The TVLV parser must only start parsing a header when at least one complete TVLV header is available. Otherwise memory beyond the received data might be accessed.
This regression was introduced by 4c39fb823b86036df40187f8bd342fe5398c28ef ("batctl: tcpdump - parse TVLV containers").
Signed-off-by: Sven Eckelmann sven@narfation.org --- tcpdump.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tcpdump.c b/tcpdump.c
index c3c847e..3e57544 100644
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -256,7 +256,7 @@ static void dump_batman_ucast_tvlv(unsigned char *packet_buff, ssize_t buff_len,
ptr = (uint8_t *)(tvlv_packet + 1);
- while (tvlv_len > 0) {
+ while (tvlv_len >= (ssize_t)sizeof(*tvlv_hdr)) {
 tvlv_hdr = (struct batadv_tvlv_hdr *)ptr;
 len = ntohs(tvlv_hdr->len);
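Review bot: The new guard in dump_batman_ucast_tvlv only proves that one TVLV header fits in the remaining tvlv_len; the `len` read with `ntohs(tvlv_hdr->len)` on the following context line comes from the packet itself and is not bounded anywhere in the hunk, so unless the loop body compares it against `tvlv_len - sizeof(*tvlv_hdr)` before handing the payload to a per-type dump routine or advancing `ptr`, an out-of-range length value still lets the parser read past the received buffer. A check directly after that line, `if (len > tvlv_len - (ssize_t)sizeof(*tvlv_hdr)) break;`, would close this using the same ssize_t arithmetic the new guard already relies on. The identical loop in dump_batman_iv_ogm in the second hunk has the same property and would want the same check. Both loop bodies continue outside their hunks, so this may already be handled there; if so, a short comment above each `while` stating that the header check covers only the header and the body length is validated below would make the two-step bound explicit to the next reader.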
@@ -685,7 +685,7 @@ static void dump_batman_iv_ogm(unsigned char *packet_buff, ssize_t buff_len, int
ptr = (uint8_t *)(batman_ogm_packet + 1);
- while (tvlv_len > 0) {
+ while (tvlv_len >= (ssize_t)sizeof(*tvlv_hdr)) {
 tvlv_hdr = (struct batadv_tvlv_hdr *)ptr;
 len = ntohs(tvlv_hdr->len);