author | Francois-Xavier Le Bail <devel.fx.lebail@orange.fr> | 2021-02-12 21:49:40 +0100 |
---|---|---|
committer | Francois-Xavier Le Bail <devel.fx.lebail@orange.fr> | 2021-02-12 21:58:20 +0100 |
commit | 57577610721997e4721c0d02b7860ef31cc399ba (patch) | |
tree | c5a3a913a5ec02879844018b9acf2e7c23636716 /print-tcp.c | |
parent | 1fb5643f91a91fe00428a6a0a0c256ba0fd2ad59 (diff) | |
TCP: Add a bounds check before decoding the payload
At least the header data is required.
Moreover:
Update the output of a test accordingly.
Fix indentation.
Diffstat (limited to 'print-tcp.c')
-rw-r--r-- | print-tcp.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/print-tcp.c b/print-tcp.c
index 0d62c4a9..12d24b5c 100644
--- a/print-tcp.c
+++ b/print-tcp.c
@@ -173,6 +173,7 @@ tcp_print(netdissect_options *ndo,
 uint16_t magic;
 int rev;
 const struct ip6_hdr *ip6;
+ u_int header_len; /* Header length in bytes */
 ndo->ndo_protocol = "tcp";
 tp = (const struct tcphdr *)bp;
@@ -612,7 +613,7 @@ tcp_print(netdissect_options *ndo,
 break;
 case TCPOPT_MPTCP:
- {
+ {
 const u_char *snapend_save;
 int ret;
@@ -704,7 +705,17 @@ tcp_print(netdissect_options *ndo,
 /*
 * Decode payload if necessary.
 */
- bp += TH_OFF(tp) * 4;
+ header_len = TH_OFF(tp) * 4;
+ /*
+ * Do a bounds check before decoding the payload.
+ * At least the header data is required.
+ */
+ if (!ND_TTEST_LEN(bp, header_len)) {
+ ND_PRINT(" [remaining caplen(%u) < header length(%u)]",
+ ND_BYTES_AVAILABLE_AFTER(bp), header_len);
+ nd_trunc_longjmp(ndo);
+ }
+ bp += header_len;
 if ((flags & TH_RST) && ndo->ndo_vflag) {
 print_tcp_rst_data(ndo, bp, length);
 return;
|
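Review bot: The comment above the new `ND_TTEST_LEN(bp, header_len)` check says only that the header data is required; it would help to state the invariant it protects, e.g. `/* The full TCP header, options included, must be captured so that bp += header_len cannot move bp past the end of the captured data. */`. The check covers the header bytes only, so `print_tcp_rst_data(ndo, bp, length)` and the other payload decoders still have to bounds-check their own reads; `length` is not compared with the captured bytes anywhere in this hunk. Whether a data offset below 5 (header_len < 20) is rejected earlier in tcp_print is not visible here, since the function body starts and ends outside the hunk.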