Stuart Henderson <st...@openbsd.org> writes:

> On 2015/11/03 20:04, Kevin Reay wrote:
>> Fix a segfault in the GRE printer when a GRE packet SRE length
>> extends past the actual captured length (but not the packet's
>> original length).
>
> That's OK with me..

Committed, thanks Kevin.

>> gre_print() now checks if the length extends past snapend and, if so,
>> uses the snapend to determine the usable length.
>>
>> Also includes a small change to use the already defined GRE_VERS
>> instead of a hardcoded mask.
>>
>> Note that the GRE printer does its own length testing. It would
>> probably be better to migrate it to use the TCHECK* functions instead
>> of the manual length check logic it's doing now.

Sounds right.

>> Index: print-gre.c
>> ===================================================================
>> RCS file: /cvs/src/usr.sbin/tcpdump/print-gre.c,v
>> retrieving revision 1.9
>> diff -u -p -r1.9 print-gre.c
>> --- print-gre.c	16 Jan 2015 06:40:21 -0000	1.9
>> +++ print-gre.c	4 Nov 2015 02:52:41 -0000
>> @@ -73,11 +73,14 @@ gre_print(const u_char *bp, u_int length
>>  {
>>  	u_int len = length, vers;
>>  
>> +	if (bp + len > snapend)
>> +		len = snapend - bp;
>> +
>>  	if (len < 2) {
>>  		printf("[|gre]");
>>  		return;
>>  	}
>> -	vers = EXTRACT_16BITS(bp) & 7;
>> +	vers = EXTRACT_16BITS(bp) & GRE_VERS;
>>  
>>  	if (vers == 0)
>>  		gre_print_0(bp, len);

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
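Review bot: the added clamp `if (bp + len > snapend)` computes the pointer `bp + len` before checking it, and when `len` overstates the captured data that pointer can point past the end of the capture buffer, which is undefined behaviour in C even if it is never dereferenced; comparing lengths instead avoids forming it: `if (len > (u_int)(snapend - bp)) len = snapend - bp;`. The same line also assumes `bp <= snapend`: should a caller ever pass `bp` past `snapend`, `snapend - bp` is negative and the assignment to the unsigned `len` yields a very large value that slips past the following `len < 2` check, so either document that precondition or treat that case as truncated (`len = 0`, printing `[|gre]`). As Kevin's note says, switching the printer to the TCHECK* macros would make these bounds checks consistent with the other printers instead of hand-rolled here.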