PRINT((ndo, "[|llc]"));
+                       ND_DEFAULTPRINT((u_char *)p, caplen);
+                       return (1);
+               }
                ip_print(ndo, p+4, length-4);
                return (1);
        }
@@ -368,6 +373,8 @@ snap_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen,
        register int ret;
 
        ND_TCHECK2(*p, 5);
+       if (caplen < 5 || length < 5)
+               goto trunc;
        orgcode = EXTRACT_24BITS(p);
        et = EXTRACT_16BITS(p + 3);