Bounds-check the individual components of a SAP reply.

Make "fn_printzp()" return 0 if we don't run past the end of the packet
and we don't find any padding NULs.

diff --git a/print-ipx.c b/print-ipx.c
index 77fbcb6775284d6e44282a91e0d0855537555bcf..598b6e40c2c9bae2317b890a3c32a9f57d19d69b 100644 (file)
--- a/print-ipx.c
+++ b/print-ipx.c
@@ -24,7 +24,7 @@
 
 #ifndef lint
 static const char rcsid[] _U_ =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-ipx.c,v 1.40.2.1 2005-05-06 07:57:18 guy Exp $";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-ipx.c,v 1.40.2.2 2005-05-06 08:27:00 guy Exp $";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -159,12 +159,13 @@ ipx_sap_print(const u_short *ipx, u_int length)
            (void)printf("ipx-sap-nearest-resp");
 
        for (i = 0; i < 8 && length > 0; i++) {
-           TCHECK2(ipx[25], 10);
+           TCHECK(ipx[0]);
            (void)printf(" %s '", ipxsap_string(htons(EXTRACT_16BITS(&ipx[0]))));
            if (fn_printzp((u_char *)&ipx[1], 48, snapend)) {
                printf("'");
                goto trunc;
            }
+           TCHECK2(ipx[25], 10);
            printf("' addr %s",
                ipxaddr_string(EXTRACT_32BITS(&ipx[25]), (u_char *)&ipx[27]));
            ipx += 32;

diff --git a/util.c b/util.c
index f64430517523bfd951540c9e4b289e24be82a67c..2e6d72391a5b8b275decda0b7590165f3ab69fa8 100644 (file)
--- a/util.c
+++ b/util.c
@@ -21,7 +21,7 @@
 
 #ifndef lint
 static const char rcsid[] _U_ =
-    "@(#) $Header: /tcpdump/master/tcpdump/util.c,v 1.95.2.3 2005-05-06 07:57:20 guy Exp $ (LBL)";
+    "@(#) $Header: /tcpdump/master/tcpdump/util.c,v 1.95.2.4 2005-05-06 08:27:00 guy Exp $ (LBL)";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -135,7 +135,7 @@ fn_printzp(register const u_char *s, register u_int n,
                }
                putchar(c);
        }
-       return (n == 0) ? 0 : 1;
+       return (n == 0) ? 0 : ret;
 }
 
 /*