tcpdump mailing list archives

additional boundary check necessary in MLDv2 packet parsing


From: SUZUKI Shinsuke <suz () kame net>
Date: Wed, 28 Jul 2004 16:59:38 +0900

Hello all,

Here's a patch to properly check the buffer boundary in MLDv2 packet
parsing.  Could someone review and commit it?

Thanks,
----
SUZUKI, Shinsuke @ Hitachi / KAME Project

--- print-icmp6.c.orig  Wed Jul 28 15:34:40 2004
+++ print-icmp6.c       Wed Jul 28 16:49:16 2004
@@ -764,7 +764,7 @@
                printf(" [invalid number of groups]");
                return;
            }
-            TCHECK(bp[group + 4]);
+            TCHECK2(bp[group + 4], 16);
             printf(" [gaddr %s", ip6addr_string(&bp[group + 4]));
            printf(" %s", tok2str(mldv2report2str, " [v2-report-#%d]",
                                                                bp[group]));
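Review bot: The widened check starts at bp[group + 4], but the tok2str() call two lines below it reads bp[group], which lies outside the checked range of bp[group + 4] through bp[group + 19]. Unless the record header is already bounds-checked above this hunk, start the check at the record itself, e.g. TCHECK2(bp[group], 4 + 16), so the record type byte and the group address are covered together. The literal 16 would also read better as sizeof(struct in6_addr).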
@@ -820,6 +820,7 @@
     if (vflag) {
        (void)printf(" [max resp delay=%d]", mrt);
     }
+    TCHECK2(bp[8], 16);
     printf(" [gaddr %s", ip6addr_string(&bp[8]));
 
     if (vflag) {
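Review bot: The new TCHECK2(bp[8], 16) relies on two undocumented literals, the offset 8 and the length 16, and the same pattern recurs with bp[26] further down. A one-line comment naming the field (the group address of the query) and sizeof(struct in6_addr) in place of 16 would make it clear that the check matches exactly what ip6addr_string(&bp[8]) reads.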
@@ -838,6 +839,7 @@
        printf(" qqi=%d", qqi);
     }
 
+    TCHECK2(bp[26], 2);
     nsrcs = ntohs(*(u_short *)&bp[26]);
     if (nsrcs > 0) {
        if (len < 28 + nsrcs * 16)
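Review bot: TCHECK2(bp[26], 2) covers only the two-byte source count; the test that follows, len < 28 + nsrcs * 16, compares against len and does not by itself show that nsrcs * 16 bytes starting at bp[28] were actually captured. If the code after this hunk prints the source addresses, each one needs its own TCHECK2(bp[28 + i * 16], 16) before ip6addr_string() is called on it. Separately, the context line nsrcs = ntohs(*(u_short *)&bp[26]) dereferences a cast pointer into the packet buffer; tcpdump's EXTRACT_16BITS(&bp[26]) avoids the alignment assumption.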
-
This is the tcpdump-workers list.