On 2015/11/03 20:04, Kevin Reay wrote:
> Fix a segfault in the GRE printer when a GRE packet SRE length
> extends past the actual captured length (but not the packet's
> original length).
That's OK with me.. > gre_print() now checks if the length extends past snapend and, if so, > uses the snapend to determine the usable length. > > Also includes a small change to use the already defined GRE_VERS > instead of a hardcoded mask. > > Note that the GRE printer does its own length testing. It would > probably be better to migrate it to use the TCHECK* functions instead > of the manual length check logic it's doing now. > Index: print-gre.c > =================================================================== > RCS file: /cvs/src/usr.sbin/tcpdump/print-gre.c,v > retrieving revision 1.9 > diff -u -p -r1.9 print-gre.c > --- print-gre.c 16 Jan 2015 06:40:21 -0000 1.9 > +++ print-gre.c 4 Nov 2015 02:52:41 -0000 > @@ -73,11 +73,14 @@ gre_print(const u_char *bp, u_int length > { > u_int len = length, vers; > > + if (bp + len > snapend) > + len = snapend - bp; > + > if (len < 2) { > printf("[|gre]"); > return; > } > - vers = EXTRACT_16BITS(bp) & 7; > + vers = EXTRACT_16BITS(bp) & GRE_VERS; > > if (vers == 0) > gre_print_0(bp, len);
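Review bot: the new clamp `if (bp + len > snapend)` forms a pointer past the end of the captured buffer before comparing it, which is undefined behaviour in C whenever `bp + len` overruns the capture; compare lengths instead, e.g. `if (len > (u_int)(snapend - bp))`, which is also the quantity the clamp itself assigns (`len = snapend - bp`). Two smaller points on the same hunk: the clamp silently shortens `len`, so the sub-printers (`gre_print_0` and friends) then see a self-consistent length and the `[|gre]` truncation marker only appears if the clamped length drops below 2; consider recording that a clamp happened so the output still flags the packet as truncated. And since the hunk does not show the definition of `GRE_VERS`, confirm it is defined as 7 so that replacing the literal mask does not change which bits select the version.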