Fix a segfault in the GRE printer when a GRE packet SRE length extends past the actual captured length (but not the packet's original length).
gre_print() now checks if the length extends past snapend and, if so, uses the snapend to determine the usable length. Also includes a small change to use the already defined GRE_VERS instead of a hardcoded mask. Note that the GRE printer does its own length testing. It would probably be better to migrate it to use the TCHECK* functions instead of the manual length check logic it's doing now.
Index: print-gre.c =================================================================== RCS file: /cvs/src/usr.sbin/tcpdump/print-gre.c,v retrieving revision 1.9 diff -u -p -r1.9 print-gre.c --- print-gre.c 16 Jan 2015 06:40:21 -0000 1.9 +++ print-gre.c 4 Nov 2015 02:52:41 -0000 @@ -73,11 +73,14 @@ gre_print(const u_char *bp, u_int length { u_int len = length, vers; + if (bp + len > snapend) + len = snapend - bp; + if (len < 2) { printf("[|gre]"); return; } - vers = EXTRACT_16BITS(bp) & 7; + vers = EXTRACT_16BITS(bp) & GRE_VERS; if (vers == 0) gre_print_0(bp, len);