diff --git a/CREDITS b/CREDITS index 4923d496..2c0d2294 100644 --- a/CREDITS +++ b/CREDITS @@ -84,6 +84,7 @@ Additional people who have contributed patches: Marc A. Lehmann Mark Ellzey Thomas Marko Kiiskila + Markus Schöpflin Marshall Rose Martin Husemann Michael Madore diff --git a/print-isoclns.c b/print-isoclns.c index 06ed252e..c0427db5 100644 --- a/print-isoclns.c +++ b/print-isoclns.c @@ -26,7 +26,7 @@ #ifndef lint static const char rcsid[] _U_ = - "@(#) $Header: /tcpdump/master/tcpdump/print-isoclns.c,v 1.152 2005-09-20 10:04:26 hannes Exp $ (LBL)"; + "@(#) $Header: /tcpdump/master/tcpdump/print-isoclns.c,v 1.153 2005-10-16 08:17:52 guy Exp $ (LBL)"; #endif #ifdef HAVE_CONFIG_H @@ -1616,7 +1616,11 @@ static int isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi) { char ident_buffer[20]; +#ifdef INET6 u_int8_t prefix[sizeof(struct in6_addr)]; /* shared copy buffer for IPv4 and IPv6 prefixes */ +#else + u_int8_t prefix[sizeof(struct in_addr)]; /* shared copy buffer for IPv4 prefixes */ +#endif u_int metric, status_byte, bit_length, byte_length, sublen, processed, subtlvtype, subtlvlen; if (!TTEST2(*tptr, 4)) @@ -1630,6 +1634,12 @@ isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi return (0); status_byte=*(tptr++); bit_length = status_byte&0x3f; + if (bit_length > 32) { + printf("%sIPv4 prefix: bad bit length %u", + ident, + bit_length); + return (0); + } processed++; #ifdef INET6 } else if (afi == IPV6) { @@ -1637,6 +1647,12 @@ isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi return (0); status_byte=*(tptr++); bit_length=*(tptr++); + if (bit_length > 128) { + printf("%sIPv6 prefix: bad bit length %u", + ident, + bit_length); + return (0); + } processed+=2; #endif } else @@ -1646,7 +1662,11 @@ isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi if (!TTEST2(*tptr, byte_length)) return (0); +#ifdef INET6 memset(prefix, 0, sizeof(struct in6_addr)); /* clear the copy buffer */ +#else + memset(prefix, 0, sizeof(struct in_addr)); /* clear the copy buffer */ +#endif memcpy(prefix,tptr,byte_length); /* copy as much as is stored in the TLV */ tptr+=byte_length; processed+=byte_length;