Do bounds checking when unescaping PPP.
authorGuy Harris <[email protected]>
Wed, 22 Oct 2014 19:31:21 +0000 (12:31 -0700)
committerGuy Harris <[email protected]>
Wed, 19 Nov 2014 21:33:28 +0000 (13:33 -0800)
Clean up a const issue while we're at it.

print-ppp.c

index ea8e00b244f9194d1810dc92a08791ad0f513c75..c1eb45520cc8a20c58110c023a7ed80e6644175f 100644 (file)
@@ -1266,11 +1266,15 @@ trunc:
 static void
 ppp_hdlc(const u_char *p, int length)
 {
-       u_char *b, *s, *t, c;
+       u_char *b, *t, c;
+       const u_char *s;
        int i, proto;
        const void *se;
 
-       b = (u_int8_t *)malloc(length);
+        if (length <= 0)
+                return;
+
+       b = (u_char *)malloc(length);
        if (b == NULL)
                return;
 
@@ -1279,14 +1283,13 @@ ppp_hdlc(const u_char *p, int length)
         * Do this so that we dont overwrite the original packet
         * contents.
         */
-       for (s = (u_char *)p, t = b, i = length; i > 0; i--) {
+       for (s = p, t = b, i = length; i > 0 && TTEST(*s); i--) {
                c = *s++;
                if (c == 0x7d) {
-                       if (i > 1) {
-                               i--;
-                               c = *s++ ^ 0x20;
-                       } else
-                               continue;
+                       if (i <= 1 || !TTEST(*s))
+                               break;
+                       i--;
+                       c = *s++ ^ 0x20;
                }
                *t++ = c;
        }
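Review bot: The new `break` paths at `i > 0 && TTEST(*s)` and `if (i <= 1 || !TTEST(*s))` stop unescaping silently when the capture is shorter than `length`, so the remainder of ppp_hdlc — which is outside this hunk — presumably goes on to decode a buffer holding fewer bytes than `length` without any indication that the packet was truncated. It would be worth recording that condition (for example a local `truncated` flag set before each `break`) so the caller can print the usual truncation marker instead of reporting a partially decoded frame as complete; I cannot see from the hunk whether the code after the loop already does this. A short comment on the loop, such as `/* Stop at the end of the captured data; a trailing lone 0x7d is dropped. */`, would also make the bounds-check intent explicit for the next reader. The body of ppp_hdlc continues past the end of this hunk.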