tcpdump mailing list archives
additional boundary check necessary in MLDv2 packet parsing
From: SUZUKI Shinsuke <suz () kame net>
Date: Wed, 28 Jul 2004 16:59:38 +0900
Hello all, Here's a patch to properly check buffer boundary in MLDv2 packet parsing. Could someone review and commit it? Thanks, ---- SUZUKI, Shinsuke @ Hitachi / KAME Project
--- print-icmp6.c.orig Wed Jul 28 15:34:40 2004 +++ print-icmp6.c Wed Jul 28 16:49:16 2004 @@ -764,7 +764,7 @@ printf(" [invalid number of groups]"); return; } - TCHECK(bp[group + 4]); + TCHECK2(bp[group + 4], 16); printf(" [gaddr %s", ip6addr_string(&bp[group + 4])); printf(" %s", tok2str(mldv2report2str, " [v2-report-#%d]", bp[group])); @@ -820,6 +820,7 @@ if (vflag) { (void)printf(" [max resp delay=%d]", mrt); } + TCHECK2(bp[8], 16); printf(" [gaddr %s", ip6addr_string(&bp[8])); if (vflag) { @@ -838,6 +839,7 @@ printf(" qqi=%d", qqi); } + TCHECK2(bp[26], 2); nsrcs = ntohs(*(u_short *)&bp[26]); if (nsrcs > 0) { if (len < 28 + nsrcs * 16)
- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Current thread:
- additional boundary check necessary in MLDv2 packet parsing SUZUKI Shinsuke (Jul 28)
- Re: additional boundary check necessary in MLDv2 packet parsing Guy Harris (Jul 28)