From 30901383d9743608cede511c78192a873e27620d Mon Sep 17 00:00:00 2001
From: itojun
Date: Wed, 9 May 2001 02:50:02 +0000
Subject: [PATCH] correct ip6 option header chasing. sync with tcpdump.org.
---
 usr.sbin/tcpdump/print-ip6opts.c | 46 +++++++++++++++++++-------------
 1 file changed, 27 insertions(+), 19 deletions(-)
diff --git a/usr.sbin/tcpdump/print-ip6opts.c b/usr.sbin/tcpdump/print-ip6opts.c
index af86f3e5688c..2943a302602a 100644
--- a/usr.sbin/tcpdump/print-ip6opts.c
+++ b/usr.sbin/tcpdump/print-ip6opts.c
@@ -1,4 +1,4 @@
-/* $NetBSD: print-ip6opts.c,v 1.5 2001/01/28 10:05:06 itojun Exp $ */
+/* $NetBSD: print-ip6opts.c,v 1.6 2001/05/09 02:50:02 itojun Exp $ */
 /*
 * Copyright (C) 1998 WIDE Project.
@@ -31,7 +31,7 @@
 #ifndef lint
 #include
-__RCSID("$NetBSD: print-ip6opts.c,v 1.5 2001/01/28 10:05:06 itojun Exp $");
+__RCSID("$NetBSD: print-ip6opts.c,v 1.6 2001/05/09 02:50:02 itojun Exp $");
 #endif
 #ifdef INET6
@@ -87,10 +87,20 @@ ip6_sopt_print(const u_char *bp, int len)
 int optlen;
 for (i = 0; i < len; i += optlen) {
+ if (bp[i] == IP6OPT_PAD1)
+ optlen = 1;
+ else {
+ if (i + 1 < len)
+ optlen = bp[i + 1] + 2;
+ else
+ goto trunc;
+ }
+ if (i + optlen > len)
+ goto trunc;
+
 switch (bp[i]) {
 case IP6OPT_PAD1:
 printf(", pad1");
- optlen = 1;
 break;
 case IP6OPT_PADN:
 if (len - i < IP6OPT_MINLEN) {
@@ -98,7 +108,6 @@ ip6_sopt_print(const u_char *bp, int len)
 goto trunc;
 }
 printf(", padn");
- optlen = bp[i + 1] + 2;
 break;
 case IP6SOPT_ALTCOA:
 if (len - i < IP6SOPT_ALTCOA_MINLEN) {
@@ -106,7 +115,6 @@ ip6_sopt_print(const u_char *bp, int len)
 goto trunc;
 }
 printf(", alt-CoA: %s", ip6addr_string(&bp[i+2]));
- optlen = bp[i + 1] + 2;
 break;
 case IP6SOPT_UI:
 if (len - i < IP6SOPT_UI_MINLEN) {
@@ -114,7 +122,6 @@ ip6_sopt_print(const u_char *bp, int len)
 goto trunc;
 }
 printf("(ui: 0x%04x) ", ntohs(*(u_int16_t *)&bp[i + 2]));
- optlen = bp[i + 1] + 2;
 break;
 default:
 if (len - i < IP6OPT_MINLEN) {
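Review bot: The sub-option cases that follow the added pre-check in ip6_sopt_print still test the remaining buffer, `len - i < IP6SOPT_ALTCOA_MINLEN` and `len - i < IP6SOPT_UI_MINLEN` in the next hunks, not the sub-option's own declared length. An alt-CoA sub-option whose length byte is shorter than an address therefore passes whenever more data follows it inside `len`, and `ip6addr_string(&bp[i+2])` prints bytes that belong to the following sub-option. As `optlen` is now known and `i + optlen <= len` holds before the `switch`, the tests can compare it directly, e.g. `if (optlen < IP6SOPT_ALTCOA_MINLEN)`. The loop body runs past the end of this hunk and one line between each test and its `goto trunc` is not shown, so confirm nothing there already rejects short lengths.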
@@ -122,7 +129,6 @@ ip6_sopt_print(const u_char *bp, int len)
 goto trunc;
 }
 printf(", sopt_type 0x%02x: len=%d", bp[i], bp[i + 1]);
- optlen = bp[i + 1] + 2;
 break;
 }
 }
@@ -139,10 +145,20 @@ ip6_opt_print(const u_char *bp, int len)
 int optlen;
 for (i = 0; i < len; i += optlen) {
+ if (bp[i] == IP6OPT_PAD1)
+ optlen = 1;
+ else {
+ if (i + 1 < len)
+ optlen = bp[i + 1] + 2;
+ else
+ goto trunc;
+ }
+ if (i + optlen > len)
+ goto trunc;
+
 switch (bp[i]) {
 case IP6OPT_PAD1:
 printf("(pad1)");
- optlen = 1;
 break;
 case IP6OPT_PADN:
 if (len - i < IP6OPT_MINLEN) {
@@ -150,7 +166,6 @@ ip6_opt_print(const u_char *bp, int len)
 goto trunc;
 }
 printf("(padn)");
- optlen = bp[i + 1] + 2;
 break;
 case IP6OPT_ROUTER_ALERT:
 if (len - i < IP6OPT_RTALERT_LEN) {
@@ -162,7 +177,6 @@ ip6_opt_print(const u_char *bp, int len)
 goto trunc;
 }
 printf("(rtalert: 0x%04x) ", ntohs(*(u_int16_t *)&bp[i + 2]));
- optlen = IP6OPT_RTALERT_LEN;
 break;
 case IP6OPT_JUMBO:
 if (len - i < IP6OPT_JUMBO_LEN) {
@@ -174,7 +188,6 @@ ip6_opt_print(const u_char *bp, int len)
 goto trunc;
 }
 printf("(jumbo: %u) ", (u_int32_t)ntohl(*(u_int32_t *)&bp[i + 2]));
- optlen = IP6OPT_JUMBO_LEN;
 break;
 case IP6OPT_HOME_ADDRESS:
 if (len - i < IP6OPT_HOMEADDR_MINLEN) {
@@ -188,10 +201,9 @@ ip6_opt_print(const u_char *bp, int len)
 printf("(homeaddr: %s", ip6addr_string(&bp[i + 2]));
 if (bp[i + 1] > IP6OPT_HOMEADDR_MINLEN - 2) {
 ip6_sopt_print(&bp[i + IP6OPT_HOMEADDR_MINLEN],
- (optlen-IP6OPT_HOMEADDR_MINLEN));
+ (optlen - IP6OPT_HOMEADDR_MINLEN));
 }
 printf(")");
- optlen = bp[i + 1] + 2;
 break;
 case IP6OPT_BINDING_UPDATE:
 if (len - i < IP6OPT_BU_MINLEN) {
@@ -219,7 +231,6 @@ ip6_opt_print(const u_char *bp, int len)
 printf(", lifetime: %u", (u_int32_t)ntohs(*(u_int32_t *)&bp[i + 8]));
- optlen = bp[i + 1] + 2;
 if (bp[i + 1] > IP6OPT_BU_MINLEN - 2) {
 ip6_sopt_print(&bp[i + IP6OPT_BU_MINLEN], (optlen - IP6OPT_BU_MINLEN));
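Review bot: Every read in the ip6_opt_print loop, beginning with `bp[i]` and `bp[i + 1]` in the pre-check added at `@@ -139,10 +145,20 @@`, is bounded by `len` alone, and the hunk does not show `len` being compared with the amount of data actually captured. If a caller derives `len` from the extension header's length field without that comparison (callers are outside this page, so this is an assumption), a packet cut by the snap length could be read past the end of the capture buffer. I would document the precondition above the function, `/* caller must have verified that len bytes at bp were captured */`, or guard the first read with tcpdump's `TCHECK2` if no caller guarantees it. When reached from here, ip6_sopt_print inherits the bound, because its length argument is carved out of `optlen`, which the new `i + optlen > len` test keeps within `len`. The function body starts and ends outside the hunk.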
@@ -246,10 +257,9 @@ ip6_opt_print(const u_char *bp, int len)
 if (bp[i + 1] > IP6OPT_BA_MINLEN - 2) {
 ip6_sopt_print(&bp[i + IP6OPT_BA_MINLEN],
- (optlen-IP6OPT_BA_MINLEN));
+ (optlen - IP6OPT_BA_MINLEN));
 }
 printf(")");
- optlen = bp[i + 1] + 2;
 break;
 case IP6OPT_BINDING_REQ:
 if (len - i < IP6OPT_BR_MINLEN) {
@@ -259,10 +269,9 @@ ip6_opt_print(const u_char *bp, int len)
 printf("(br");
 if (bp[i + 1] > IP6OPT_BR_MINLEN - 2) {
 ip6_sopt_print(&bp[i + IP6OPT_BR_MINLEN],
- (optlen-IP6OPT_BR_MINLEN));
+ (optlen - IP6OPT_BR_MINLEN));
 }
 printf(")");
- optlen = bp[i + 1] + 2;
 break;
 default:
 if (len - i < IP6OPT_MINLEN) {
@@ -270,7 +279,6 @@ ip6_opt_print(const u_char *bp, int len)
 goto trunc;
 }
 printf("(opt_type 0x%02x: len=%d) ", bp[i], bp[i + 1]);
- optlen = bp[i + 1] + 2;
 break;
 }
 }