Pass the captured packet length in addition to the real packet length

to etherip_print() and do all the bounds checking with it. Also add
bounds checks to ether_print(). This fixes even more crashes.

ok canacar@

1 files changed, 4 insertions, 3 deletions

diff --git a/usr.sbin/tcpdump/print-ip.c b/usr.sbin/tcpdump/print-ip.c
index f0d9d4f40c4..685959f11de 100644
--- a/usr.sbin/tcpdump/print-ip.c
+++ b/usr.sbin/tcpdump/print-ip.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: print-ip.c,v 1.31 2006/05/29 20:41:41 moritz Exp $	*/
+/*	$OpenBSD: print-ip.c,v 1.32 2006/06/01 17:18:39 moritz Exp $	*/
 
 /*
  * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -23,7 +23,7 @@
 
 #ifndef lint
 static const char rcsid[] =
-    "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-ip.c,v 1.31 2006/05/29 20:41:41 moritz Exp $ (LBL)";
+    "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-ip.c,v 1.32 2006/06/01 17:18:39 moritz Exp $ (LBL)";
 #endif
 
 #include <sys/param.h>
@@ -542,7 +542,8 @@ ip_print(register const u_char *bp, register u_int length)
 #define IPPROTO_ETHERIP	97
 #endif
 		case IPPROTO_ETHERIP:
-			etherip_print(cp, len, (const u_char *)ip);
+			etherip_print(cp, snapend - cp, len,
+			    (const u_char *)ip);
 			break;
 
 #ifndef	IPPROTO_IPCOMP