pppdump: Avoid out-of-range access to packet buffer
index 95e692c8774af4513747d7f7ae0f22810b5db6fe..b85a86271edacafcbae3f7329bce4e08bf5b0b94 100644 (file)
@@ -38,7 +38,7 @@
 #include <stdlib.h>
 #include <time.h>
 #include <sys/types.h>
-#include "ppp_defs.h"
+
 #include "ppp-comp.h"
 
 int hexmode;
@@ -191,7 +191,7 @@ dumplog(f)
            show_time(f, c);
            break;
        default:
-           printf("?%.2x\n");
+           printf("?%.2x\n", c);
        }
     }
 }
@@ -233,6 +233,7 @@ static u_short fcstab[256] = {
        0xf78f, 0xe606, 0xd49d, 0xc514, 0xb1ab, 0xa022, 0x92b9, 0x8330,
        0x7bc7, 0x6a4e, 0x58d5, 0x495c, 0x3de3, 0x2c6a, 0x1ef1, 0x0f78
 };
+#define PPP_FCS(fcs, c)        (((fcs) >> 8) ^ fcstab[((fcs) ^ (c)) & 0xff])
 
 struct pkt {
     int        cnt;
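Review bot: The new `PPP_FCS(fcs, c)` macro expands `fcs` twice and has no comment saying so, so a call site that passes an expression with side effects would misbehave; the call sites are outside this hunk, so whether any does is not visible here. A one-line comment above the define would cover it, for example `/* Fold byte c into the running 16-bit FCS; fcs is evaluated twice, so pass a plain variable. */`. Since this commit removes the `ppp_defs.h` include, the comment could also say the macro is a local copy, so nobody re-adds the include and gets a redefinition.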
@@ -296,6 +297,10 @@ dumpppp(f)
                            printf("%s aborted packet:\n     ", dir);
                            q = "    ";
                        }
+                       if (pkt->cnt >= sizeof(pkt->buf)) {
+                           printf("%s over-long packet truncated:\n     ", dir);
+                           q = "    ";
+                       }
                        nb = pkt->cnt;
                        p = pkt->buf;
                        pkt->cnt = 0;
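Review bot: The `pkt->cnt >= sizeof(pkt->buf)` test reports a frame that exactly fills the buffer as "over-long packet truncated" even though no byte was dropped. The write guard in the later hunk (`if (pkt->cnt < sizeof(pkt->buf))`) stores the byte and then increments, so `cnt` reaches `sizeof(pkt->buf)` both for an exact fit and for a real overflow. Recording the drop explicitly makes the report exact: add a new field to `struct pkt` (say `truncated`), set it with `else pkt->truncated = 1;` on that guard, and test and clear it here instead of inferring it from `cnt`. Both comparisons also mix the `int cnt` declared in `struct pkt` with a `size_t`; casting (`(size_t)pkt->cnt`) or making `cnt` unsigned keeps `-Wsign-compare` quiet and the intent clear. The rest of `dumpppp` is outside the hunk, so whether the truncated frame is then flagged again by the FCS check is not visible here.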
@@ -320,7 +325,7 @@ dumpppp(f)
                            ++r;
                        ++r;
                        if (endp - r > mru)
-                           printf("     ERROR: length (%d) > MRU (%d)\n",
+                           printf("     ERROR: length (%zd) > MRU (%d)\n",
                                   endp - r, mru);
                        if (decompress && fcs == PPP_GOODFCS) {
                            /* See if this is a CCP or compressed packet */
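Review bot: `%zd` is the conversion for the signed counterpart of `size_t`, but `endp - r` looks like a pointer difference, which has type `ptrdiff_t`. The declarations of `endp` and `r` are outside the hunk, so this is inferred from the `++r` and the subtraction. The matching specifier is `%td`: `printf("     ERROR: length (%td) > MRU (%d)\n",`. On the common ABIs the two have the same width, so this is a portability and `-Wformat` point rather than a live bug.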
@@ -399,7 +404,8 @@ dumpppp(f)
                        c ^= 0x20;
                        pkt->esc = 0;
                    }
-                   pkt->buf[pkt->cnt++] = c;
+                   if (pkt->cnt < sizeof(pkt->buf))
+                       pkt->buf[pkt->cnt++] = c;
                    break;
                }
            }
@@ -421,7 +427,7 @@ dumpppp(f)
            show_time(f, c);
            break;
        default:
-           printf("?%.2x\n");
+           printf("?%.2x\n", c);
        }
     }
 }