Check for a too-small NBP length before subtracting the header size

(from OpenBSD's "print-atalk.c").

diff --git a/print-atalk.c b/print-atalk.c
index 2d3fccdd959e4d3b9fc965196feb34b3822d550d..13848a11197aac5833233cd2acce449763b9b035 100644 (file)
--- a/print-atalk.c
+++ b/print-atalk.c
@@ -23,7 +23,7 @@
 
 #ifndef lint
 static const char rcsid[] =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-atalk.c,v 1.70 2001-11-15 08:23:12 itojun Exp $ (LBL)";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-atalk.c,v 1.71 2002-02-05 10:03:34 guy Exp $ (LBL)";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -112,6 +112,14 @@ llap_print(register const u_char *bp, u_int length)
        register const struct atShortDDP *sdp;
        u_short snet;
 
+       /*
+        * Our packet is on a 4-byte boundary, as we're either called
+        * directly from a top-level link-layer printer (ltalk_if_print)
+        * or from the UDP printer.  The LLAP+DDP header is a multiple
+        * of 4 bytes in length, so the DDP payload is also on a 4-byte
+        * boundary, and we don't need to align it before calling
+        * "ddp_print()".
+        */
        lp = (const struct LAP *)bp;
        bp += sizeof(*lp);
        length -= sizeof(*lp);
@@ -394,6 +402,11 @@ nbp_print(register const struct atNBP *np, u_int length, register u_short snet,
        int i;
        const u_char *ep;
 
+       if (length < nbpHeaderSize) {
+               (void)printf(" truncated-nbp %d", length);
+               return;
+       }
+
        length -= nbpHeaderSize;
        if (length < 8) {
                /* must be room for at least one tuple */