author | Guy Harris <gharris@sonic.net> | 2023-04-25 13:37:56 -0700 |
---|---|---|
committer | Guy Harris <gharris@sonic.net> | 2023-04-25 13:37:56 -0700 |
commit | f305b205c5678bfc675ba7f9578343f6ab204899 (patch) | |
tree | 8bea828346c37bd797ce56c3fa6f0d5b97403e64 /print-nhrp.c | |
parent | 5c13f551fa9b08396f4b385c6b16447f718a518b (diff) | |
download | tcpdump-f305b205c5678bfc675ba7f9578343f6ab204899.tar.gz |
nhrp: fix infinite loop on malformed packets.
If a CIE doesn't fit in the remainder of the mandatory part, return the
length of that remainder, so that the loop processing the CIE
terminates.
Add capture that produced the infinite loop.
Diffstat (limited to 'print-nhrp.c')
-rw-r--r-- | print-nhrp.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/print-nhrp.c b/print-nhrp.c index 800d5c53..6947a7ca 100644 --- a/print-nhrp.c +++ b/print-nhrp.c @@ -480,5 +480,15 @@ nhrp_print_cie(netdissect_options *ndo, const u_char *data, uint16_t mand_part_l invalid: nd_print_invalid(ndo); + + /* + * We get here because this CIE goes past thE remaining length, + * of the mandatory part. We've reported that error; we now + * assignt he insufficnetly-large remaining piece of the + * mandatory part to this CIE, so that this CIE finishes up + * the mandatory part, and the loop processing the CIEs + * terminates. There cannot be any CIEs after this one. + */ + cie_len += mand_part_len; return (cie_len); } |
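Review bot: In the block added after `nd_print_invalid(ndo);` under the `invalid:` label, the comment says the remaining piece of the mandatory part is assigned to this CIE, and the commit message says the function returns the length of that remainder, but the statement is `cie_len += mand_part_len;`, an addition rather than an assignment. The return value then matches the remainder the caller's loop expects only if `cie_len` plus `mand_part_len` adds up to that remainder on every path that jumps to `invalid:`, and these lines do not show that. Either state that invariant in the comment or return a value computed directly from the remainder as it was on entry. The comment also opens with "We get here because this CIE goes past the remaining length", so it is worth confirming that no other kind of error reaches `invalid:`. Finally, the comment text needs its typos fixed ("thE", "assignt he", "insufficnetly-large") and the stray comma after "remaining length" dropped.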