From: Guy Harris
Date: Fri, 24 Nov 2017 20:22:07 +0000 (-0800)
Subject: Fix lcpconfopts[] bounds check.
X-Git-Tag: tcpdump-4.99-bp~1710
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/c511f4c3be6273b25b0d1802eee2ede3d69b2398
Fix lcpconfopts[] bounds check.
The subscript is unsigned, so it's guaranteed to be >= 0. It should thus be checked against the size of the array, not against some other
---
diff --git a/print-ppp.c b/print-ppp.c
index 3ab4c96d..d17420f5 100644
--- a/print-ppp.c
+++ b/print-ppp.c
@@ -179,9 +179,6 @@ static const struct tok cpcodes[] = {
 #define LCPOPT_SDLOS 29
 #define LCPOPT_PPPMUX 30
-#define LCPOPT_MIN LCPOPT_VEXT
-#define LCPOPT_MAX LCPOPT_PPPMUX
-
 static const char *lcpconfopts[] = {
 "Vend-Ext", /* (0) */
 "MRU", /* (1) */
@@ -216,6 +213,8 @@ static const char *lcpconfopts[] = {
 "PPP-Muxing", /* (30) */
 };
+#define NUM_LCPOPTS (sizeof lcpconfopts / sizeof lcpconfopts[0])
+
 /* ECP - to be supported */
 /* CCP Config Options */
@@ -604,14 +603,14 @@ print_lcp_config_options(netdissect_options *ndo,
 if (length < len)
 return 0;
 if (len < 2) {
- if ((opt >= LCPOPT_MIN) && (opt <= LCPOPT_MAX))
+ if (opt < NUM_LCPOPTS)
 ND_PRINT((ndo, "\n\t %s Option (0x%02x), length %u (length bogus, should be >= 2)", lcpconfopts[opt], opt, len));
 else
 ND_PRINT((ndo, "\n\tunknown LCP option 0x%02x", opt));
 return 0;
 }
- if ((opt >= LCPOPT_MIN) && (opt <= LCPOPT_MAX))
+ if (opt < NUM_LCPOPTS)
 ND_PRINT((ndo, "\n\t %s Option (0x%02x), length %u", lcpconfopts[opt], opt, len));
 else {
 ND_PRINT((ndo, "\n\tunknown LCP option 0x%02x", opt));
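Review bot: `NUM_LCPOPTS` is added without a comment saying that it is the bound an option number taken from the packet must satisfy before it indexes `lcpconfopts[]`, and with `LCPOPT_MAX` removed nothing ties the table length to the `LCPOPT_*` constants any more. The new check keeps the index inside the array whatever its size, but if an entry were ever dropped or inserted out of order the printed option names would shift silently. I would add a comment such as `/* Entry count of lcpconfopts[]; a packet-supplied option number must be < this before indexing. */` and, where the supported compilers allow it, a compile-time check that `NUM_LCPOPTS == LCPOPT_PPPMUX + 1`. Most of the table lies outside the hunk, so whether every slot holds a non-NULL string for `%s` cannot be confirmed from here.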
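Review bot: The `opt < NUM_LCPOPTS` test and the `lcpconfopts[opt]` lookup are written out twice in this stretch of `print_lcp_config_options`, once inside the `len < 2` branch and once after it, so the bounds check and the array access it protects can drift apart in a later edit. Resolving the name once, for example `const char *name = (opt < NUM_LCPOPTS) ? lcpconfopts[opt] : NULL;`, and branching on `name` in both places keeps the guard and the access on a single line. The function starts and ends outside the hunk, so the declarations of `opt` and `len` are not visible; the commit message states the subscript is unsigned, which is what makes the single upper-bound comparison sufficient.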