Report a too-long unreachable destination list.

Running out of packet length before running out of unreachable
destinations is an error; report it as such.

Don't worry about leftover data past the end of the list of unreachable
destinations.

diff --git a/print-aodv.c b/print-aodv.c
index 9b3523a532b971783522070bff39c14b390336ea..ef27eee6bc2d57f31cfd76073f06e3adc75a28fd 100644 (file)
--- a/print-aodv.c
+++ b/print-aodv.c
@@ -277,14 +277,15 @@ aodv_rerr(netdissect_options *ndo, const u_char *dat, u_int length)
            ap->rerr_dc, length));
        dp = (struct rerr_unreach *)(dat + sizeof(*ap));
        i = length - sizeof(*ap);
            ap->rerr_dc, length));
        dp = (struct rerr_unreach *)(dat + sizeof(*ap));
        i = length - sizeof(*ap);

-       for (dc = ap->rerr_dc; dc != 0 && i >= sizeof(*dp);
-           ++dp, --dc, i -= sizeof(*dp)) {
+       for (dc = ap->rerr_dc; dc != 0; dc--) {

                ND_TCHECK(*dp);
                ND_TCHECK(*dp);

+               if (i < sizeof(*dp))
+                       goto trunc;

                ND_PRINT((ndo, " {%s}(%ld)", ipaddr_string(ndo, &dp->u_da),
                    (unsigned long)EXTRACT_32BITS(&dp->u_ds)));
                ND_PRINT((ndo, " {%s}(%ld)", ipaddr_string(ndo, &dp->u_da),
                    (unsigned long)EXTRACT_32BITS(&dp->u_ds)));

+               dp++;
+               i -= sizeof(*dp);

        }
        }

-       if ((i % sizeof(*dp)) != 0)
-               goto trunc;

        return;
 
 trunc:
        return;
 
 trunc:


@@ -386,14 +387,15 @@ aodv_v6_rerr(netdissect_options *ndo, const u_char *dat _U_, u_int length)
            ap->rerr_dc, length));
        dp6 = (struct rerr_unreach6 *)(void *)(ap + 1);
        i = length - sizeof(*ap);
            ap->rerr_dc, length));
        dp6 = (struct rerr_unreach6 *)(void *)(ap + 1);
        i = length - sizeof(*ap);

-       for (dc = ap->rerr_dc; dc != 0 && i >= sizeof(*dp6);
-           ++dp6, --dc, i -= sizeof(*dp6)) {
+       for (dc = ap->rerr_dc; dc != 0; dc--) {

                ND_TCHECK(*dp6);
                ND_TCHECK(*dp6);

+               if (i < sizeof(*dp6))
+                       goto trunc;

                ND_PRINT((ndo, " {%s}(%ld)", ip6addr_string(ndo, &dp6->u_da),
                    (unsigned long)EXTRACT_32BITS(&dp6->u_ds)));
                ND_PRINT((ndo, " {%s}(%ld)", ip6addr_string(ndo, &dp6->u_da),
                    (unsigned long)EXTRACT_32BITS(&dp6->u_ds)));

+               dp6++;
+               i -= sizeof(*dp6);

        }
        }

-       if ((i % sizeof(*dp6)) != 0)
-               goto trunc;

        return;
 
 trunc:
        return;
 
 trunc:


@@ -498,14 +500,15 @@ aodv_v6_draft_01_rerr(netdissect_options *ndo, const u_char *dat _U_, u_int leng
            ap->rerr_dc, length));
        dp6 = (struct rerr_unreach6_draft_01 *)(void *)(ap + 1);
        i = length - sizeof(*ap);
            ap->rerr_dc, length));
        dp6 = (struct rerr_unreach6_draft_01 *)(void *)(ap + 1);
        i = length - sizeof(*ap);

-       for (dc = ap->rerr_dc; dc != 0 && i >= sizeof(*dp6);
-           ++dp6, --dc, i -= sizeof(*dp6)) {
+       for (dc = ap->rerr_dc; dc != 0; dc--) {

                ND_TCHECK(*dp6);
                ND_TCHECK(*dp6);

+               if (i < sizeof(*dp6))
+                       goto trunc;

                ND_PRINT((ndo, " {%s}(%ld)", ip6addr_string(ndo, &dp6->u_da),
                    (unsigned long)EXTRACT_32BITS(&dp6->u_ds)));
                ND_PRINT((ndo, " {%s}(%ld)", ip6addr_string(ndo, &dp6->u_da),
                    (unsigned long)EXTRACT_32BITS(&dp6->u_ds)));

+               dp6++;
+               i -= sizeof(*dp6);

        }
        }

-       if ((i % sizeof(*dp6)) != 0)
-               goto trunc;

        return;
 
 trunc:
        return;
 
 trunc: