Stuart Henderson <st...@openbsd.org> writes:

> On 2015/11/03 20:04, Kevin Reay wrote:
>> Fix a segfault in the GRE printer when a GRE packet SRE length
>> extends past the actual captured length (but not the packet's
>> original length).
>
> That's OK with me.

Committed, thanks Kevin.

>> gre_print() now checks if the length extends past snapend and, if so,
>> uses the snapend to determine the usable length.
>> 
>> Also includes a small change to use the already defined GRE_VERS
>> instead of a hardcoded mask.
>> 
>> Note that the GRE printer does its own length testing. It would
>> probably be better to migrate it to use the TCHECK* functions instead
>> of the manual length check logic it's doing now.

Sounds right.

>> Index: print-gre.c
>> ===================================================================
>> RCS file: /cvs/src/usr.sbin/tcpdump/print-gre.c,v
>> retrieving revision 1.9
>> diff -u -p -r1.9 print-gre.c
>> --- print-gre.c      16 Jan 2015 06:40:21 -0000      1.9
>> +++ print-gre.c      4 Nov 2015 02:52:41 -0000
>> @@ -73,11 +73,14 @@ gre_print(const u_char *bp, u_int length
>>  {
>>      u_int len = length, vers;
>>  
>> +    if (bp + len > snapend)
>> +            len = snapend - bp;
>> +
>>      if (len < 2) {
>>              printf("[|gre]");
>>              return;
>>      }
>> -    vers = EXTRACT_16BITS(bp) & 7;
>> +    vers = EXTRACT_16BITS(bp) & GRE_VERS;
>>  
>>      if (vers == 0)
>>              gre_print_0(bp, len);
>


-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE