authorGuy Harris <gharris@sonic.net>2020-05-27 23:22:58 -0700
committerGuy Harris <gharris@sonic.net>2020-05-27 23:22:58 -0700
commitfc1f0e7e582c75239590da976b91d0568c6f9d57 (patch)
tree711a70dcbae5f0f8a756a339e4b480c4b42537ff /print-macsec.c
parentd4c025123311850573425b317eca79b52a64ac0f (diff)
downloadtcpdump-fc1f0e7e582c75239590da976b91d0568c6f9d57.tar.gz
macsec: further cleanups.
Add checks to make sure the on-the-wire length isn't too small. (Not all versions of libpcap require that the on-the-wire length be greater than or equal to the captured length.) Make sure both lengths are large enough before subtracting the ICV length.
Diffstat (limited to 'print-macsec.c')
-rw-r--r--print-macsec.c16
1 files changed, 14 insertions, 2 deletions
diff --git a/print-macsec.c b/print-macsec.c
index e5030588..a7bde0b9 100644
--- a/print-macsec.c
+++ b/print-macsec.c
@@ -110,6 +110,11 @@ int macsec_print(netdissect_options *ndo, const u_char **bp,
ndo->ndo_protocol = save_protocol;
return hdrlen + caplen;
}
+ if (length < MACSEC_SECTAG_LEN_NOSCI) {
+ nd_print_trunc(ndo);
+ ndo->ndo_protocol = save_protocol;
+ return hdrlen + caplen;
+ }
if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC) {
sectag_len = MACSEC_SECTAG_LEN_SCI;
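Review bot: The new `length < MACSEC_SECTAG_LEN_NOSCI` branch reports a frame whose on-the-wire length cannot hold a SecTag with `nd_print_trunc(ndo)`, the marker also used for snapshot truncation, so a malformed frame looks the same as a short capture in the output. If `nd_print_invalid()` is available on this branch, I would call `nd_print_invalid(ndo);` here and in the matching `length < MACSEC_SECTAG_LEN_SCI` branch of the next hunk, keeping `nd_print_trunc()` for the preceding checks (only their tails are visible; presumably they test `caplen`). A comment such as `/* on-the-wire length too short for a SecTag: malformed, not snap-truncated */` above each new test would also record why both lengths are checked. The body of macsec_print starts and ends outside this hunk.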
@@ -118,6 +123,11 @@ int macsec_print(netdissect_options *ndo, const u_char **bp,
ndo->ndo_protocol = save_protocol;
return hdrlen + caplen;
}
+ if (length < MACSEC_SECTAG_LEN_SCI) {
+ nd_print_trunc(ndo);
+ ndo->ndo_protocol = save_protocol;
+ return hdrlen + caplen;
+ }
} else
sectag_len = MACSEC_SECTAG_LEN_NOSCI;
@@ -165,8 +175,10 @@ int macsec_print(netdissect_options *ndo, const u_char **bp,
* ICV length from the lengths, so our caller
* doesn't treat it as payload.
*/
- *lengthp -= MACSEC_DEFAULT_ICV_LEN;
- *caplenp -= MACSEC_DEFAULT_ICV_LEN;
+ if (*lengthp >= MACSEC_DEFAULT_ICV_LEN)
+ *lengthp -= MACSEC_DEFAULT_ICV_LEN;
+ if (*caplenp >= MACSEC_DEFAULT_ICV_LEN)
+ *caplenp -= MACSEC_DEFAULT_ICV_LEN;
ndo->ndo_protocol = save_protocol;
return -1;
}
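Review bot: When `*lengthp` or `*caplenp` is below `MACSEC_DEFAULT_ICV_LEN`, the new guards skip the subtraction without any indication, so the function still returns -1 with lengths that cover the leftover bytes, and the caller (outside this hunk) will presumably treat a partial ICV as payload. The two guards are also independent, so one length can shrink while the other stays as it was. Assuming an ICV is always expected at this point, the remaining on-the-wire bytes can only be ICV, so `else *lengthp = 0;` looks like the safer fallback; the `*caplenp` case deserves at least a comment such as `/* too short to hold the ICV; left unchanged on purpose */`. Bracing both `if` bodies would match the braced checks added earlier in this function.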