authorFlorian Forster <octo@leeloo.lan.home.verplant.org>2009-05-16 13:01:52 +0200
committerGuy Harris <gharris@steve.local>2009-05-21 10:09:45 -0700
commitefb465c5a81245351bb374184b9217c06b66cc44 (patch)
treecd76bed4412d7161042e712d39044ebda69b7ed5 /print-olsr.c
parentdc4380a690c0c4532f59cdb95afdb750702038b3 (diff)
downloadtcpdump-efb465c5a81245351bb374184b9217c06b66cc44.tar.gz
print-olsr: Don't trust the package payload.
Especially not to do pointer arithmetic. This is a real problem even without malicious people around if you use OLSR via IPv6, because the message IDs didn't change but addresses are now longer than four bytes. Signed-off-by: Florian Forster <octo@leeloo.lan.home.verplant.org>
Diffstat (limited to 'print-olsr.c')
-rw-r--r--print-olsr.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/print-olsr.c b/print-olsr.c
index 54709b76..41476195 100644
--- a/print-olsr.c
+++ b/print-olsr.c
@@ -286,6 +286,7 @@ olsr_print (const u_char *pptr, u_int length)
msg_tlen -= sizeof(struct olsr_hello);
while (msg_tlen >= sizeof(struct olsr_hello_link)) {
+ int hello_len_valid = 0;
/*
* link-type.
@@ -299,10 +300,18 @@ olsr_print (const u_char *pptr, u_int length)
link_type = OLSR_EXTRACT_LINK_TYPE(ptr.hello_link->link_code);
neighbor_type = OLSR_EXTRACT_NEIGHBOR_TYPE(ptr.hello_link->link_code);
- printf("\n\t link-type %s, neighbor-type %s, len %u",
+ if ((hello_len <= msg_tlen)
+ && (hello_len >= sizeof(struct olsr_hello_link)))
+ hello_len_valid = 1;
+
+ printf("\n\t link-type %s, neighbor-type %s, len %u%s",
tok2str(olsr_link_type_values, "Unknown", link_type),
tok2str(olsr_neighbor_type_values, "Unknown", neighbor_type),
- hello_len);
+ hello_len,
+ (hello_len_valid == 0) ? " (invalid)" : "");
+
+ if (hello_len_valid == 0)
+ break;
msg_data += sizeof(struct olsr_hello_link);
msg_tlen -= sizeof(struct olsr_hello_link);
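Review bot: The new bounds test on `hello_len` carries no comment explaining why both limits matter, and it measures against `msg_tlen`, which presumably comes from a length field in the packet rather than from the captured byte count. I would add above the `if`: `/* hello_len must cover the link header and still fit in the rest of the message; anything else is a malformed packet */`. Whether `msg_tlen` has already been clamped to the captured data, and whether a truncation check guards the `ptr.hello_link->link_code` reads, is decided outside this hunk in `olsr_print`, so confirm that before relying on this test alone. The commit message names IPv6 address size as the trigger, but nothing in the visible lines changes how addresses are sized, so an IPv6 HELLO presumably ends at the `(invalid)` break rather than being decoded.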