Make sure the length of the header is valid.

It must be at least 2, as it includes the lengths of the Base and Service Path headers, and those are always present.
author: Guy Harris <guy@alum.mit.edu> 2016-03-25 12:49:37 -0700
committer: Guy Harris <guy@alum.mit.edu> 2016-03-25 12:49:37 -0700
commit: 3d11d28ba07fffcbfd460cdb1fe95eded061e2f3 (patch)
tree: d0e6fd904fa46f894ca33a577dd65f274dd7da53 /print-nsh.c
parent: f0b959c53eae8e655e26ef7faf202c9bf8967b0f (diff)
download: tcpdump-3d11d28ba07fffcbfd460cdb1fe95eded061e2f3.tar.gz
1 files changed, 12 insertions, 1 deletions
diff --git a/print-nsh.c b/print-nsh.c
index a5b464e9..1a27b713 100644
--- a/print-nsh.c
+++ b/print-nsh.c
@@ -97,12 +97,23 @@ nsh_print(netdissect_options *ndo, const u_char *bp, u_int len)
     ND_PRINT((ndo, "service-path-id 0x%06x, ", service_path_id));
     ND_PRINT((ndo, "service-index 0x%x", service_index));
 
-    /* print Context Headers */
+    /* Make sure we have all the headers */
     if (len < length * NSH_HDR_WORD_SIZE)
         goto trunc;
 
     ND_TCHECK2(*bp, length * NSH_HDR_WORD_SIZE);
 
+    /*
+     * length includes the lengths of the Base and Service Path headers.
+     * That means it must be at least 2.
+     */
+    if (length < 2)
+        goto trunc;
+
+    /*
+     * Print, or skip, the Context Headers.
+     * (length - 2) is the length of those headers.
+     */
     if (ndo->ndo_vflag > 2) {
         if (md_type == 0x01) {
             for (n = 0; n < length - 2; n++) {
author	Guy Harris <guy@alum.mit.edu>	2016-03-25 12:49:37 -0700
committer	Guy Harris <guy@alum.mit.edu>	2016-03-25 12:49:37 -0700
commit	3d11d28ba07fffcbfd460cdb1fe95eded061e2f3 (patch)
tree	d0e6fd904fa46f894ca33a577dd65f274dd7da53 /print-nsh.c
parent	f0b959c53eae8e655e26ef7faf202c9bf8967b0f (diff)
download	tcpdump-3d11d28ba07fffcbfd460cdb1fe95eded061e2f3.tar.gz