Hi,

When using -X/-x/-A with tcpdump on a packet where sizeof(*uph) is larger than 'length' we end up passing a negative value as the length to default_print(), which wraps around and suddenly we're attempting to print 4294976281 elements. Found with AFL.
OK? Index: print-usbpcap.c =================================================================== RCS file: /cvs/src/usr.sbin/tcpdump/print-usbpcap.c,v retrieving revision 1.2 diff -u -p -r1.2 print-usbpcap.c --- print-usbpcap.c 12 Feb 2020 20:07:55 -0000 1.2 +++ print-usbpcap.c 21 Feb 2020 16:11:45 -0000 @@ -40,7 +40,7 @@ usbpcap_if_print(u_char *user, const str ts_print(&h->ts); /* check length */ - if (caplen < sizeof(uint16_t)) + if (caplen < sizeof(uint16_t) || length < sizeof(*uph)) goto trunc; uph = (struct usbpcap_pkt_hdr *)p; -- jasper
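Review bot: the new `length < sizeof(*uph)` test guards the wire length that later feeds the `length - sizeof(*uph)` subtraction, but the captured length is still only checked against `sizeof(uint16_t)` before `p` is cast to `struct usbpcap_pkt_hdr *` on the very next line; any field of `*uph` beyond the first two bytes that is read before a further bounds check would still be out of the captured buffer. If no such check follows, consider tightening the same condition to cover both, e.g. `if (caplen < sizeof(uint16_t) || length < sizeof(*uph) || caplen < sizeof(*uph))`, or add a TCHECK on the fields actually read. The `/* check length */` comment above the condition could also say which length is being checked and why (the unsigned subtraction that follows), so the next reader does not simplify it back to the single `caplen` test.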