authorGuy Harris <gharris@sonic.net>2023-04-25 13:37:56 -0700
committerGuy Harris <gharris@sonic.net>2023-04-25 13:37:56 -0700
commitf305b205c5678bfc675ba7f9578343f6ab204899 (patch)
tree8bea828346c37bd797ce56c3fa6f0d5b97403e64 /print-nhrp.c
parent5c13f551fa9b08396f4b385c6b16447f718a518b (diff)
downloadtcpdump-f305b205c5678bfc675ba7f9578343f6ab204899.tar.gz
nhrp: fix infinite loop on malformed packets.
If a CIE doesn't fit in the remainder of the mandatory part, return the length of that remainder, so that the loop processing the CIE terminates. Add capture that produced the infinite loop.
Diffstat (limited to 'print-nhrp.c')
-rw-r--r--print-nhrp.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/print-nhrp.c b/print-nhrp.c
index 800d5c53..6947a7ca 100644
--- a/print-nhrp.c
+++ b/print-nhrp.c
@@ -480,5 +480,15 @@ nhrp_print_cie(netdissect_options *ndo, const u_char *data, uint16_t mand_part_l
invalid:
nd_print_invalid(ndo);
+
+ /*
+ * We get here because this CIE goes past thE remaining length,
+ * of the mandatory part. We've reported that error; we now
+ * assignt he insufficnetly-large remaining piece of the
+ * mandatory part to this CIE, so that this CIE finishes up
+ * the mandatory part, and the loop processing the CIEs
+ * terminates. There cannot be any CIEs after this one.
+ */
+ cie_len += mand_part_len;
return (cie_len);
}
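Review bot: The added `cie_len += mand_part_len;` before `return (cie_len);` only ends the caller's loop if every `goto invalid` path has kept `cie_len` (bytes consumed) and `mand_part_len` (bytes remaining) in step, and the hunk does not show that because the body of nhrp_print_cie starts outside it. The comment should state that invariant, for example `cie_len + mand_part_len is the length the caller passed in, so the caller's remaining length drops to zero`. If `cie_len` is a 16-bit type like `mand_part_len`, it is also worth confirming that the sum cannot wrap. The comment has typos to fix: `thE remaining length,` should read `the remaining length`, and `assignt he insufficnetly-large` should read `assign the insufficiently-large`. The caller is not part of this change, but a check there that stops on a zero return would presumably keep a later parsing bug from bringing the hang back on malformed input.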