Have routines that set the snapend take a buffer pointer and length as args.

Have nd_push_buffer() take a snapshot length, not a snapshot end, as
its last argument.

Replace nd_push_snapend() and nd_change_snapend() with nd_push_snaplen()
and nd_change_snaplen(), both of which take a pointer into the packet
buffer and snapshot length relative to that pointer as arguments.  Have
those routines check the snapshot length to make sure it's not bigger
than the number of bytes in the packet past the pointer, and silently
ignore the requst if it is.

Using a length rather than a pointer avoids the possibility of the
calculation of the snapshot end overflowing and resulting in a snapshot
end *before* the point in the buffer.

Add a test for this, with a capture file containing an IPv6 packet with
an extremely large "jumbo" packet size.

Revert the "Make sure we don't set the snapend before the beginning of
the packet." changes, as they no longer apply with this change (which
also makes sure we don't set the snapend before the beginning of the
packet).

1 files changed, 1 insertions, 0 deletions

diff --git a/tests/ipv6-too-long-jumbo.out b/tests/ipv6-too-long-jumbo.out
new file mode 100644
index 00000000..c5ccb838
--- /dev/null
+++ b/tests/ipv6-too-long-jumbo.out
@@ -0,0 +1 @@
+    1  12:40:23.226395 IP6 (class 0xc0, hlim 0, next-header Options (0) payload length: 0) 1:6:1a28:312:d7cb:b318:34e5:d3ea > 2b7f:cd1f:ec3c:fb9c:e731:d16b:a8fe:ba8c: HBH (opt_type 0x1a: len=0)(padn)(opt_type 0x16: len=0)(opt_type 0x64: len=114)(jumbo: 3858694210) (opt_type 0x42: len=3)(opt_type 0xfe: len=6)(pad1)(jumbo: 248 - already seen) (opt_type 0x0e: len=8)(opt_type 0x07: len=4)(opt_type 0xf1: len=60) truncated-ip6 - 3858693774 bytes missing! ip-proto-12 3858693802