diff options
author | 2020-10-26 23:19:18 +0000 | |
---|---|---|
committer | 2020-10-26 23:19:18 +0000 | |
commit | 9d41c16906b279ed9301276a66fe6b416bc36526 (patch) | |
tree | 7462f6475ac1b377e4d32d3164a47ddc1d577358 | |
parent | Retguard asm macros for powerpc libc, ld.so (diff) | |
download | wireguard-openbsd-9d41c16906b279ed9301276a66fe6b416bc36526.tar.xz wireguard-openbsd-9d41c16906b279ed9301276a66fe6b416bc36526.zip |
Fix parsing GTP packets with invalid extended headers.
In GTP a zero extended header length is invalid, deal with this instead
of looping forever.
Report and fix by Peter J. Philipp, tweaked by me, ok kn@
-rw-r--r-- | usr.sbin/tcpdump/print-gtp.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/usr.sbin/tcpdump/print-gtp.c b/usr.sbin/tcpdump/print-gtp.c index c1c295d02cb..c21db86fe1e 100644 --- a/usr.sbin/tcpdump/print-gtp.c +++ b/usr.sbin/tcpdump/print-gtp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: print-gtp.c,v 1.12 2020/05/20 01:20:37 dlg Exp $ */ +/* $OpenBSD: print-gtp.c,v 1.13 2020/10/26 23:19:18 jca Exp $ */ /* * Copyright (c) 2009, 2010 Joel Sing <jsing@openbsd.org> * @@ -927,6 +927,11 @@ gtp_v1_print(const u_char *cp, u_int length, u_short sport, u_short dport) /* Header length is a 4 octet multiplier. */ hlen = (int)p[0] * 4; + if (hlen == 0) { + printf(" [Invalid zero-length header %u]", + nexthdr); + goto trunc; + } TCHECK2(p[0], hlen); switch (nexthdr) { |