From 6283c99a5196cb97399ca68f8793db6fde00b6af Mon Sep 17 00:00:00 2001
From: Denis Ovsienko
Date: Fri, 4 Aug 2017 21:57:55 +0100
Subject: [PATCH] Rx: add a missing bounds check for callbacks
Add a bounds check to cb_print(), this likely makes the same type of bugfix as the previous commit but comes without a test case as the problem was identified through code review. Add a comment about bounds check to ubik_print().
---
 print-rx.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/print-rx.c b/print-rx.c
index 741d3043..bed89484 100644
--- a/print-rx.c
+++ b/print-rx.c
@@ -1262,6 +1262,7 @@ cb_print(netdissect_options *ndo,
 if (j == 0)
 ND_PRINT((ndo, " "));
+ ND_TCHECK_32BITS(bp);
 j = EXTRACT_32BITS(bp);
 bp += sizeof(int32_t);
@@ -2533,6 +2534,10 @@ ubik_print(netdissect_options *ndo,
 * gleaned from ubik/ubik_int.xg
 */
+ /* Every function that calls this function first makes a bounds check
+ * for (sizeof(rx_header) + 4) bytes, so long as it remains this way
+ * the line below will not over-read.
+ */
 ubik_op = EXTRACT_32BITS(bp + sizeof(struct rx_header));
 ND_PRINT((ndo, " ubik call %s", tok2str(ubik_req, "op#%d", ubik_op)));
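Review bot: The added `ND_TCHECK_32BITS(bp)` in cb_print() guards only the four-byte word that is read into `j`; `j` is then a value taken straight from the packet, and the code that consumes it lies after the end of this hunk. If that code uses `j` as an element count, which cannot be confirmed from the lines shown, every per-entry read there needs its own bounds check rather than relying on `j`. A short comment above the check, for example `/* bp may already be at the end of the captured data */`, would record why it is needed at this point. Since the commit message says there is no test case, a truncated capture that ends right before this word would keep the check from regressing.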
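Review bot: The new comment in ubik_print() records an invariant that only the callers uphold, so the `EXTRACT_32BITS(bp + sizeof(struct rx_header))` read stays safe only while every present and future caller keeps checking those bytes first. Enforcing it locally with `ND_TCHECK_32BITS(bp + sizeof(struct rx_header));` just before the read would make the function safe on its own; this assumes ubik_print() has a truncation label for the macro to jump to, which is outside the hunk. If the comment is kept instead, it should spell the type as `sizeof(struct rx_header)` so that it matches the expression on the line below.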