From: guy
Date: Thu, 5 May 2005 23:08:59 +0000 (+0000)
Subject: Add more bounds checks, and check for bogus chunk lengths (too short).
X-Git-Tag: tcpdump-3.9.1~66
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/b12e2b9fd7aec547ad01e3ed6ad4428925f3705d
Add more bounds checks, and check for bogus chunk lengths (too short).
---
diff --git a/print-sctp.c b/print-sctp.c
index 7091a916..e924b83b 100644
--- a/print-sctp.c
+++ b/print-sctp.c
@@ -35,7 +35,7 @@
 #ifndef lint
 static const char rcsid[] _U_ =
-"@(#) $Header: /tcpdump/master/tcpdump/print-sctp.c,v 1.16.2.1 2005-04-13 08:37:08 guy Exp $ (NETLAB/PEL)";
+"@(#) $Header: /tcpdump/master/tcpdump/print-sctp.c,v 1.16.2.2 2005-05-05 23:08:59 guy Exp $ (NETLAB/PEL)";
 #endif
 #ifdef HAVE_CONFIG_H
@@ -68,7 +68,6 @@ void sctp_print(const u_char *bp, /* beginning of sctp packet */
 #ifdef INET6
 const struct ip6_hdr *ip6;
 #endif
- const u_char *cp;
 const void *endPacketPtr;
 u_short sourcePort, destPort;
 int chunkCount;
@@ -88,12 +87,7 @@ void sctp_print(const u_char *bp, /* beginning of sctp packet */
 else
 ip6 = NULL;
 #endif /*INET6*/
- cp = (const u_char *)(sctpPktHdr + 1);
- if (cp > snapend)
- {
- printf("[|sctp]");
- return;
- }
+ TCHECK(*sctpPktHdr);
 if (sctpPacketLength < sizeof(struct sctpHeader))
 {
@@ -141,12 +135,21 @@ void sctp_print(const u_char *bp, /* beginning of sctp packet */
 chunkDescPtr = (const struct sctpChunkDesc *) nextChunk, chunkCount++)
 {
- u_short align;
+ u_int16_t chunkLength;
 const u_char *chunkEnd;
+ u_int16_t align;
- chunkEnd = ((const u_char*)chunkDescPtr + EXTRACT_16BITS(&chunkDescPtr->chunkLength));
+ TCHECK(*chunkDescPtr);
+ chunkLength = EXTRACT_16BITS(&chunkDescPtr->chunkLength);
+ if (chunkLength < sizeof(*chunkDescPtr)) {
+ printf("%s%d) [Bad chunk length %u]", sep, chunkCount+1, chunkLength);
+ break;
+ }
- align=EXTRACT_16BITS(&chunkDescPtr->chunkLength) % 4;
+ TCHECK2(*(((u_int8_t *)chunkDescPtr) + chunkLength), chunkLength);
+ chunkEnd = ((const u_char*)chunkDescPtr + chunkLength);
+
+ align=chunkLength % 4;
 if (align != 0)
 align = 4 - align;
@@ -347,4 +350,9 @@ void sctp_print(const u_char *bp, /* beginning of sctp packet */
 if (vflag < 2)
 sep = ", (";
 }
+ return;
+
+trunc:
+ printf("[|sctp]");
+ return;
 }
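Review bot: The bounds check on the new `TCHECK2(*(((u_int8_t *)chunkDescPtr) + chunkLength), chunkLength);` line is anchored at the wrong address: TCHECK2(var, l) verifies that l bytes starting at &var lie within the captured data, and &var here is already chunkDescPtr + chunkLength, so the macro tests the chunkLength bytes that follow the chunk rather than the chunk itself. The capture buffer is still protected (the test is stricter than needed), but the printer will report `[|sctp]` for a perfectly valid final chunk that ends within chunkLength bytes of snapend, including one that ends exactly at the end of the capture. The intended line is `TCHECK2(*chunkDescPtr, chunkLength);`, which also drops the cast that strips const from chunkDescPtr. The for loop and the per-chunk-type printing that reads up to chunkEnd continue past the end of this hunk.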