summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorjca <jca@openbsd.org>2020-10-26 23:19:18 +0000
committerjca <jca@openbsd.org>2020-10-26 23:19:18 +0000
commit9d41c16906b279ed9301276a66fe6b416bc36526 (patch)
tree7462f6475ac1b377e4d32d3164a47ddc1d577358
parentRetguard asm macros for powerpc libc, ld.so (diff)
downloadwireguard-openbsd-9d41c16906b279ed9301276a66fe6b416bc36526.tar.xz
wireguard-openbsd-9d41c16906b279ed9301276a66fe6b416bc36526.zip
Fix parsing GTP packets with invalid extended headers.
In GTP a zero extended header length is invalid, deal with this instead of looping forever. Report and fix by Peter J. Philipp, tweaked by me, ok kn@
-rw-r--r--usr.sbin/tcpdump/print-gtp.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/usr.sbin/tcpdump/print-gtp.c b/usr.sbin/tcpdump/print-gtp.c
index c1c295d02cb..c21db86fe1e 100644
--- a/usr.sbin/tcpdump/print-gtp.c
+++ b/usr.sbin/tcpdump/print-gtp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: print-gtp.c,v 1.12 2020/05/20 01:20:37 dlg Exp $ */
+/* $OpenBSD: print-gtp.c,v 1.13 2020/10/26 23:19:18 jca Exp $ */
/*
* Copyright (c) 2009, 2010 Joel Sing <jsing@openbsd.org>
*
@@ -927,6 +927,11 @@ gtp_v1_print(const u_char *cp, u_int length, u_short sport, u_short dport)
/* Header length is a 4 octet multiplier. */
hlen = (int)p[0] * 4;
+ if (hlen == 0) {
+ printf(" [Invalid zero-length header %u]",
+ nexthdr);
+ goto trunc;
+ }
TCHECK2(p[0], hlen);
switch (nexthdr) {