Fix handling of Jumbo option when it's a destination option.

Pass null pointers to ip6_opt_process() when processing destination
options, and have ip6_opt_process() check for a null pointer-to-payload-
length when processing a Jumbo option and, if the pointer is null,
report it as not being a hop-by-hop option.

This fixes an uninitialized-data fetch.

diff --git a/print-ip6opts.c b/print-ip6opts.c
index 3ac8addc510d3451177a447bb4e01bb3e2c362c9..3f91b64a675af092f2e27beaea25dfe048363e3c 100644 (file)
--- a/print-ip6opts.c
+++ b/print-ip6opts.c
@@ -150,12 +150,19 @@ ip6_opt_process(netdissect_options *ndo, const u_char *bp, int len,
                    ND_PRINT("(jumbo: %u - already seen) ", jumbolen);
            } else {
                found_jumbo = 1;
-               if (*payload_len != 0) {
+               if (payload_len == NULL) {
+                   /* Not a hop-by-hop option - not valid */
+                   if (ndo->ndo_vflag)
+                       ND_PRINT("(jumbo: %u - not a hop-by-hop option) ", jumbolen);
+               } else if (*payload_len != 0) {
                    /* Payload length was non-zero - not valid */
                    if (ndo->ndo_vflag)
                        ND_PRINT("(jumbo: %u - payload len != 0) ", jumbolen);
                } else {
-                   /* Payload length was zero in the IPv6 header */
+                   /*
+                    * This is a hop-by-hop option, and Payload length
+                    * was zero in the IPv6 header.
+                    */
                    if (jumbolen < 65536) {
                        /* Too short */
                        if (ndo->ndo_vflag)
@@ -235,8 +242,6 @@ dstopt_process(netdissect_options *ndo, const u_char *bp)
 {
     const struct ip6_dest *dp = (const struct ip6_dest *)bp;
     u_int dstoptlen = 0;
-    int found_jumbo;
-    uint32_t jumbolen;
 
     ndo->ndo_protocol = "dstopt";
     ND_TCHECK_1(dp->ip6d_len);
@@ -245,12 +250,12 @@ dstopt_process(netdissect_options *ndo, const u_char *bp)
     ND_PRINT("DSTOPT ");
     if (ndo->ndo_vflag) {
        /*
-        * The Jumbo Payload option is a hop-by-hop option; we print,
-        * but don't honor, Jumbo Payload destination options.
+        * The Jumbo Payload option is a hop-by-hop option; we don't
+        * honor Jumbo Payload destination options, reporting them
+        * as invalid.
         */
        if (ip6_opt_process(ndo, (const u_char *)dp + sizeof(*dp),
-                           dstoptlen - sizeof(*dp), &found_jumbo,
-                           &jumbolen) == -1)
+                           dstoptlen - sizeof(*dp), NULL, NULL) == -1)
            goto trunc;
     }