Before subtracting a value from a prefix length, make sure the prefix

length is >= the value.  (In theory, if that check isn't done, the
prefix length will overflow, and, as it's unsigned, that'd make it very
large, and rejected by the other sanity check - but it's cleaner to
check explicitly.)

In decode_rt_routing_info(), fix the checks for the prefix length -
according to draft-marques-ppvpn-rt-constrain-01, the default route
target has a 0-length prefix, and all others have a length between 32
and 96.

diff --git a/print-bgp.c b/print-bgp.c
index 67650bfebb31d1b9c68160b3c778f6b494ba97ef..d7e0d713c48216fd638b80f9a990b1b5f3053a89 100644 (file)
--- a/print-bgp.c
+++ b/print-bgp.c
@@ -36,7 +36,7 @@
 
 #ifndef lint
 static const char rcsid[] _U_ =
-     "@(#) $Header: /tcpdump/master/tcpdump/print-bgp.c,v 1.97 2005-06-03 07:28:24 hannes Exp $";
+     "@(#) $Header: /tcpdump/master/tcpdump/print-bgp.c,v 1.98 2005-10-16 18:14:55 guy Exp $";
 #endif
 
 #include <tcpdump-stdinc.h>
@@ -491,6 +491,9 @@ decode_labeled_prefix4(const u_char *pptr, char *buf, u_int buflen)
            stacked labels in a a single BGP message
         */
 
+       if (24 > plen)
+               return -1;
+
         plen-=24; /* adjust prefixlen - labellength */
 
        if (32 < plen)
@@ -565,9 +568,15 @@ decode_rt_routing_info(const u_char *pptr, char *buf, u_int buflen)
        TCHECK(pptr[0]);
        plen = pptr[0];   /* get prefix length */
 
+       if (0 == plen)
+               return 1; /* default route target */
+
+       if (32 > plen)
+               return -1;
+
         plen-=32; /* adjust prefix length */
 
-       if (0 < plen)
+       if (64 < plen)
                return -1;
 
        memset(&route_target, 0, sizeof(route_target));
@@ -596,6 +605,9 @@ decode_labeled_vpn_prefix4(const u_char *pptr, char *buf, u_int buflen)
        TCHECK(pptr[0]);
        plen = pptr[0];   /* get prefix length */
 
+       if ((24+64) > plen)
+               return -1;
+
         plen-=(24+64); /* adjust prefixlen - labellength - RD len*/
 
        if (32 < plen)
@@ -710,6 +722,10 @@ decode_labeled_prefix6(const u_char *pptr, char *buf, u_int buflen)
 
        TCHECK(pptr[0]);
        plen = pptr[0]; /* get prefix length */
+
+       if (24 > plen)
+               return -1;
+
         plen-=24; /* adjust prefixlen - labellength */
 
        if (128 < plen)
@@ -744,6 +760,9 @@ decode_labeled_vpn_prefix6(const u_char *pptr, char *buf, u_int buflen)
        TCHECK(pptr[0]);
        plen = pptr[0];   /* get prefix length */
 
+       if ((24+64) > plen)
+               return -1;
+
         plen-=(24+64); /* adjust prefixlen - labellength - RD len*/
 
        if (128 < plen)
@@ -809,6 +828,9 @@ decode_labeled_vpn_clnp_prefix(const u_char *pptr, char *buf, u_int buflen)
        TCHECK(pptr[0]);
        plen = pptr[0];   /* get prefix length */
 
+       if ((24+64) > plen)
+               return -1;
+
         plen-=(24+64); /* adjust prefixlen - labellength - RD len*/
 
        if (152 < plen)