author Guy Harris <guy@alum.mit.edu> 2019-05-03 11:11:58 -0700
committer Guy Harris <guy@alum.mit.edu> 2019-05-03 11:11:58 -0700
commit 2055e39f2af0aba1ab3945ea8f3e82c614a691a3
tree f41130a1a7efc0a598e5838e41684f5b83334131 /print-ip6.c
parent cba9b77a98e9dde764abde71a899ee8937ca56e8
Add more checks.

Check that the payload specified in a Jumbo Payload option isn't smaller than the total number of bytes worth of extension headers; if it is, report truncation.

Check that:

1) we don't have more than one Jumbo Payload option;
2) we don't have a Jumbo Payload option if the payload length in the IPv6 header was non-zero;
3) we don't have a Jumbo Payload option with a value < 65536.

Diffstat (limited to 'print-ip6.c')
-rw-r--r-- print-ip6.c 6
1 files changed, 6 insertions, 0 deletions
diff --git a/print-ip6.c b/print-ip6.c
index 2cc4e309..15e13c2b 100644
--- a/print-ip6.c
+++ b/print-ip6.c
@@ -413,8 +413,14 @@ ip6_print(netdissect_options *ndo, const u_char *bp, u_int length)
* Set the length to the payload length
* plus the IPv6 header length, and
* change the snapshot length accordingly.
+ *
+ * But make sure it's not shorter than
+ * the total number of bytes we've
+ * processed so far.
*/
len = payload_len + sizeof(struct ip6_hdr);
+ if (len < total_advance)
+ goto trunc;
if (length < len)
ND_PRINT("truncated-ip6 - %u bytes missing!",
len - length);
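
Review bot: the new `if (len < total_advance)` test runs after `len = payload_len + sizeof(struct ip6_hdr);`, so it compares a value that includes the fixed IPv6 header against `total_advance`. The added comment should say whether `total_advance` also counts that header, because if it counts only extension headers the test is lenient by `sizeof(struct ip6_hdr)` bytes. The addition itself is unchecked: if `payload_len` and `len` have the same unsigned width, a Jumbo Payload value close to the maximum of that type makes `len` wrap before the comparison, so consider rejecting such values ahead of the addition instead of relying on the wrapped result happening to be smaller than `total_advance`. A smaller point: `goto trunc` reports this case as truncation (as the commit message intends), while the branch just below prints a specific `truncated-ip6` message; a distinct message for an inconsistent Jumbo Payload length would make the output easier to tell apart from a short capture.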