From: Guy Harris <guy@alum.mit.edu>
Date: Fri, 24 Mar 2017 01:54:36 +0000 (-0700)
Subject: OSPFv3: More bounds checks.
X-Git-Tag: tcpdump-4.9.2~30
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/3a7efe868f8d7b0a01048382f2ab61d646556fde

OSPFv3: More bounds checks.
---

diff --git a/print-ospf6.c b/print-ospf6.c
index 381fdbbf..a5ac3051 100644
--- a/print-ospf6.c
+++ b/print-ospf6.c
@@ -648,6 +648,7 @@ ospf6_print_lsa(netdissect_options *ndo,
 		if (lsa_length < sizeof (llsap->llsa_lladdr) + sizeof (llsap->llsa_nprefix))
 			return (1);
 		lsa_length -= sizeof (llsap->llsa_lladdr) + sizeof (llsap->llsa_nprefix);
+                ND_TCHECK(llsap->llsa_nprefix);
                 prefixes = EXTRACT_32BITS(&llsap->llsa_nprefix);
 		ND_PRINT((ndo, "\n\t      Priority %d, Link-local address %s, Prefixes %d:",
                        llsap->llsa_priority,
@@ -934,10 +935,12 @@ ospf6_decode_v3_trailer(netdissect_options *ndo,
 
 	if (op->ospf6_type == OSPF_TYPE_HELLO) {
 		const struct hello6 *hellop = (const struct hello6 *)((const uint8_t *)op + OSPF6HDR_LEN);
+		ND_TCHECK(hellop->hello_options);
 		if (EXTRACT_32BITS(&hellop->hello_options) & OSPF6_OPTION_L)
 			lls_hello = 1;
 	} else if (op->ospf6_type == OSPF_TYPE_DD) {
 		const struct dd6 *ddp = (const struct dd6 *)((const uint8_t *)op + OSPF6HDR_LEN);
+		ND_TCHECK(ddp->db_options);
 		if (EXTRACT_32BITS(&ddp->db_options) & OSPF6_OPTION_L)
 			lls_dd = 1;
 	}