From: Francois-Xavier Le Bail
Date: Thu, 26 Nov 2015 20:40:18 +0000 (+0100)
Subject: CVE-2016-7922/AH: Add a bounds check
X-Git-Tag: tcpdump-4.9.0-bp~61
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/3cb7e038251aae998d0581933b4f9df252106334
CVE-2016-7922/AH: Add a bounds check
Moreover: Fix a warning (unused variable 'ep').
---
diff --git a/print-ah.c b/print-ah.c
index a23abb49..bec6f88f 100644
--- a/print-ah.c
+++ b/print-ah.c
@@ -38,21 +38,18 @@ int ah_print(netdissect_options *ndo, register const u_char *bp) { register const struct ah *ah;
- register const u_char *ep;
 int sumlen;
- uint32_t spi;
 ah = (const struct ah *)bp;
- ep = ndo->ndo_snapend; /* 'ep' points to the end of available data. */
 ND_TCHECK(*ah); sumlen = ah->ah_len << 2;
- spi = EXTRACT_32BITS(&ah->ah_spi);
- ND_PRINT((ndo, "AH(spi=0x%08x", spi));
+ ND_PRINT((ndo, "AH(spi=0x%08x", EXTRACT_32BITS(&ah->ah_spi)));
 if (ndo->ndo_vflag) ND_PRINT((ndo, ",sumlen=%d", sumlen));
+ ND_TCHECK_32BITS(ah + 1);
 ND_PRINT((ndo, ",seq=0x%x", EXTRACT_32BITS(ah + 1))); if (!ND_TTEST2(*bp, sizeof(struct ah) + sumlen)) { ND_PRINT((ndo, "[truncated]):"));
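Review bot: `sumlen` is taken straight from the on-wire `ah_len` and is never compared with the 4 bytes that the sequence-number read at `ah + 1` consumes. The added `ND_TCHECK_32BITS(ah + 1)` keeps that read inside the captured buffer, so what remains is a misparse rather than an over-read: with an `ah_len` of 0 the seq line would print four bytes that the header's own length field does not cover (assuming the sequence number counts toward `ah_len`; `struct ah` is defined outside this hunk). A guard before the seq line such as `if (sumlen < 4) goto trunc;` would reject that case, `trunc` presumably being the label the ND_TCHECK macros jump to, which is also outside this hunk. The body of ah_print continues past the last hunk line.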