From Markus Schoepflin: don't use "struct in6_addr" if INET6 isn't

defined, because, in that case, "struct in6_addr" probably isn't defined, either. Check for too-large bit lengths in TLVs.
2024-11-23 10:04:05 +08:00 · 2005-10-16 08:17:51 +00:00 · 2005-10-16 08:17:51 +00:00 · 02c692dc72
commit 02c692dc72
parent 463199df7a
2 changed files with 22 additions and 1 deletions
--- a/1
+++ b/1
@ -84,6 +84,7 @@ Additional people who have contributed patches:
 	Marc A. Lehmann			<pcg@goof.com>
 	Mark Ellzey Thomas		<mark@ackers.net>
 	Marko Kiiskila			<carnil@cs.tut.fi>
+	Markus Schöpflin		<schoepflin@sourceforge.net>
 	Marshall Rose			<mrose@dbc.mtview.ca.us>
 	Martin Husemann			<martin@netbsd.org>
 	Michael Madore			<mmadore@turbolinux.com>
--- a/print-isoclns.c
+++ b/print-isoclns.c
@ -26,7 +26,7 @@

 #ifndef lint
 static const char rcsid[] _U_ =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-isoclns.c,v 1.152 2005-09-20 10:04:26 hannes Exp $ (LBL)";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-isoclns.c,v 1.153 2005-10-16 08:17:52 guy Exp $ (LBL)";
 #endif

 #ifdef HAVE_CONFIG_H
@ -1616,7 +1616,11 @@ static int
 isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi) {

    char ident_buffer[20];
+#ifdef INET6
    u_int8_t prefix[sizeof(struct in6_addr)]; /* shared copy buffer for IPv4 and IPv6 prefixes */
+#else
+    u_int8_t prefix[sizeof(struct in_addr)]; /* shared copy buffer for IPv4 prefixes */
+#endif
    u_int metric, status_byte, bit_length, byte_length, sublen, processed, subtlvtype, subtlvlen;

    if (!TTEST2(*tptr, 4))
@ -1630,6 +1634,12 @@ isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi
            return (0);
        status_byte=*(tptr++);
        bit_length = status_byte&0x3f;
+        if (bit_length > 32) {
+            printf("%sIPv4 prefix: bad bit length %u",
+                   ident,
+                   bit_length);
+            return (0);
+        }
        processed++;
 #ifdef INET6
    } else if (afi == IPV6) {
@ -1637,6 +1647,12 @@ isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi
            return (0);
        status_byte=*(tptr++);
        bit_length=*(tptr++);
+        if (bit_length > 128) {
+            printf("%sIPv6 prefix: bad bit length %u",
+                   ident,
+                   bit_length);
+            return (0);
+        }
        processed+=2;
 #endif
    } else
@ -1646,7 +1662,11 @@ isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi
   
    if (!TTEST2(*tptr, byte_length))
        return (0);
+#ifdef INET6
    memset(prefix, 0, sizeof(struct in6_addr));              /* clear the copy buffer */
+#else
+    memset(prefix, 0, sizeof(struct in_addr));               /* clear the copy buffer */
+#endif
    memcpy(prefix,tptr,byte_length);    /* copy as much as is stored in the TLV */
    tptr+=byte_length;
    processed+=byte_length;