IPX: Add a length check

This fix an undefined behavior at runtime. The error was: print-ipx.c:93:43: runtime error: unsigned integer overflow: 29 - 30 cannot be represented in type 'unsigned int' Add a test case.
author: Francois-Xavier Le Bail <devel.fx.lebail@orange.fr> 2019-03-11 22:07:06 +0100
committer: Francois-Xavier Le Bail <devel.fx.lebail@orange.fr> 2019-03-11 22:07:06 +0100
commit: a24cccfd4abcda51db9f73f46d425c7c1e357a87 (patch)
tree: 4651143709cc1cd1f38e568e72b241744d64c95e /print-ipx.c
parent: 2f6c71013128c8fd03faf71f5d3b8727cd984352 (diff)
download: tcpdump-a24cccfd4abcda51db9f73f46d425c7c1e357a87.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/print-ipx.c b/print-ipx.c
index 674dd457..c724e87f 100644
--- a/print-ipx.c
+++ b/print-ipx.c
@@ -90,6 +90,11 @@ ipx_print(netdissect_options *ndo, const u_char *p, u_int length)
 	ND_TCHECK_2(ipx->length);
 	length = EXTRACT_BE_U_2(ipx->length);
 
+	if (length < ipxSize) {
+		ND_PRINT("[length %u < %u]", length, ipxSize);
+		nd_print_invalid(ndo);
+		return;
+	}
 	ipx_decode(ndo, ipx, p + ipxSize, length - ipxSize);
 	return;
 trunc:
author	Francois-Xavier Le Bail <devel.fx.lebail@orange.fr>	2019-03-11 22:07:06 +0100
committer	Francois-Xavier Le Bail <devel.fx.lebail@orange.fr>	2019-03-11 22:07:06 +0100
commit	a24cccfd4abcda51db9f73f46d425c7c1e357a87 (patch)
tree	4651143709cc1cd1f38e568e72b241744d64c95e /print-ipx.c
parent	2f6c71013128c8fd03faf71f5d3b8727cd984352 (diff)
download	tcpdump-a24cccfd4abcda51db9f73f46d425c7c1e357a87.tar.gz