From: guy
Date: Mon, 15 Dec 2003 10:40:13 +0000 (+0000)
Subject: From George Bakos: catch bogus payload lengths even if we have a routine
X-Git-Tag: tcpdump-3.9.1~528
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/25fee7d19a89045bcfe615707528d3cb80c664e7?hp=a2cb0114402e30a2735eb5c089ac5ba878c60c28
From George Bakos: catch bogus payload lengths even if we have a routine to process the payload type.
---
diff --git a/print-isakmp.c b/print-isakmp.c
index f1f53eeb..be0f550f 100644
--- a/print-isakmp.c
+++ b/print-isakmp.c
@@ -30,7 +30,7 @@
 #ifndef lint
 static const char rcsid[] _U_ =
- "@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.38 2003-11-16 09:36:25 guy Exp $ (LBL)";
+ "@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.39 2003-12-15 10:40:13 guy Exp $ (LBL)";
 #endif
 #ifdef HAVE_CONFIG_H
@@ -1076,20 +1076,25 @@ isakmp_sub0_print(u_char np, const struct isakmp_gen *ext, const u_char *ep,
 cp = (u_char *)ext;
 safememcpy(&e, ext, sizeof(e));
- if (NPFUNC(np))
+ /*
+ * Since we can't have a payload length of less than 4 bytes,
+ * we need to bail out here if the generic header is nonsensical
+ * or truncated, otherwise we could loop forever processing
+ * zero-length items or otherwise misdissect the packet.
+ */
+ item_len = ntohs(e.len);
+ if (item_len <= 4)
+ return NULL;
+
+ if (NPFUNC(np)) {
+ /*
+ * XXX - what if item_len is too short, or too long,
+ * for this payload type?
+ */
 cp = (*NPFUNC(np))(ext, ep, phase, doi, proto, depth);
- else {
+ } else {
 printf("%s", NPSTR(np));
- item_len = ntohs(e.len);
- if (item_len == 0) {
- /*
- * We don't want to loop forever processing this
- * bogus (zero-length) item; return NULL so that
- * we stop dissecting.
- */
- cp = NULL;
- } else
- cp += item_len;
+ cp += item_len;
 }
 return cp;