MACsec: Update the snapend thus the ICV field is not payload for the caller

The ICV (Integrity Check Value) is at the end of the frame, after the
secure data.

(cherry picked from commits ff01ae8e5126f4d30eb582add8d64dbe2228cc5f
 and 490e000ac19326bd5119e7285a502c4b269b603c)

diff --git a/CHANGES b/CHANGES
index e010b12951d38927a2ae7354c017af1bfdb36b8b..d76897ae8236e7dd7c0c5a151e1457f32cd106e1 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,7 @@ Monthday, Month DD, YYYY by gharris
       Squelch some compiler warnings
       Rebuild configure script when building release
       ICMP: Update the snapend for some nested IP packets.
+      MACsec: Update the snapend thus the ICV field is not payload for the caller.
     Solaris:
       Fix a compile error with Sun C
 

diff --git a/print-macsec.c b/print-macsec.c
index 0cf8cd67385987a47d3de2e5cc821b55bb7a5767..8b298f0302f6f03868d40b2b078fc8bf506ffa30 100644 (file)
--- a/print-macsec.c
+++ b/print-macsec.c
@@ -217,6 +217,13 @@ int macsec_print(netdissect_options *ndo, const u_char **bp,
        }
        *lengthp -= MACSEC_DEFAULT_ICV_LEN;
        *caplenp -= MACSEC_DEFAULT_ICV_LEN;
+       /*
+        * Update the snapend thus the ICV field is not in the payload for
+        * the caller.
+        * The ICV (Integrity Check Value) is at the end of the frame, after
+        * the secure data.
+        */
+       ndo->ndo_snapend -= MACSEC_DEFAULT_ICV_LEN;
 
        /*
         * If the SL field is non-zero, then it's the length of the