author | Patrick Kelsey <pkelsey@FreeBSD.org> | 2015-07-08 16:19:32 +0000 |
---|---|---|
committer | Patrick Kelsey <pkelsey@FreeBSD.org> | 2015-07-08 16:19:32 +0000 |
commit | 8bdc5a6251ddffc81a013f36b4384c8ace9c4bec (patch) | |
tree | f0c2243cc0a2a59f3eb1354ba3987d4cbcb788bc /contrib/tcpdump/print-mobility.c | |
parent | 6bae05d951855544018d42bbf8c04f3ceea630b8 (diff) | |
parent | 7041091186ddb72670e3e2d8254859ed31d3f2e6 (diff) | |
MFV r285191: tcpdump 4.7.4.
Also, the changes made in r272451 and r272653 that were lost in the
merge of 4.6.2 (r276788) have been restored.
PR: 199568
Differential Revision: https://reviews.freebsd.org/D3007
Reviewed by: brooks, hiren
Approved by: jmallett (mentor)
MFC after: 1 month
Notes
Notes:
svn path=/head/; revision=285275
Diffstat (limited to 'contrib/tcpdump/print-mobility.c')
-rw-r--r-- | contrib/tcpdump/print-mobility.c | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/contrib/tcpdump/print-mobility.c b/contrib/tcpdump/print-mobility.c
index 83447cff15d4..b6fa61e9dc74 100644
--- a/contrib/tcpdump/print-mobility.c
+++ b/contrib/tcpdump/print-mobility.c
@@ -69,6 +69,18 @@ struct ip6_mobility {
 #define IP6M_BINDING_UPDATE 5 /* Binding Update */
 #define IP6M_BINDING_ACK 6 /* Binding Acknowledgement */
 #define IP6M_BINDING_ERROR 7 /* Binding Error */
+#define IP6M_MAX 7
+
+static const unsigned ip6m_hdrlen[IP6M_MAX + 1] = {
+ IP6M_MINLEN, /* IP6M_BINDING_REQUEST */
+ IP6M_MINLEN + 8, /* IP6M_HOME_TEST_INIT */
+ IP6M_MINLEN + 8, /* IP6M_CAREOF_TEST_INIT */
+ IP6M_MINLEN + 16, /* IP6M_HOME_TEST */
+ IP6M_MINLEN + 16, /* IP6M_CAREOF_TEST */
+ IP6M_MINLEN + 4, /* IP6M_BINDING_UPDATE */
+ IP6M_MINLEN + 4, /* IP6M_BINDING_ACK */
+ IP6M_MINLEN + 16, /* IP6M_BINDING_ERROR */
+};
 /* XXX: unused */
 #define IP6MOPT_BU_MINLEN 10
@@ -95,16 +107,20 @@ mobility_opt_print(netdissect_options *ndo,
 unsigned i, optlen;
 for (i = 0; i < len; i += optlen) {
+ ND_TCHECK(bp[i]);
 if (bp[i] == IP6MOPT_PAD1)
 optlen = 1;
 else {
- if (i + 1 < len)
+ if (i + 1 < len) {
+ ND_TCHECK(bp[i + 1]);
 optlen = bp[i + 1] + 2;
+ }
 else
 goto trunc;
 }
 if (i + optlen > len)
 goto trunc;
+ ND_TCHECK(bp[i + optlen]);
 switch (bp[i]) {
 case IP6MOPT_PAD1:
@@ -203,6 +219,10 @@ mobility_print(netdissect_options *ndo,
 ND_TCHECK(mh->ip6m_type);
 type = mh->ip6m_type;
+ if (type <= IP6M_MAX && mhlen < ip6m_hdrlen[type]) {
+ ND_PRINT((ndo, "(header length %u is too small for type %u)", mhlen, type));
+ goto trunc;
+ }
 switch (type) {
 case IP6M_BINDING_REQUEST:
 ND_PRINT((ndo, "mobility: BRR")); |
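Review bot: `ip6m_hdrlen` is filled positionally, so each entry is right only while its position equals the numeric value of the type named in its trailing comment, and `IP6M_MAX` repeats the literal 7 instead of being tied to the last type. Writing `#define IP6M_MAX IP6M_BINDING_ERROR` would keep the bound and the table size in step with the type list. A comment above the table such as `/* minimum Mobility Header length for each ip6m_type, indexed by type value */` would also help, because the new length check in mobility_print depends on this table. Only types 5 to 7 are visible in this hunk; the defines for 0 to 4 sit above it, so their order is presumed to match.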
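Review bot: `ND_TCHECK(bp[i + optlen]);` in mobility_opt_print tests the byte that follows the option rather than the option's own bytes, and when `i + optlen == len` that byte lies outside the option area altogether. The check errs on the safe side, but an option that ends exactly at the end of the captured data would be reported as truncated. Bounding the option itself with `ND_TCHECK2(bp[i], optlen);` would express the intent directly. The function body continues past the hunk, so whether the case arms repeat their own capture checks cannot be seen here.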
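Review bot: The new guard in mobility_print applies only when `type <= IP6M_MAX`, so a message with an unknown type still reaches the switch with no per-type minimum on `mhlen`, which is computed before the hunk. Skipping the lookup is the right way to protect the table index, but it deserves a comment, for example `/* unknown types have no table entry; the default case must not read fixed fields past IP6M_MINLEN */`. Separately, the `goto trunc` path presumably prints the truncation marker, which would label a malformed header-length field as a truncated capture. A distinct message or label for the invalid-length case would make the output easier to interpret. The switch body and the `trunc` label both lie outside the hunk.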