From 009b632b5c7cf5151699b660a4c885ba57f9f836 Mon Sep 17 00:00:00 2001
From: Guy Harris <guy@alum.mit.edu>
Date: Thu, 14 Aug 2014 17:14:32 -0700
Subject: [PATCH 3/4] Check for TLV length too small.
The TLV length includes the T and the L, so it must be at least 4.
This means we don't need the "avoid infinite loop" check later; that
check was wrong, as per GitHub issues #401 and #402; this fixes #402,
which has a different patch for that bug.
(cherry picked from commit 5511e8f79f0ac96671bab23223397881eba8b806)
[msekleta: replaced ND_PRINT by printfs]
---
print-cdp.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/print-cdp.c b/print-cdp.c
index 152b2f9..5a0eaea 100644
--- a/print-cdp.c
+++ b/print-cdp.c
@@ -111,6 +111,21 @@ cdp_print(const u_char *pptr, u_int length, u_int caplen)
goto trunc;
type = EXTRACT_16BITS(tptr);
len = EXTRACT_16BITS(tptr+2); /* object length includes the 4 bytes header length */
+
+ if (len < 4) {
+ if (vflag)
+ printf("\n\t%s (0x%02x), length: %u byte%s (too short)",
+ tok2str(cdp_tlv_values,"unknown field type", type),
+ type,
+ len,
+ PLURAL_SUFFIX(len)); /* plural */
+ else
+ printf(", %s TLV length %u too short",
+ tok2str(cdp_tlv_values,"unknown field type", type),
+ len);
+ break;
+ }
+
tptr += 4;
len -= 4;
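Review bot: The added `len < 4` guard bounds the TLV length only from below. Nothing visible in this hunk compares `len` with the bytes left in the capture before `tptr += 4; len -= 4;`, or before the `tptr = tptr+len` advance at the bottom of the loop. `len` is a 16-bit value read straight from the packet, so unless the lines just below the hunk already do so, the value bytes should be bounds-checked right after the subtraction, e.g. `if (!TTEST2(*tptr, len)) goto trunc;`. The `break` is now the only thing guarding the subtraction since the old `len == 0` check is removed, so it deserves a comment such as `/* a TLV shorter than its own 4-byte header is malformed; stop before len -= 4 */`. The declaration of `len` is outside the hunk, so confirm it is unsigned to match the `%u` conversions; cdp_print's body starts and ends outside the hunk.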
@@ -222,9 +237,6 @@ cdp_print(const u_char *pptr, u_int length, u_int caplen)
break;
}
}
- /* avoid infinite loop */
- if (len == 0)
- break;
tptr = tptr+len;
}
if (vflag < 1)
--
2.4.3