From: guy Date: Fri, 31 May 2002 09:29:07 +0000 (+0000) Subject: In TTEST2(), check to make sure the "l" argument isn't so large that X-Git-Tag: tcpdump-3.8-bp~474 X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/7ebe728746039bbbd813b20880b4cb40c4d0807a In TTEST2(), check to make sure the "l" argument isn't so large that "snapend - l" underflows; this fixes a buffer overflow with malformed NFS packets, and may fix other buffer overflows with malformed packets.
---
diff --git a/interface.h b/interface.h
index 8242c958..4e76a470 100644
--- a/interface.h
+++ b/interface.h
@@ -18,7 +18,7 @@
 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * @(#) $Header: /tcpdump/master/tcpdump/interface.h,v 1.184 2002-05-29 10:32:01 guy Exp $ (LBL)
+ * @(#) $Header: /tcpdump/master/tcpdump/interface.h,v 1.185 2002-05-31 09:29:07 guy Exp $ (LBL)
 */
 
 #ifndef tcpdump_interface_h
@@ -133,8 +133,16 @@ extern int snaplen;
 extern const u_char *packetp;
 extern const u_char *snapend;
 
-/* True if "l" bytes of "var" were captured */
-#define TTEST2(var, l) ((const u_char *)&(var) <= snapend - (l))
+/*
+ * True if "l" bytes of "var" were captured.
+ *
+ * The "snapend - (l) <= snapend" checks to make sure "l" isn't so large
+ * that "snapend - (l)" underflows.
+ *
+ * The check is for <= rather than < because "l" might be 0.
+ */
+#define TTEST2(var, l) (snapend - (l) <= snapend && \
+ (const u_char *)&(var) <= snapend - (l))
 
 /* True if "var" was captured */
 #define TTEST(var) TTEST2(var, sizeof(var))
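Review bot: The new guard `snapend - (l) <= snapend` in the second hunk relies on the subtraction wrapping when `l` exceeds the captured buffer, but computing a pointer outside that buffer is undefined behaviour in C, so an optimizing compiler may assume it never happens and fold the comparison to true, silently removing the check this commit adds. Doing the arithmetic on integers makes the wraparound well-defined: `#define TTEST2(var, l) ((uintptr_t)snapend - (l) <= (uintptr_t)snapend && \` followed by `(uintptr_t)&(var) <= (uintptr_t)snapend - (l))`; `unsigned long` is the usual stand-in on platforms lacking `uintptr_t`. A negative signed `l` appears to be rejected by the same comparison, since the result then lands past `snapend`, which would be worth one sentence in the new block comment alongside the "l might be 0" remark.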