(for 4.9.3) FRF.16: Add a missing length check.

At the beginning of mfr_print() check the declared length too, not just
the size of the input buffer. This should make further length-based
decoding more correct.

Found by code inspection hence there is no test case at this time.

diff --git a/print-fr.c b/print-fr.c
index 53f37f683602026071e8e4e3c31b49c9d4bc101f..8a1a53a4914b5db927fde07ea17e78e401938cf7 100644 (file)
--- a/print-fr.c
+++ b/print-fr.c
@@ -457,6 +457,10 @@ mfr_print(netdissect_options *ndo,
  */
 
     ND_TCHECK2(*p, 4); /* minimum frame header length */
+    if (length < 4) {
+        ND_PRINT((ndo, "Message too short (%u bytes)", length));
+        return length;
+    }
 
     if ((p[0] & MFR_BEC_MASK) == MFR_CTRL_FRAME && p[1] == 0) {
         ND_PRINT((ndo, "FRF.16 Control, Flags [%s], %s, length %u",