The sub-dissector expects that the length and captured length will
reflect the actual remaining data in the packet, not the raw amount
including the PKTAP header; pass an updated header, just as we do for
PPI.
This fixes a buffer over-read discovered by Yannick Formaggio.
Add a test using the capture file supplied by the reporter(s).
u_int length = h->len;
if_printer printer;
const pktap_header_t *hdr;
+ struct pcap_pkthdr nhdr;
if (caplen < sizeof(pktap_header_t) || length < sizeof(pktap_header_t)) {
ND_PRINT((ndo, "[|pktap]"));
case PKT_REC_PACKET:
if ((printer = lookup_printer(dlt)) != NULL) {
- hdrlen += printer(ndo, h, p);
+ nhdr = *h;
+ nhdr.caplen = caplen;
+ nhdr.len = length;
+ hdrlen += printer(ndo, &nhdr, p);
} else {
if (!ndo->ndo_eflag)
pktap_header_print(ndo, (const u_char *)hdr,
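Review bot: The reason for the `nhdr` copy at the `nhdr = *h;` line is not stated in the code, so a reader will not see why `h` itself cannot be handed to the sub-printer as the removed line did; add `/* Sub-dissectors trust h->caplen/h->len, so pass a copy whose lengths exclude the PKTAP header. */` above it. The fix is only as sound as the `caplen` and `length` values the new lines copy in, which are adjusted earlier in the function outside this hunk; the visible guard `if (caplen < sizeof(pktap_header_t) || length < sizeof(pktap_header_t))` covers the fixed-size header only, so it is worth confirming that the variable-length part of the PKTAP header is also subtracted and bounds-checked before `printer` is called. The enclosing function begins and ends outside the hunk.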
# bad packets from Yannick Formaggio
l2tp-avp-overflow l2tp-avp-overflow.pcap l2tp-avp-overflow.out -v
+pktap-heap-overflow pktap-heap-overflow.pcap pktap-heap-overflow.out -v
# RTP tests
# fuzzed pcap
--- /dev/null
+[|pktap]
+[|ppp]
+EXIT CODE 00000100