Skip to content

Commit 0ccd015

Browse files
guyharrisguyharris
committed
Use the length field in the UDP header.
If it's less than the length of the IP payload, use it as the size of the UDP packet. If it's greater than the length of the IP payload, and we're not dissecting the payload, report the length as bad.
1 parent 2f655da commit 0ccd015

File tree

1 file changed

+27
-13
lines changed

1 file changed

+27
-13
lines changed

print-udp.c

+27-13
Original file line numberDiff line numberDiff line change
@@ -378,7 +378,6 @@ udp_print(register const u_char *bp, u_int length,
378378
else
379379
ip6 = NULL;
380380
#endif /*INET6*/
381-
cp = (u_char *)(up + 1);
382381
if (!TTEST(up->uh_dport)) {
383382
udpipaddr_print(ip, -1, -1);
384383
(void)printf("[|udp]");
@@ -393,20 +392,24 @@ udp_print(register const u_char *bp, u_int length,
393392
(void)printf("truncated-udp %d", length);
394393
return;
395394
}
396-
length -= sizeof(struct udphdr);
397-
398-
if (cp > snapend) {
395+
ulen = EXTRACT_16BITS(&up->uh_ulen);
396+
if (ulen < sizeof(struct udphdr)) {
399397
udpipaddr_print(ip, sport, dport);
400-
(void)printf("[|udp]");
398+
printf("truncated-udplength %d", ulen);
401399
return;
402400
}
401+
ulen -= sizeof(struct udphdr);
402+
length -= sizeof(struct udphdr);
403+
if (ulen < length)
404+
length = ulen;
403405

404-
ulen = EXTRACT_16BITS(&up->uh_ulen);
405-
if (ulen < 8) {
406+
cp = (u_char *)(up + 1);
407+
if (cp > snapend) {
406408
udpipaddr_print(ip, sport, dport);
407-
(void)printf("truncated-udplength %d", ulen);
409+
printf("[|udp]");
408410
return;
409411
}
412+
410413
if (packettype) {
411414
register struct sunrpc_msg *rp;
412415
enum sunrpc_msg_type direction;
@@ -682,12 +685,23 @@ udp_print(register const u_char *bp, u_int length,
682685
otv_print((const u_char *)(up + 1), length);
683686
else if (ISPORT(VXLAN_PORT))
684687
vxlan_print((const u_char *)(up + 1), length);
685-
else
686-
(void)printf("UDP, length %u",
687-
(u_int32_t)(ulen - sizeof(*up)));
688+
else {
689+
if (ulen > length)
690+
printf("UDP, bad length %u > %u",
691+
ulen, length);
692+
else
693+
printf("UDP, length %u",
694+
(uint32_t)(ulen - sizeof(*up)));
695+
}
688696
#undef ISPORT
689-
} else
690-
(void)printf("UDP, length %u", (u_int32_t)(ulen - sizeof(*up)));
697+
} else {
698+
if (ulen > length)
699+
printf("UDP, bad length %u > %u",
700+
ulen, length);
701+
else
702+
printf("UDP, length %u",
703+
(uint32_t)(ulen - sizeof(*up)));
704+
}
691705
}
692706

693707

0 commit comments

Comments
 (0)