IPX: Add a length check

This fix an undefined behavior at runtime.

The error was:
print-ipx.c:93:43: runtime error: unsigned integer overflow: 29 - 30
cannot be represented in type 'unsigned int'

Add a test case.

diff --git a/print-ipx.c b/print-ipx.c
index 674dd4578848b551c1283119ae20f7492855a598..c724e87f862b5b8fa393c0322f69fbb360c8ba9e 100644 (file)
--- a/print-ipx.c
+++ b/print-ipx.c
@@ -90,6 +90,11 @@ ipx_print(netdissect_options *ndo, const u_char *p, u_int length)
        ND_TCHECK_2(ipx->length);
        length = EXTRACT_BE_U_2(ipx->length);
 
+       if (length < ipxSize) {
+               ND_PRINT("[length %u < %u]", length, ipxSize);
+               nd_print_invalid(ndo);
+               return;
+       }
        ipx_decode(ndo, ipx, p + ipxSize, length - ipxSize);
        return;
 trunc:

diff --git a/tests/TESTLIST b/tests/TESTLIST
index 00fbe4473370005c816b7652d56c2d2bef333379..b666a0efa913bdfa4c6cef930c23037f6f9b532e 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -93,6 +93,9 @@ e1000g                e1000g.pcap             e1000g.out
 # IPX/Netware packets
 ipx            ipx.pcap                ipx.out
 
+# IPX/Netware invalid
+ipx-invalid-length ipx-invalid-length.pcap ipx-invalid-length.out
+
 # IETF FORCES WG packets and printer
 forces01        forces1.pcap            forces1.out
 forces01vvv     forces1.pcap            forces1vvv.out  -v -v -v

diff --git a/tests/ipx-invalid-length.out b/tests/ipx-invalid-length.out
new file mode 100644 (file)
index 0000000..2904e8f
--- /dev/null
+++ b/tests/ipx-invalid-length.out
@@ -0,0 +1 @@
+    1  16:41:40.226660 IPX 0a8808aa.00:00:00:00:00:01.0451 > 8dc23c00.18:00:3e:2b:68:56.402b: [length 29 < 30] (invalid)

diff --git a/tests/ipx-invalid-length.pcap b/tests/ipx-invalid-length.pcap
new file mode 100644 (file)
index 0000000..c65e47a
Binary files /dev/null and b/tests/ipx-invalid-length.pcap differ