Add some length checks for byte-escaped PPP.
authorGuy Harris <[email protected]>
Thu, 16 Jan 2014 21:09:40 +0000 (13:09 -0800)
committerGuy Harris <[email protected]>
Thu, 16 Jan 2014 21:09:40 +0000 (13:09 -0800)
Thanks and a tip of the Hatlo hat to the Clang Static Analyzer for
catching these.

print-ppp.c

index c19fcf74987634acca66dab23d1323d00bf37bab..5142e07b0c52c524bcd3c1e5981b631be5761e2a 100644 (file)
@@ -1288,32 +1288,39 @@ ppp_hdlc(const u_char *p, int length)
 
        se = snapend;
        snapend = t;
+       length = t - b;
 
         /* now lets guess about the payload codepoint format */
+        if (length < 1)
+                goto trunc;
         proto = *b; /* start with a one-octet codepoint guess */
 
         switch (proto) {
         case PPP_IP:
-               ip_print(gndo, b+1, t - b - 1);
+               ip_print(gndo, b+1, length - 1);
                goto cleanup;
 #ifdef INET6
         case PPP_IPV6:
-               ip6_print(gndo, b+1, t - b - 1);
+               ip6_print(gndo, b+1, length - 1);
                goto cleanup;
 #endif
         default: /* no luck - try next guess */
                break;
         }
 
+        if (length < 2)
+                goto trunc;
         proto = EXTRACT_16BITS(b); /* next guess - load two octets */
 
         switch (proto) {
         case (PPP_ADDRESS << 8 | PPP_CONTROL): /* looks like a PPP frame */
+            if (length < 4)
+                goto trunc;
             proto = EXTRACT_16BITS(b+2); /* load the PPP proto-id */
-            handle_ppp(proto, b+4, t - b - 4);
+            handle_ppp(proto, b+4, length - 4);
             break;
         default: /* last guess - proto must be a PPP proto-id */
-            handle_ppp(proto, b+2, t - b - 2);
+            handle_ppp(proto, b+2, length - 2);
             break;
         }
 
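Review bot: The new `length = t - b;` at the top of the hunk silently repurposes the `int length` parameter (per the `ppp_hdlc(const u_char *p, int length)` hunk header) from the escaped on-the-wire byte count to the size of the un-escaped copy in `b`, and narrows a `ptrdiff_t` into `int` without a word of explanation, even though every later expression (`length - 1`, `length - 2`, `length - 4`) depends on that new meaning. A one-line comment would make the switch explicit: `length = t - b;	/* size of the un-escaped data now in b, not the wire length */`. The narrowing is presumably safe because the un-escaped copy cannot exceed the input `b` was sized from, but the allocation and the un-escape loop, like the start of ppp_hdlc, are outside this hunk and should be confirmed. The added checks themselves look complete: the `*b` read and each `EXTRACT_16BITS` is now preceded by a test for exactly the number of bytes it consumes.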
@@ -1321,6 +1328,12 @@ cleanup:
         snapend = se;
        free(b);
         return;
+
+trunc:
+        snapend = se;
+       free(b);
+       printf("[|ppp]");
+       return;
 }
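Review bot: The new `trunc:` epilogue duplicates the `snapend = se; free(b); return;` sequence that `cleanup:` already performs a few lines above it, so any future change to the teardown (another resource to release, a different restore order) has to be mirrored in two places. The usual tcpdump shape avoids that by printing and falling through: place `trunc:` with `printf("[|ppp]");` and a `/* FALLTHROUGH */` comment immediately before `cleanup:` and drop the three duplicated lines. Behaviour is unchanged, since on both paths the truncation marker is printed, `snapend` is restored and `b` is freed. The `cleanup:` label is visible only in the hunk header, so the exact placement should be checked against the full function.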