Check for a too-small NBP length before subtracting the header size

(from OpenBSD's "print-atalk.c").
2025-01-21 15:18:15 +08:00 · 2002-02-05 10:03:34 +00:00 · 2002-02-05 10:03:34 +00:00 · d47c1a036a
commit d47c1a036a
parent b654029413
1 changed files with 14 additions and 1 deletions
--- a/print-atalk.c
+++ b/print-atalk.c
@ -23,7 +23,7 @@

 #ifndef lint
 static const char rcsid[] =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-atalk.c,v 1.70 2001-11-15 08:23:12 itojun Exp $ (LBL)";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-atalk.c,v 1.71 2002-02-05 10:03:34 guy Exp $ (LBL)";
 #endif

 #ifdef HAVE_CONFIG_H
@ -112,6 +112,14 @@ llap_print(register const u_char *bp, u_int length)
 	register const struct atShortDDP *sdp;
 	u_short snet;

+	/*
+	 * Our packet is on a 4-byte boundary, as we're either called
+	 * directly from a top-level link-layer printer (ltalk_if_print)
+	 * or from the UDP printer.  The LLAP+DDP header is a multiple
+	 * of 4 bytes in length, so the DDP payload is also on a 4-byte
+	 * boundary, and we don't need to align it before calling
+	 * "ddp_print()".
+	 */
 	lp = (const struct LAP *)bp;
 	bp += sizeof(*lp);
 	length -= sizeof(*lp);
@ -394,6 +402,11 @@ nbp_print(register const struct atNBP *np, u_int length, register u_short snet,
 	int i;
 	const u_char *ep;

+	if (length < nbpHeaderSize) {
+		(void)printf(" truncated-nbp %d", length);
+		return;
+	}
+
 	length -= nbpHeaderSize;
 	if (length < 8) {
 		/* must be room for at least one tuple */