In TTEST2(), check to make sure the "l" argument isn't so large that

"snapend - l" underflows; this fixes a buffer overflow with malformed
NFS packets, and may fix other buffer overflows with malformed packets.

diff --git a/interface.h b/interface.h
index 8242c958de20171a9b5b90b042d981323cd7db83..4e76a470b88e4f31425ae2ba976b6d6680b9859c 100644 (file)
--- a/interface.h
+++ b/interface.h
@@ -18,7 +18,7 @@
  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  *
- * @(#) $Header: /tcpdump/master/tcpdump/interface.h,v 1.184 2002-05-29 10:32:01 guy Exp $ (LBL)
+ * @(#) $Header: /tcpdump/master/tcpdump/interface.h,v 1.185 2002-05-31 09:29:07 guy Exp $ (LBL)
  */
 
 #ifndef tcpdump_interface_h
@@ -133,8 +133,16 @@ extern int snaplen;
 extern const u_char *packetp;
 extern const u_char *snapend;
 
-/* True if  "l" bytes of "var" were captured */
-#define TTEST2(var, l) ((const u_char *)&(var) <= snapend - (l))
+/*
+ * True if  "l" bytes of "var" were captured.
+ *
+ * The "snapend - (l) <= snapend" checks to make sure "l" isn't so large
+ * that "snapend - (l)" underflows.
+ *
+ * The check is for <= rather than < because "l" might be 0.
+ */
+#define TTEST2(var, l) (snapend - (l) <= snapend && \
+                       (const u_char *)&(var) <= snapend - (l))
 
 /* True if "var" was captured */
 #define TTEST(var) TTEST2(var, sizeof(var))