authorJeremie Courreges-Anglas <jca@cvs.openbsd.org>2020-10-26 23:19:19 +0000
committerJeremie Courreges-Anglas <jca@cvs.openbsd.org>2020-10-26 23:19:19 +0000
commit06066e071bb3a2ea493b0c3b43fc68c9580631da (patch)
tree89769d023215ad5f63952970a4c7f0c451844a56
parenta483328bd79c87f28d71a25b795738756e81e7a1 (diff)
Fix parsing GTP packets with invalid extended headers.
In GTP a zero extended header length is invalid, deal with this instead of looping forever. Report and fix by Peter J. Philipp, tweaked by me, ok kn@
-rw-r--r--usr.sbin/tcpdump/print-gtp.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/usr.sbin/tcpdump/print-gtp.c b/usr.sbin/tcpdump/print-gtp.c
index c1c295d02cb..c21db86fe1e 100644
--- a/usr.sbin/tcpdump/print-gtp.c
+++ b/usr.sbin/tcpdump/print-gtp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: print-gtp.c,v 1.12 2020/05/20 01:20:37 dlg Exp $ */
+/* $OpenBSD: print-gtp.c,v 1.13 2020/10/26 23:19:18 jca Exp $ */
/*
* Copyright (c) 2009, 2010 Joel Sing <jsing@openbsd.org>
*
@@ -927,6 +927,11 @@ gtp_v1_print(const u_char *cp, u_int length, u_short sport, u_short dport)
/* Header length is a 4 octet multiplier. */
hlen = (int)p[0] * 4;
+ if (hlen == 0) {
+ printf(" [Invalid zero-length header %u]",
+ nexthdr);
+ goto trunc;
+ }
TCHECK2(p[0], hlen);
switch (nexthdr) {
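Review bot: The length octet is still read by `hlen = (int)p[0] * 4;` before any bounds check on `p` appears in this hunk, since `TCHECK2(p[0], hlen)` only runs afterwards. Unless an earlier check outside the hunk already covers that byte, a capture that ends exactly at the extension header would be read one byte past the snapshot; adding `TCHECK(p[0]);` ahead of the `hlen` assignment would close that. Separately, the new zero-length branch leaves through `goto trunc`, so an invalid header is presumably reported the same way as a truncated one; a short comment such as `/* invalid, not truncated: bail out to avoid looping on a zero advance */` would make the intent clear. The body of gtp_v1_print starts and ends outside this hunk, so the `trunc` label and any earlier checks are not visible here.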