Fixes to BGP problems, from Dirk Steinberg.

Add some additional bounds checking to "decode_MPLS_stack()" so as not to overflow the buffer handed to it. svn path=/trunk/; revision=5518
2002-05-21 21:55:47 +00:00 · 2002-05-21 21:55:47 +00:00 · 66e28fbb4a
parent 2667dfed9a
commit 66e28fbb4a
3 changed files with 21 additions and 4 deletions
--- a/6
+++ b/6
@ -1203,7 +1203,11 @@ Andrew Esh <Andrew.Esh[AT]tricord.com> {
 }

 Greg Morris <GMORRIS[AT]novell.com> {
-    NCP - NetWare Core Protocol
+	NCP - NetWare Core Protocol
+}
+
+Dirk Steinberg <dws[AT]dirksteinberg.de> {
+	Fixes to BGP problems
 }

 Alain Magloire <alainm[AT]rcsm.ece.mcgill.ca> was kind enough to
--- a/doc/ethereal.pod.template
+++ b/doc/ethereal.pod.template
@ -1420,6 +1420,7 @@ B<http://www.ethereal.com>.
  Ruud Linders             <ruud[AT]lucent.com>
  Andrew Esh               <Andrew.Esh[AT]tricord.com>
  Greg Morris              <GMORRIS[AT]novell.com>
+  Dirk Steinberg           <dws[AT]dirksteinberg.de>

 Alain Magloire <alainm[AT]rcsm.ece.mcgill.ca> was kind enough to give his
 permission to use his version of snprintf.c.
--- a/packet-bgp.c
+++ b/packet-bgp.c
@ -2,7 +2,7 @@
 * Routines for BGP packet dissection.
 * Copyright 1999, Jun-ichiro itojun Hagino <itojun@itojun.org>
 *
- * $Id: packet-bgp.c,v 1.58 2002/05/21 21:44:28 guy Exp $
+ * $Id: packet-bgp.c,v 1.59 2002/05/21 21:55:46 guy Exp $
 *
 * Supports:
 * RFC1771 A Border Gateway Protocol 4 (BGP-4)
@ -303,10 +303,11 @@ decode_prefix6(tvbuff_t *tvb, gint offset, char *buf, int buflen)
 * Decode an MPLS label stack
 */
 static int
-decode_MPLS_stack(tvbuff_t *tvb, gint offset, char *buf, int buflen)
+decode_MPLS_stack(tvbuff_t *tvb, gint offset, char *buf, size_t buflen)
 {
    guint32     label_entry;    /* an MPLS label enrty (label + COS field + stack bit   */
    gint        index;          /* index for the label stack                            */
+    char        junk_buf[256];  /* tmp                                                  */

    index = offset ;
    label_entry = 0x000000 ;
@ -322,8 +323,19 @@ decode_MPLS_stack(tvbuff_t *tvb, gint offset, char *buf, int buflen)
            snprintf(buf, buflen, "0 (withdrawn)");
            return (1);
        }
-        snprintf(buf, buflen,"%s%u%s", buf, (label_entry >> 4), ((label_entry & 0x000001) == 0) ? "," : " (bottom)");
+
+        snprintf(junk_buf, sizeof(junk_buf),"%u%s", (label_entry >> 4), ((label_entry & 0x000001) == 0) ? "," : " (bottom)");
+	if (strlen(buf) + strlen(junk_buf) + 1 <= buflen)
+	    strcat(buf, junk_buf);
        index += 3 ;
+
+	if ((label_entry & 0x000001) == 0) {
+	    /* real MPLS multi-label stack in BGP? - maybe later; for now, it must be a bogus packet */
+	    strcpy(junk_buf, " (BOGUS: Bottom of Stack NOT set!)");
+	    if (strlen(buf) + strlen(junk_buf) + 1 <= buflen)
+		strcat(buf, junk_buf);
+	    break;
+	}	  
    }

    return((index - offset) / 3);