From 009b632b5c7cf5151699b660a4c885ba57f9f836 Mon Sep 17 00:00:00 2001

From: Guy Harris <guy@alum.mit.edu>

Date: Thu, 14 Aug 2014 17:14:32 -0700

Subject: [PATCH 3/4] Check for TLV length too small.

The TLV length includes the T and the L, so it must be at least 4.

This means we don't need the "avoid infinite loop" check later; that

check was wrong, as per GitHub issue #401 and #402; this fixes #402,

which has a different patch for that bug.

(cherry picked from commit 5511e8f79f0ac96671bab23223397881eba8b806)

[msekleta: replaced ND_PRINT by printfs]

---

 print-cdp.c | 18 +++++++++++++++---

 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/print-cdp.c b/print-cdp.c

index 152b2f9..5a0eaea 100644

--- a/print-cdp.c

+++ b/print-cdp.c

@@ -111,6 +111,21 @@ cdp_print(const u_char *pptr, u_int length, u_int caplen)

                     goto trunc;

 		type = EXTRACT_16BITS(tptr);

 		len  = EXTRACT_16BITS(tptr+2); /* object length includes the 4 bytes header length */

+

+		if (len < 4) {

+                    if (vflag)

+                        printf("\n\t%s (0x%02x), length: %u byte%s (too short)",

+                               tok2str(cdp_tlv_values,"unknown field type", type),

+                               type,

+                               len,

+                               PLURAL_SUFFIX(len)); /* plural */

+                    else

+                        printf(", %s TLV length %u too short",

+                               tok2str(cdp_tlv_values,"unknown field type", type),

+                               len);

+                    break;

+                }

+

                 tptr += 4;

                 len -= 4;

@@ -222,9 +237,6 @@ cdp_print(const u_char *pptr, u_int length, u_int caplen)

 			break;

                     }

                 }

-		/* avoid infinite loop */

-		if (len == 0)

-			break;

 		tptr = tptr+len;

 	}

         if (vflag < 1)

-- 

2.4.3