diff options
author | Moritz Jodeit <moritz@cvs.openbsd.org> | 2006-06-01 17:18:40 +0000 |
---|---|---|
committer | Moritz Jodeit <moritz@cvs.openbsd.org> | 2006-06-01 17:18:40 +0000 |
commit | 20a0adaeca0f855aeec2f211238d2942d6b8b172 (patch) | |
tree | f533d45662d2fb2004263a1fc7f24a4216033a17 /usr.sbin/tcpdump/print-etherip.c | |
parent | 100d3e771f75cef554d5a7e06ce316d5caf90e9a (diff) |
Pass the captured packet length in addition to the real packet length
to etherip_print() and do all the bounds checking with it. Also add
bounds checks to ether_print(). This fixes even more crashes.
ok canacar@
Diffstat (limited to 'usr.sbin/tcpdump/print-etherip.c')
-rw-r--r-- | usr.sbin/tcpdump/print-etherip.c | 28 |
1 files changed, 19 insertions, 9 deletions
diff --git a/usr.sbin/tcpdump/print-etherip.c b/usr.sbin/tcpdump/print-etherip.c index 653dbf655bb..0c3faa1a108 100644 --- a/usr.sbin/tcpdump/print-etherip.c +++ b/usr.sbin/tcpdump/print-etherip.c @@ -1,4 +1,4 @@ -/* $OpenBSD: print-etherip.c,v 1.3 2006/05/29 18:05:22 moritz Exp $ */ +/* $OpenBSD: print-etherip.c,v 1.4 2006/06/01 17:18:39 moritz Exp $ */ /* * Copyright (c) 2001 Jason L. Wright (jason@thought.net) @@ -32,7 +32,7 @@ #ifndef lint static const char rcsid[] = - "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-etherip.c,v 1.3 2006/05/29 18:05:22 moritz Exp $"; + "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-etherip.c,v 1.4 2006/06/01 17:18:39 moritz Exp $"; #endif #include <sys/param.h> @@ -64,12 +64,12 @@ static const char rcsid[] = extern u_short extracted_ethertype; void -etherip_print(const u_char *bp, u_int len, const u_char *bp2) +etherip_print(const u_char *bp, u_int caplen, u_int len, const u_char *bp2) { const struct ip *ip = (const struct ip *)bp2; struct ether_header *eh; const u_char *pbuf = bp; - u_int plen = len, hlen; + u_int plen = caplen, hlen; u_int16_t etype; if (plen < sizeof(struct etherip_header)) { @@ -100,22 +100,32 @@ etherip_print(const u_char *bp, u_int len, const u_char *bp2) printf(": "); + if (plen < hlen) { + printf("[|etherip]"); + return; + } pbuf += hlen; plen -= hlen; + len -= hlen; if (eflag) - ether_print(pbuf, plen); + ether_print(pbuf, len); eh = (struct ether_header *)pbuf; + if (plen < sizeof(struct ether_header)) { + printf("[|ether]"); + return; + } etype = EXTRACT_16BITS(pbuf + offsetof(struct ether_header, ether_type)); pbuf += sizeof(struct ether_header); plen -= sizeof(struct ether_header); + len -= sizeof(struct ether_header); /* XXX LLC? */ extracted_ethertype = 0; if (etype <= ETHERMTU) { - if (llc_print(pbuf, plen, plen, ESRC(eh), EDST(eh)) == 0) { + if (llc_print(pbuf, len, plen, ESRC(eh), EDST(eh)) == 0) { if (!eflag) - ether_print((u_char *)eh, plen); + ether_print((u_char *)eh, len); if (extracted_ethertype) { printf("LLC %s", etherproto_string(htons(extracted_ethertype))); @@ -123,9 +133,9 @@ etherip_print(const u_char *bp, u_int len, const u_char *bp2) if (!xflag && !qflag) default_print(pbuf, plen); } - } else if (ether_encap_print(etype, pbuf, plen, plen) == 0) { + } else if (ether_encap_print(etype, pbuf, len, plen) == 0) { if (!eflag) - ether_print((u_char *)eh, plen + sizeof(*eh)); + ether_print((u_char *)eh, len + sizeof(*eh)); if (!xflag && !qflag) default_print(pbuf, plen); } |