aboutsummaryrefslogtreecommitdiffstats
path: root/print-fr.c
diff options
context:
space:
mode:
authorPhilip Paeps <philip@FreeBSD.org>2019-10-06 04:36:53 +0000
committerPhilip Paeps <philip@FreeBSD.org>2019-10-06 04:36:53 +0000
commitf91036a44a189fa5d0b5f1c6dea0a396a0f928c0 (patch)
tree2cd0554d9f0826a4e0bc63c5e4ca83ece65bee24 /print-fr.c
parent810711ec13a9424633df50e0a1af057a68e2ed45 (diff)
downloadsrc-vendor/tcpdump.tar.gz
src-vendor/tcpdump.zip
Vendor import of tcpdump 4.9.3vendor/tcpdump
Notes
Notes: svn path=/vendor/tcpdump/dist/; revision=353144
Diffstat (limited to 'print-fr.c')
-rw-r--r--print-fr.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/print-fr.c b/print-fr.c
index 7181eb486e49..8a1a53a4914b 100644
--- a/print-fr.c
+++ b/print-fr.c
@@ -457,6 +457,10 @@ mfr_print(netdissect_options *ndo,
*/
ND_TCHECK2(*p, 4); /* minimum frame header length */
+ if (length < 4) {
+ ND_PRINT((ndo, "Message too short (%u bytes)", length));
+ return length;
+ }
if ((p[0] & MFR_BEC_MASK) == MFR_CTRL_FRAME && p[1] == 0) {
ND_PRINT((ndo, "FRF.16 Control, Flags [%s], %s, length %u",
@@ -493,6 +497,11 @@ mfr_print(netdissect_options *ndo,
switch (ie_type) {
case MFR_CTRL_IE_MAGIC_NUM:
+ /* FRF.16.1 Section 3.4.3 Magic Number Information Element */
+ if (ie_len != 4) {
+ ND_PRINT((ndo, "(invalid length)"));
+ break;
+ }
ND_PRINT((ndo, "0x%08x", EXTRACT_32BITS(tptr)));
break;