TCP: Add a bounds check before decoding the payload

At least the header data is required.

Moreover:
Update the output of a test accordingly.
Fix indentation.

1 files changed, 13 insertions, 2 deletions

diff --git a/print-tcp.c b/print-tcp.c
index 0d62c4a9..12d24b5c 100644
--- a/print-tcp.c
+++ b/print-tcp.c
@@ -173,6 +173,7 @@ tcp_print(netdissect_options *ndo,
         uint16_t magic;
         int rev;
         const struct ip6_hdr *ip6;
+        u_int header_len;	/* Header length in bytes */
 
         ndo->ndo_protocol = "tcp";
         tp = (const struct tcphdr *)bp;
@@ -612,7 +613,7 @@ tcp_print(netdissect_options *ndo,
                                 break;
 
                         case TCPOPT_MPTCP:
-			    {
+                            {
                                 const u_char *snapend_save;
                                 int ret;
 
@@ -704,7 +705,17 @@ tcp_print(netdissect_options *ndo,
         /*
          * Decode payload if necessary.
          */
-        bp += TH_OFF(tp) * 4;
+        header_len = TH_OFF(tp) * 4;
+        /*
+         * Do a bounds check before decoding the payload.
+         * At least the header data is required.
+         */
+        if (!ND_TTEST_LEN(bp, header_len)) {
+                ND_PRINT(" [remaining caplen(%u) < header length(%u)]",
+                         ND_BYTES_AVAILABLE_AFTER(bp), header_len);
+                nd_trunc_longjmp(ndo);
+        }
+        bp += header_len;
         if ((flags & TH_RST) && ndo->ndo_vflag) {
                 print_tcp_rst_data(ndo, bp, length);
                 return;