On 2015/11/03 20:04, Kevin Reay wrote:
> Fix a segfault in the GRE printer when a GRE packet SRE length
> extends past the actual captured length (but not the packet's
> original length).

That's OK with me.

> gre_print() now checks if the length extends past snapend and, if so,
> uses the snapend to determine the usable length.
> 
> Also includes a small change to use the already defined GRE_VERS
> instead of a hardcoded mask.
> 
> Note that the GRE printer does its own length testing. It would
> probably be better to migrate it to use the TCHECK* functions instead
> of the manual length check logic it's doing now.

> Index: print-gre.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/tcpdump/print-gre.c,v
> retrieving revision 1.9
> diff -u -p -r1.9 print-gre.c
> --- print-gre.c       16 Jan 2015 06:40:21 -0000      1.9
> +++ print-gre.c       4 Nov 2015 02:52:41 -0000
> @@ -73,11 +73,14 @@ gre_print(const u_char *bp, u_int length
>  {
>       u_int len = length, vers;
>  
> +     if (bp + len > snapend)
> +             len = snapend - bp;
> +
>       if (len < 2) {
>               printf("[|gre]");
>               return;
>       }
> -     vers = EXTRACT_16BITS(bp) & 7;
> +     vers = EXTRACT_16BITS(bp) & GRE_VERS;
>  
>       if (vers == 0)
>               gre_print_0(bp, len);
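Review bot: the new bound check at the top of gre_print() forms `bp + len` before comparing with snapend, so when `len` is large or `bp` already lies past snapend the pointer arithmetic runs outside the captured buffer (undefined behaviour in C), and in the second case `snapend - bp` is negative and, assigned to the unsigned `len`, wraps to a huge value that sails past the `len < 2` guard. Compare lengths rather than pointers and handle the already-past-the-end case explicitly, e.g. `if (bp > snapend || len > (u_int)(snapend - bp)) len = (bp > snapend) ? 0 : (u_int)(snapend - bp);`, which then falls into the existing `[|gre]` truncation path. The `& GRE_VERS` change is fine as long as GRE_VERS covers exactly the low three bits that the old `& 7` masked, since gre_print_0() is chosen on `vers == 0`.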
