ZEP: Add three length checks
authorFrancois-Xavier Le Bail <devel.fx.lebail@orange.fr>
Sun, 28 Nov 2021 09:57:14 +0000 (10:57 +0100)
committerFrancois-Xavier Le Bail <devel.fx.lebail@orange.fr>
Sun, 28 Nov 2021 09:59:29 +0000 (10:59 +0100)
print-zep.c

index e10ecb35771ac849f12674f9053f608f56270d2c..fd74368ceb3b74f1217f049d2abd276ca8f147e9 100644 (file)
@@ -123,6 +123,7 @@ zep_print(netdissect_options *ndo,
 
        if (version == 1) {
                /* ZEP v1 packet. */
+               ND_LCHECK_U(len, 16);
                ND_PRINT("Channel ID %u, Device ID 0x%04x, ",
                         GET_U_1(bp + 3), GET_BE_U_2(bp + 4));
                if (GET_U_1(bp + 6))
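Review bot: The bare `16` in `ND_LCHECK_U(len, 16)` is an unexplained literal for the fixed ZEP v1 header size, and the same pattern recurs as `8` in the v2 ack branch and `32` in the v2 data branch. The visible `len -= 8;` after the ack prints shows why each check matters: with a shorter `len` the subtraction would presumably wrap (the `_U` variant implies an unsigned length), and the wrapped value would then reach `ND_DEFAULTPRINT(bp, len)`. I would tie each check to its subtraction with a named constant, e.g. `#define ZEP_V1_HDR_LEN 16` used in both places, or at least a comment such as `/* fixed v1 header; keeps the later len adjustment from wrapping */`. The v1 branch continues outside this hunk, so its matching subtraction is presumed rather than visible here.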
@@ -138,6 +139,7 @@ zep_print(netdissect_options *ndo,
                /* ZEP v2 packet. */
                if (GET_U_1(bp + 3) == 2) {
                        /* ZEP v2 ack. */
+                       ND_LCHECK_U(len, 8);
                        seq_no = GET_BE_U_4(bp + 4);
                        ND_PRINT("ACK, seq# = %u", seq_no);
                        inner_len = 0;
@@ -145,6 +147,7 @@ zep_print(netdissect_options *ndo,
                        len -= 8;
                } else {
                        /* ZEP v2 data, or some other. */
+                       ND_LCHECK_U(len, 32);
                        ND_PRINT("Type %u, Channel ID %u, Device ID 0x%04x, ",
                                 GET_U_1(bp + 3), GET_U_1(bp + 4),
                                 GET_BE_U_2(bp + 5));
@@ -175,4 +178,7 @@ zep_print(netdissect_options *ndo,
 
        if (!ndo->ndo_suppress_default_print)
                ND_DEFAULTPRINT(bp, len);
+       return;
+invalid:
+       nd_print_invalid(ndo);
 }
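Review bot: In the lines shown nothing jumps to `invalid:` explicitly; the only route is the `goto` hidden inside the three `ND_LCHECK_U()` calls, so the label deserves a one-line comment such as `/* reached from ND_LCHECK_U() when len is shorter than the fixed header */`. This path returns without `ND_DEFAULTPRINT`, which looks intended for a packet too short to hold its header, but saying so in the comment would make it explicit. No test capture accompanies the change on this page; truncated v1, v2-ack and v2-data samples would pin the three checks against regression.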