dump_ipv6() is doing a length check for the original ICMPv6 header length. But the neighbor solicitation (which is also handled by this function) is accessed without doing an additional length check. So it is possible that it tries to read outside of the received data.
Fixes: 35b37756f4a3 ("add IPv6 support to tcpdump parser") Cc: Marco Dalla Torre marco.dallato@gmail.com Signed-off-by: Sven Eckelmann sven@narfation.org --- tcpdump.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/tcpdump.c b/tcpdump.c index 2ae3909..c253755 100644 --- a/tcpdump.c +++ b/tcpdump.c @@ -652,6 +652,8 @@ static void dump_ipv6(unsigned char *packet_buff, ssize_t buff_len, (size_t)buff_len - sizeof(struct icmp6_hdr)); break; case ND_NEIGHBOR_SOLICIT: + LEN_CHECK((size_t)buff_len - (size_t)(sizeof(struct ip6_hdr)), + sizeof(*nd_neigh_sol), "ICMPv6 Neighbor Solicitation"); nd_neigh_sol = (struct nd_neighbor_solicit *)icmphdr; inet_ntop(AF_INET6, &(nd_neigh_sol->nd_ns_target), nd_nas_target, 40);