From 259cb9ad02e8624353be599a8ec6181d20a34f3d Mon Sep 17 00:00:00 2001
From: guy
Date: Wed, 19 Nov 2003 09:42:04 +0000
Subject: Add missing bounds checking to the DVMRP and PIM print routines. Instead of checking that there are 8 bytes available at the beginning of an IGMP packet - which there might not be, e.g. with some DVMRP packets - do the checks as necessary before fetching values.
---
 print-igmp.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'print-igmp.c')
diff --git a/print-igmp.c b/print-igmp.c
index 37663590..b0f9fc45 100644
--- a/print-igmp.c
+++ b/print-igmp.c
@@ -21,7 +21,7 @@
 #ifndef lint
 static const char rcsid[] _U_ =
- "@(#) $Header: /tcpdump/master/tcpdump/print-igmp.c,v 1.13 2003-11-16 09:36:23 guy Exp $ (LBL)";
+ "@(#) $Header: /tcpdump/master/tcpdump/print-igmp.c,v 1.14 2003-11-19 09:42:04 guy Exp $ (LBL)";
 #endif
 #ifdef HAVE_CONFIG_H
@@ -218,6 +218,7 @@ print_igmpv3_query(register const u_char *bp, register u_int len)
 (void)printf(" [invalid len %d]", len);
 return;
 }
+ TCHECK(bp[1]);
 mrc = bp[1];
 if (mrc < 128) {
 mrt = mrc;
@@ -263,19 +264,21 @@ igmp_print(register const u_char *bp, register u_int len)
 return;
 }
- TCHECK2(bp[0], 8);
+ TCHECK(bp[0]);
 switch (bp[0]) {
 case 0x11:
 (void)printf("igmp query");
 if (len >= 12) print_igmpv3_query(bp, len);
 else {
+ TCHECK(bp[1]);
 if (bp[1]) {
 (void)printf(" v2");
 if (bp[1] != 100) (void)printf(" [max resp time %d]", bp[1]);
 } else (void)printf(" v1");
+ TCHECK2(bp[4], 4);
 if (EXTRACT_32BITS(&bp[4])) (void)printf(" [gaddr %s]", ipaddr_string(&bp[4]));
 if (len != 8)
@@ -283,11 +286,13 @@ igmp_print(register const u_char *bp, register u_int len)
 (void)printf(" [len %d]", len);
 }
 break;
 case 0x12:
+ TCHECK2(bp[4], 4);
 (void)printf("igmp v1 report %s", ipaddr_string(&bp[4]));
 if (len != 8) (void)printf(" [len %d]", len);
 break;
 case 0x16:
+ TCHECK2(bp[4], 4);
 (void)printf("igmp v2 report %s", ipaddr_string(&bp[4]));
 break;
 case 0x22:
-- 
cgit v1.2.1
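Review bot: The added `TCHECK(bp[1]);` in print_igmpv3_query covers only the byte assigned to `mrc`, while the igmp_print hunk of this same commit drops the caller's `TCHECK2(bp[0], 8)`, so on the `len >= 12` path this function is now entered with nothing but bp[0] verified against the captured data. The function body continues past the end of the hunk, so its later reads are not visible here; each of them needs its own TCHECK/TCHECK2 immediately before the fetch, since `len` is checked earlier in the function but that does not bound what was actually captured. A short comment above the new check would record the changed contract, e.g. `/* caller has checked only bp[0]; check every field before reading it */`.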
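Review bot: Narrowing `TCHECK2(bp[0], 8)` to `TCHECK(bp[0])` in igmp_print removes the one check that used to cover every branch of the switch, so every case now has to guard its own reads. The two igmp_print hunks add checks for 0x11, 0x12 and 0x16, but the switch continues past `case 0x22:` outside the hunk, and the DVMRP and PIM printers named in the commit message are not part of this file-limited view. Confirm that each remaining case, and any code after the switch that dereferences `bp`, checks before it fetches. A comment at the top of the switch would stop a later case being added without a check, e.g. `/* No blanket length check here: some packets (e.g. DVMRP) are shorter than 8 bytes, so each case checks what it reads. */`.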