authorGordon Tetlow <gordon@FreeBSD.org>2017-09-18 04:10:54 +0000
committerGordon Tetlow <gordon@FreeBSD.org>2017-09-18 04:10:54 +0000
commit4533b6d8a9b95fc043b72b3656b98e79ac839041 (patch)
tree4ac156eafa4323886af859c09363dff43cc44106 /print-rsvp.c
parentd79b843cb78484ea27f877f1541055e1a6a5a4d3 (diff)
Vendor import of tcpdump 4.9.2.vendor/tcpdump/4.9.2
Approved by: emaste (mentor)
Notes
Notes: svn path=/vendor/tcpdump/dist/; revision=323696 svn path=/vendor/tcpdump/4.9.2/; revision=323697; tag=vendor/tcpdump/4.9.2
Diffstat (limited to 'print-rsvp.c')
-rw-r--r--print-rsvp.c24
1 files changed, 21 insertions, 3 deletions
diff --git a/print-rsvp.c b/print-rsvp.c
index be3dfa30b362..93b4b6529f90 100644
--- a/print-rsvp.c
+++ b/print-rsvp.c
@@ -12,7 +12,7 @@
* LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE.
*
- * Original code by Hannes Gredler (hannes@juniper.net)
+ * Original code by Hannes Gredler (hannes@gredler.at)
*/
/* \summary: Resource ReSerVation Protocol (RSVP) printer */
@@ -1205,6 +1205,17 @@ rsvp_obj_print(netdissect_options *ndo,
/* read variable length subobjects */
total_subobj_len = obj_tlen;
while(total_subobj_len > 0) {
+ /* If RFC 3476 Section 3.1 defined that a sub-object of the
+ * GENERALIZED_UNI RSVP object must have the Length field as
+ * a multiple of 4, instead of the check below it would be
+ * better to test total_subobj_len only once before the loop.
+ * So long as it does not define it and this while loop does
+ * not implement such a requirement, let's accept that within
+ * each iteration subobj_len may happen to be a multiple of 1
+ * and test it and total_subobj_len respectively.
+ */
+ if (total_subobj_len < 4)
+ goto invalid;
subobj_len = EXTRACT_16BITS(obj_tptr);
subobj_type = (EXTRACT_16BITS(obj_tptr+2))>>8;
af = (EXTRACT_16BITS(obj_tptr+2))&0x00FF;
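Review bot: The comment added above `if (total_subobj_len < 4)` discusses the RFC 3476 ambiguity at length but never states what the guard protects, namely the reads at `obj_tptr` and `obj_tptr+2` that follow, four octets in all. I would open it with a plain statement of the invariant, for example `/* the 4-octet sub-object header (length, type, AF) must fit in what is left of the object */`, and keep the spec discussion after it. The guard bounds those reads against the object's declared length only. Whether the capture actually holds that many bytes depends on a check that is not visible here, presumably earlier in rsvp_obj_print, so it is worth confirming. The loop body continues past the end of this hunk.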
@@ -1216,7 +1227,13 @@ rsvp_obj_print(netdissect_options *ndo,
tok2str(af_values, "Unknown", af), af,
subobj_len));
- if(subobj_len == 0)
+ /* In addition to what is explained above, the same spec does not
+ * explicitly say that the same Length field includes the 4-octet
+ * sub-object header, but as long as this while loop implements it
+ * as it does include, let's keep the check below consistent with
+ * the rest of the code.
+ */
+ if(subobj_len < 4 || subobj_len > total_subobj_len)
goto invalid;
switch(subobj_type) {
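Review bot: The new test `subobj_len < 4 || subobj_len > total_subobj_len` proves only that the header fits and that the sub-object stays inside the enclosing object. The `switch(subobj_type)` cases that follow are outside the hunk, so any case that decodes fixed fields past the header would still need its own minimum, of the form `if (subobj_len < N) goto invalid;` where N is a placeholder for the size that case reads. The literal 4 now appears in both guards of this loop, so a named constant for the sub-object header size would keep the two checks in step.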
@@ -1472,12 +1489,12 @@ rsvp_obj_print(netdissect_options *ndo,
case RSVP_OBJ_FASTREROUTE:
/* the differences between c-type 1 and 7 are minor */
obj_ptr.rsvp_obj_frr = (const struct rsvp_obj_frr_t *)obj_tptr;
- bw.i = EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->bandwidth);
switch(rsvp_obj_ctype) {
case RSVP_CTYPE_1: /* new style */
if (obj_tlen < sizeof(struct rsvp_obj_frr_t))
return-1;
+ bw.i = EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->bandwidth);
ND_PRINT((ndo, "%s Setup Priority: %u, Holding Priority: %u, Hop-limit: %u, Bandwidth: %.10g Mbps",
ident,
(int)obj_ptr.rsvp_obj_frr->setup_prio,
@@ -1496,6 +1513,7 @@ rsvp_obj_print(netdissect_options *ndo,
case RSVP_CTYPE_TUNNEL_IPV4: /* old style */
if (obj_tlen < 16)
return-1;
+ bw.i = EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->bandwidth);
ND_PRINT((ndo, "%s Setup Priority: %u, Holding Priority: %u, Hop-limit: %u, Bandwidth: %.10g Mbps",
ident,
(int)obj_ptr.rsvp_obj_frr->setup_prio,
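Review bot: In the `RSVP_CTYPE_TUNNEL_IPV4` case the relocated `bw.i = EXTRACT_32BITS(obj_ptr.rsvp_obj_frr->bandwidth);` is guarded by the bare literal `obj_tlen < 16`, while the read goes through `struct rsvp_obj_frr_t`. Nothing visible ties 16 to the offset of `bandwidth`, unlike the `RSVP_CTYPE_1` case in the previous hunk, where the guard is `sizeof(struct rsvp_obj_frr_t)` and plainly covers the field. A one-line comment such as `/* old style needs at least 16 octets, which must cover the bandwidth field read below */` would let a reader verify the bound. With the assignment now made per case, any other arm of this switch that uses `bw` (not visible in these hunks) would have to set it itself.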