Fix a segfault in the GRE printer when a GRE packet SRE length
extends past the actual captured length (but not the packet's
original length).

gre_print() now checks if the length extends past snapend and, if so,
uses the snapend to determine the usable length.

Also includes a small change to use the already defined GRE_VERS
instead of a hardcoded mask.

Note that the GRE printer does its own length testing. It would
probably be better to migrate it to use the TCHECK* functions instead
of the manual length check logic it's doing now.

Index: print-gre.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-gre.c,v
retrieving revision 1.9
diff -u -p -r1.9 print-gre.c
--- print-gre.c 16 Jan 2015 06:40:21 -0000      1.9
+++ print-gre.c 4 Nov 2015 02:52:41 -0000
@@ -73,11 +73,14 @@ gre_print(const u_char *bp, u_int length
 {
        u_int len = length, vers;
 
+       if (bp + len > snapend)
+               len = snapend - bp;
+
        if (len < 2) {
                printf("[|gre]");
                return;
        }
-       vers = EXTRACT_16BITS(bp) & 7;
+       vers = EXTRACT_16BITS(bp) & GRE_VERS;
 
        if (vers == 0)
                gre_print_0(bp, len);
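Review bot: the new guard `if (bp + len > snapend) len = snapend - bp;` only works when `bp` itself is still at or before `snapend`; if gre_print() is ever entered with `bp` already past the captured end, `snapend - bp` is negative and the conversion to `u_int len` produces a huge value, so the following `if (len < 2)` test no longer protects the `EXTRACT_16BITS(bp)` read. Suggest guarding both ends, e.g. `if (bp >= snapend || bp + len > snapend) len = (bp < snapend) ? snapend - bp : 0;`, or, as the description itself proposes, moving the printer to the TCHECK* macros, which already encode this bound check. Replacing the literal `7` with `GRE_VERS` is a good readability fix and does not change behaviour as long as GRE_VERS is the 3-bit version mask.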
