From: Guy Harris <guy@alum.mit.edu>
Date: Fri, 25 Mar 2016 19:49:37 +0000 (-0700)
Subject: Make sure the length of the header is valid.
X-Git-Tag: tcpdump-4.8.0~29
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/3d11d28ba07fffcbfd460cdb1fe95eded061e2f3

Make sure the length of the header is valid.

It must be at least 2, as it includes the lengths of the Base and
Service Path headers, and those are always present.
---

diff --git a/print-nsh.c b/print-nsh.c
index a5b464e9..1a27b713 100644
--- a/print-nsh.c
+++ b/print-nsh.c
@@ -97,12 +97,23 @@ nsh_print(netdissect_options *ndo, const u_char *bp, u_int len)
     ND_PRINT((ndo, "service-path-id 0x%06x, ", service_path_id));
     ND_PRINT((ndo, "service-index 0x%x", service_index));
 
-    /* print Context Headers */
+    /* Make sure we have all the headers */
     if (len < length * NSH_HDR_WORD_SIZE)
         goto trunc;
 
     ND_TCHECK2(*bp, length * NSH_HDR_WORD_SIZE);
 
+    /*
+     * length includes the lengths of the Base and Service Path headers.
+     * That means it must be at least 2.
+     */
+    if (length < 2)
+        goto trunc;
+
+    /*
+     * Print, or skip, the Context Headers.
+     * (length - 2) is the length of those headers.
+     */
     if (ndo->ndo_vflag > 2) {
         if (md_type == 0x01) {
             for (n = 0; n < length - 2; n++) {