From: guy
Date: Wed, 24 Mar 2004 00:41:13 +0000 (+0000)
Subject: Add bounds checking.
X-Git-Tag: tcpdump-3.9.1~435
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/d3d90f29e50f07c62e58b30016bf169fc96e5b54

Add bounds checking.
---

diff --git a/print-cdp.c b/print-cdp.c
index b65d48eb..a0cdf2a3 100644
--- a/print-cdp.c
+++ b/print-cdp.c
@@ -26,7 +26,7 @@
 #ifndef lint
 static const char rcsid[] _U_ =
- "@(#) $Header: /tcpdump/master/tcpdump/print-cdp.c,v 1.22 2003-12-29 19:26:28 hannes Exp $";
+ "@(#) $Header: /tcpdump/master/tcpdump/print-cdp.c,v 1.23 2004-03-24 00:41:13 guy Exp $";
 #endif
 #ifdef HAVE_CONFIG_H
@@ -247,12 +247,14 @@ cdp_print_addr(const u_char * p, int l)
 p += 4;
 while (p < endp && num >= 0) {
+ TCHECK2(p, 2);
 if (p + 2 > endp)
 goto trunc;
 pt = p[0]; /* type of "protocol" field */
 pl = p[1]; /* length of "protocol" field */
 p += 2;
+ TCHECK2(p[pl], 2);
 if (p + pl + 2 > endp)
 goto trunc;
 al = EXTRACT_16BITS(&p[pl]); /* address length */
@@ -265,6 +267,7 @@ cdp_print_addr(const u_char * p, int l)
 */
 p += 3;
+ TCHECK2(*p, 4);
 if (p + 4 > endp)
 goto trunc;
 printf("IPv4 (%u) %s",
@@ -282,6 +285,7 @@ cdp_print_addr(const u_char * p, int l)
 * Ethertype, address length = 16
 */
 p += 10;
+ TCHECK2(*p, al);
 if (p + al > endp)
 goto trunc;
@@ -295,16 +299,19 @@ cdp_print_addr(const u_char * p, int l)
 /*
 * Generic case: just print raw data
 */
+ TCHECK2(*p, pl);
 if (p + pl > endp)
 goto trunc;
 printf("pt=0x%02x, pl=%d, pb=", *(p - 2), pl);
 while (pl-- > 0)
 printf(" %02x", *p++);
+ TCHECK2(*p, 2);
 if (p + 2 > endp)
 goto trunc;
 al = (*p << 8) + *(p + 1);
 printf(", al=%d, a=", al);
 p += 2;
+ TCHECK2(*p, al);
 if (p + al > endp)
 goto trunc;
 while (al-- > 0)
diff --git a/print-chdlc.c b/print-chdlc.c
index 324cbffd..ec5855a2 100644
--- a/print-chdlc.c
+++ b/print-chdlc.c
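Review bot: In print-cdp.c, the first cdp_print_addr hunk (@@ -247,12 +247,14) adds `TCHECK2(p, 2);`, which passes the pointer variable itself, while every other check this commit adds passes the pointed-to data (`*p`, `p[pl]`, `*slarp`). If TCHECK2 takes the address of its first argument, as those other calls imply, this line tests the address of the local `p` rather than the packet bytes. The reads of `p[0]` and `p[1]` that follow would then not be covered by the captured-length check. The line should read `TCHECK2(*p, 2);`. The body of cdp_print_addr starts and ends outside the hunk, so the macro definition and the `trunc` label are not visible here.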
@@ -21,7 +21,7 @@
 #ifndef lint
 static const char rcsid[] _U_ =
- "@(#) $Header: /tcpdump/master/tcpdump/print-chdlc.c,v 1.30 2003-11-16 09:36:16 guy Exp $ (LBL)";
+ "@(#) $Header: /tcpdump/master/tcpdump/print-chdlc.c,v 1.31 2004-03-24 00:45:39 guy Exp $ (LBL)";
 #endif
 #ifdef HAVE_CONFIG_H
@@ -140,12 +140,11 @@ chdlc_slarp_print(const u_char *cp, u_int length)
 {
 const struct cisco_slarp *slarp;
- if (length < SLARP_LEN) {
- printf("[|slarp]");
- return;
- }
+ if (length < SLARP_LEN)
+ goto trunc;
 slarp = (const struct cisco_slarp *)cp;
+ TCHECK(*slarp);
 printf("SLARP (length: %u), ",length);
 switch (EXTRACT_32BITS(&slarp->code)) {
 case SLARP_REQUEST:
@@ -178,4 +177,8 @@ chdlc_slarp_print(const u_char *cp, u_int length)
 printf(", (trailing junk: %d bytes)", length - SLARP_LEN);
 if (vflag > 1)
 print_unknown_data(cp+4,"\n\t",length-4);
+ return;
+
+trunc:
+ printf("[|slarp]");
 }
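Review bot: In the last chdlc_slarp_print hunk (@@ -178,4 +177,8), the retained `print_unknown_data(cp+4,"\n\t",length-4);` call is still sized by the on-wire `length`, while the new `TCHECK(*slarp)` only covers the fixed SLARP structure. When a frame carries trailing bytes and the capture was cut short, the dump can run past the captured data unless print_unknown_data clamps to the end of the capture itself, which is not visible here. A guard before the call, `TCHECK2(cp[4], length - 4);`, or clamping the dump length to the captured bytes, would close that gap. Separately, `length - SLARP_LEN` is unsigned but is printed with `%d` in the line above; `%u` would match its type. The middle of the function lies between the two hunks and is not shown.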