From: Guy Harris
Date: Fri, 15 Aug 2014 00:14:32 +0000 (-0700)
Subject: Check for TLV length too small.
X-Git-Tag: tcpdump-4.7.0-bp~46^2~9
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/5511e8f79f0ac96671bab23223397881eba8b806
Check for TLV length too small.
The TLV length includes the T and the L, so it must be at least 4. This means we don't need the "avoid infinite loop" check later; that check was wrong, as per GitHub issue #401 and #402; this fixes #402, which has a different patch for that bug.
---
diff --git a/print-cdp.c b/print-cdp.c
index 116f0fa5..42ea1b7f 100644
--- a/print-cdp.c
+++ b/print-cdp.c
@@ -106,6 +106,19 @@ cdp_print(netdissect_options *ndo,
 ND_TCHECK2(*tptr, 4); /* read out Type and Length */
 type = EXTRACT_16BITS(tptr);
 len = EXTRACT_16BITS(tptr+2); /* object length includes the 4 bytes header length */
+ if (len < 4) {
+ if (ndo->ndo_vflag)
+ ND_PRINT((ndo, "\n\t%s (0x%02x), length: %u byte%s (too short)",
+ tok2str(cdp_tlv_values,"unknown field type", type),
+ type,
+ len,
+ PLURAL_SUFFIX(len))); /* plural */
+ else
+ ND_PRINT((ndo, ", %s TLV length %u too short",
+ tok2str(cdp_tlv_values,"unknown field type", type),
+ len));
+ break;
+ }
 tptr += 4;
 len -= 4;
@@ -214,9 +227,6 @@ cdp_print(netdissect_options *ndo,
 break;
 }
 }
- /* avoid infinite loop */
- if (len == 0)
- break;
 tptr = tptr+len;
 }
 if (ndo->ndo_vflag < 1)
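Review bot: The added `if (len < 4)` guard bounds the TLV length only from below; nothing in the visible lines compares `len` with the bytes actually left in the captured packet before the per-type handlers run or before `tptr = tptr+len` at the end of the loop body (second hunk). If the lines between the two hunks do not already do it, an `ND_TCHECK2(*tptr, len);` right after `len -= 4;` would reject a TLV whose declared length runs past the capture. The guard also deserves a comment now that the "avoid infinite loop" remark is removed, for example `/* length covers the 4-byte T+L header; a smaller value would take len below zero at len -= 4 */`. cdp_print's body starts before the first hunk and continues past the second, so the loop condition and the declaration of `len` are not visible here.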