authorKristof Provost <kp@FreeBSD.org>2024-04-01 09:42:14 +0000
committerKristof Provost <kp@FreeBSD.org>2024-04-04 08:07:05 +0000
commit4848eb3af2a91b133c4b70cb9b71dd92ffec7f46 (patch)
treecbeac07c4f43c98bf6aed82f6e7596a07cd67237 /contrib/tcpdump/print-pfsync.c
parent41956c13f95004882e2080862e3158e820c8db33 (diff)
tcpdump: cope with incorrect packet lengths
It's possible for the capture buffer to be smaller than indicated by the header length. However, pfsync_print() only took the header length into account. As a result we could read outside of the buffer. Check that we have at least the expected amount of data before we start parsing.

PR: 278034
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44580
Diffstat (limited to 'contrib/tcpdump/print-pfsync.c')
-rw-r--r--contrib/tcpdump/print-pfsync.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/contrib/tcpdump/print-pfsync.c b/contrib/tcpdump/print-pfsync.c
index 5710e36ded6c..6bf9abaf3903 100644
--- a/contrib/tcpdump/print-pfsync.c
+++ b/contrib/tcpdump/print-pfsync.c
@@ -86,7 +86,7 @@ pfsync_ip_print(netdissect_options *ndo , const u_char *bp, u_int len)
{
struct pfsync_header *hdr = (struct pfsync_header *)bp;
- if (len < PFSYNC_HDRLEN)
+ if (len < PFSYNC_HDRLEN || !ND_TTEST_LEN(bp, len))
ND_PRINT("[|pfsync]");
else
pfsync_print(ndo, hdr, bp + sizeof(struct pfsync_header),