On Tue, Jan 23, 2001 at 10:22:49PM -0800, Guy Harris wrote:
> I'll look into that.
Well, one of the problems may be the result of "TTEST2()" doing
#define TTEST2(var, l) ((u_char *)&(var) <= snapend - (l))
rather than
#define TTEST2(var, l) ((u_char *)&(var) + (l) <= snapend)
as the "TCHECK2()" call in "parsefn()" is
TCHECK2(*dp, ((len + 3) & ~3));
and "dp" was 0x815e08a and "len" is 1701551594, or 0x656b9dea, which is
probably greater than "snapend", so the test may have succeeded when it
should have failed, so "parsefn()" didn't just quit and return NULL when
the length it apparently fetched from the packet was bogus.
Of course, if "l" is *REALLY* big, this wouldn't help, as it could make
"(u_char *)&(var) + l" wrap around, again causing "TTEST2()" to succeed
when it should have failed.
If we're willing to require that the first argument to "TTEST2()" and
"TCHECK2()", and the sole argument to "TTEST()" and "TCHECK()", be <=
"snapend", i.e. require that we not have gone any further than one byte
past the end of the packet, we could do
#define TTEST2(var, l) (snapend - (u_char *)&(var) >= (l))
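As an added illustration (not tcpdump's code and not part of the message above), here are the three TTEST2() forms evaluated over 32-bit unsigned "addresses", so the pointer wraparound described above can be reproduced on any host; the "dp" and "len" values are the ones quoted above, while the snapend value and the 0xfffffff0 length are constructed.

```c
/* Constructed example: the three TTEST2() forms from the message, applied
 * to uint32_t values to emulate 32-bit pointer arithmetic (which wraps
 * modulo 2^32) regardless of the host's pointer size. */
#include <stdint.h>
#include <stdio.h>

/* Original form: (u_char *)&(var) <= snapend - (l).
 * snapend - l can wrap below zero and come back as a huge address. */
static int ttest2_orig(uint32_t var, uint32_t snapend, uint32_t l)
{
    return var <= (uint32_t)(snapend - l);
}

/* Proposed form: (u_char *)&(var) + (l) <= snapend.
 * Correct unless var + l itself wraps around. */
static int ttest2_add(uint32_t var, uint32_t snapend, uint32_t l)
{
    return (uint32_t)(var + l) <= snapend;
}

/* Subtraction form: snapend - (u_char *)&(var) >= (l).
 * The message requires var <= snapend as a precondition; here it is
 * checked inline, after which no wrap is possible. */
static int ttest2_sub(uint32_t var, uint32_t snapend, uint32_t l)
{
    return var <= snapend && (snapend - var) >= l;
}

int main(void)
{
    uint32_t dp = 0x815e08au;            /* "dp" from the message */
    uint32_t snapend = dp + 22;          /* constructed: 22 bytes remain */
    uint32_t len = 1701551594u;          /* "len" from the message */
    uint32_t l = (len + 3) & ~3u;        /* TCHECK2(*dp, ((len + 3) & ~3)) */
    uint32_t huge = 0xfffffff0u;         /* constructed: makes var + l wrap */

    printf("bogus len: orig=%d add=%d sub=%d (want 0 0 0)\n",
           ttest2_orig(dp, snapend, l), ttest2_add(dp, snapend, l),
           ttest2_sub(dp, snapend, l));
    printf("huge len:  orig=%d add=%d sub=%d (want 0 0 0)\n",
           ttest2_orig(dp, snapend, huge), ttest2_add(dp, snapend, huge),
           ttest2_sub(dp, snapend, huge));
    printf("in bounds: orig=%d add=%d sub=%d (want 1 1 1)\n",
           ttest2_orig(dp, snapend, 8), ttest2_add(dp, snapend, 8),
           ttest2_sub(dp, snapend, 8));
    return 0;
}
```

Only the subtraction form rejects both the bogus length from the packet and the wrapping length, which is the point of the precondition the message proposes.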
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html