From: Denis Ovsienko Date: Fri, 15 Sep 2017 15:32:17 +0000 (+0100) Subject: (for 4.9.3) FRF.16: Add a missing length check. X-Git-Tag: tcpdump-4.9.3~86 X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/e5ae1fd2c5d86277e76ec901ed5f311df731caff (for 4.9.3) FRF.16: Add a missing length check. At the beginning of mfr_print() check the declared length too, not just the size of the input buffer. This should make further length-based decoding more correct. Found by code inspection hence there is no test case at this time. --- diff --git a/print-fr.c b/print-fr.c index 53f37f68..8a1a53a4 100644 --- a/print-fr.c +++ b/print-fr.c @@ -457,6 +457,10 @@ mfr_print(netdissect_options *ndo, */ ND_TCHECK2(*p, 4); /* minimum frame header length */ + if (length < 4) { + ND_PRINT((ndo, "Message too short (%u bytes)", length)); + return length; + } if ((p[0] & MFR_BEC_MASK) == MFR_CTRL_FRAME && p[1] == 0) { ND_PRINT((ndo, "FRF.16 Control, Flags [%s], %s, length %u",
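Review bot: The new `if (length < 4)` test is placed after `ND_TCHECK2(*p, 4)`, so when a frame is both declared shorter than 4 bytes and captured shorter than 4 bytes the truncation path wins and the new "Message too short (%u bytes)" diagnostic is never printed; consider putting the declared-length check before the ND_TCHECK2, since both branches return before p[0] and p[1] are read and the order only changes which message the user sees. The commit message also notes that no test case exists because the bug was found by inspection; now that the branch emits a fixed string, a hand-crafted capture containing an FRF.16 frame with a declared length under 4 bytes would let the test suite cover the new early return (and confirm that `return length;` here matches what the rest of mfr_print returns on error).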