Return early from atalk_print_llap() if the length is less than the

size of a header to avoid an integer underflow. Found with afl.
author: jsg <jsg@openbsd.org> 2016-10-28 12:54:05 +0000
committer: jsg <jsg@openbsd.org> 2016-10-28 12:54:05 +0000
commit: c9f03debedfb922d320ae614468de89038605f4c (patch)
tree: 9304e3c7dc0f8ce909268138f6f66ae8dbacce43 /usr.sbin/tcpdump/print-atalk.c
parent: Don't assume s->ifname is NUL terminated and printable. (diff)
download: wireguard-openbsd-c9f03debedfb922d320ae614468de89038605f4c.tar.xz
wireguard-openbsd-c9f03debedfb922d320ae614468de89038605f4c.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/usr.sbin/tcpdump/print-atalk.c b/usr.sbin/tcpdump/print-atalk.c
index bc995619007..815c12d50e2 100644
--- a/usr.sbin/tcpdump/print-atalk.c
+++ b/usr.sbin/tcpdump/print-atalk.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: print-atalk.c,v 1.30 2015/11/15 20:35:36 mmcc Exp $	*/
+/*	$OpenBSD: print-atalk.c,v 1.31 2016/10/28 12:54:05 jsg Exp $	*/
 
 /*
  * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -128,6 +128,11 @@ atalk_print_llap(const u_char *bp, u_int length)
 	const struct atShortDDP *sdp;
 	u_short snet;
 
+	if (length < sizeof(*lp)) {
+		(void)printf(" [|llap %d]", length);
+		return;
+	}
+
 	lp = (struct LAP *)bp;
 	bp += sizeof(*lp);
 	length -= sizeof(*lp);
author	jsg <jsg@openbsd.org>	2016-10-28 12:54:05 +0000
committer	jsg <jsg@openbsd.org>	2016-10-28 12:54:05 +0000
commit	c9f03debedfb922d320ae614468de89038605f4c (patch)
tree	9304e3c7dc0f8ce909268138f6f66ae8dbacce43 /usr.sbin/tcpdump/print-atalk.c
parent	Don't assume s->ifname is NUL terminated and printable. (diff)
download	wireguard-openbsd-c9f03debedfb922d320ae614468de89038605f4c.tar.xz wireguard-openbsd-c9f03debedfb922d320ae614468de89038605f4c.zip