From 121cd17c7dc1fb0ae2dd0e2e823b4824530314e0 Mon Sep 17 00:00:00 2001 From: Francois-Xavier Le Bail Date: Sun, 28 Nov 2021 10:57:14 +0100 Subject: ZEP: Add three length checks --- print-zep.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'print-zep.c') diff --git a/print-zep.c b/print-zep.c index e10ecb35..fd74368c 100644 --- a/print-zep.c +++ b/print-zep.c @@ -123,6 +123,7 @@ zep_print(netdissect_options *ndo, if (version == 1) { /* ZEP v1 packet. */ + ND_LCHECK_U(len, 16); ND_PRINT("Channel ID %u, Device ID 0x%04x, ", GET_U_1(bp + 3), GET_BE_U_2(bp + 4)); if (GET_U_1(bp + 6)) @@ -138,6 +139,7 @@ zep_print(netdissect_options *ndo, /* ZEP v2 packet. */ if (GET_U_1(bp + 3) == 2) { /* ZEP v2 ack. */ + ND_LCHECK_U(len, 8); seq_no = GET_BE_U_4(bp + 4); ND_PRINT("ACK, seq# = %u", seq_no); inner_len = 0; @@ -145,6 +147,7 @@ zep_print(netdissect_options *ndo, len -= 8; } else { /* ZEP v2 data, or some other. */ + ND_LCHECK_U(len, 32); ND_PRINT("Type %u, Channel ID %u, Device ID 0x%04x, ", GET_U_1(bp + 3), GET_U_1(bp + 4), GET_BE_U_2(bp + 5)); @@ -175,4 +178,7 @@ zep_print(netdissect_options *ndo, if (!ndo->ndo_suppress_default_print) ND_DEFAULTPRINT(bp, len); + return; +invalid: + nd_print_invalid(ndo); } -- cgit v1.2.1
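Review bot: The thresholds 16, 8 and 32 in the three added `ND_LCHECK_U(len, …)` calls (ZEP v1, v2 ack, v2 data) are bare literals that must stay equal to the amount later subtracted from `len` in the same branch. Only `len -= 8;` is visible in these hunks; the v1 and v2-data subtractions fall outside them. Assuming `len` is unsigned, as the `_U` suffix suggests, an edit that changes one number but not the other brings back the wraparound these checks prevent, and the wrapped value could reach `ND_DEFAULTPRINT(bp, len)`. Naming each size once ties the check to the subtraction, e.g. `#define ZEP_V1_HDR_LEN 16` with `ND_LCHECK_U(len, ZEP_V1_HDR_LEN);` and `len -= ZEP_V1_HDR_LEN;`, and likewise for 8 and 32.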
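Review bot: The new `invalid:` label at the end of zep_print() has no visible `goto` in the function, because the jump is made inside the `ND_LCHECK_U()` macro, so a reader who does not know the macro may take the label for dead code. A short comment above it would help, for example `/* Target of ND_LCHECK_U(): len is too short for the ZEP header. */`. The comment could also say that this path returns without calling `ND_DEFAULTPRINT`, so the remaining bytes of a short packet are not dumped. The start of zep_print() is outside this hunk.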