From: Francois-Xavier Le Bail Date: Mon, 28 Oct 2019 09:04:12 +0000 (+0100) Subject: FRF.16: Add a length check before the bounds check X-Git-Tag: tcpdump-4.99-bp~626 X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/4900c023e319374a523dc365acf1285f3ff3036f FRF.16: Add a length check before the bounds check At the beginning of mfr_print() check the declared length. Updated from e5ae1fd2c5d86277e76ec901ed5f311df731caff in 4.9 branch.
---
diff --git a/print-fr.c b/print-fr.c
index a7ea98a1..59d39417 100644
--- a/print-fr.c
+++ b/print-fr.c
@@ -458,7 +458,13 @@ mfr_print(netdissect_options *ndo,
 */
 ndo->ndo_protocol = "mfr";
- ND_TCHECK_4(p); /* minimum frame header length */
+
+ if (length < 4) { /* minimum frame header length */
+ ND_PRINT("[length %u < 4]", length);
+ nd_print_invalid(ndo);
+ return length;
+ }
+ ND_TCHECK_4(p);
 if ((GET_U_1(p) & MFR_BEC_MASK) == MFR_CTRL_FRAME && GET_U_1(p + 1) == 0) {
 ND_PRINT("FRF.16 Control, Flags [%s], %s, length %u",
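Review bot: The new `if (length < 4)` guard and the `ND_TCHECK_4(p)` that follows it test two different quantities, and nothing in the hunk says so: `length` is the length declared for the frame, while `ND_TCHECK_4` covers the bytes that were actually captured. A short comment above the guard would keep a later cleanup from folding the two checks into one, for example `/* length is the declared frame length; ND_TCHECK_4() below covers the captured bytes */`. The literal 4 now appears in the condition, in the message string and in the `ND_TCHECK_4` macro name, so a named constant for the minimum header length would keep the three in step. mfr_print's body starts before and continues after the hunk, so whether later arithmetic on `length` depends on this minimum cannot be confirmed from the lines shown.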