@@ -182,7 +182,9 @@ eap_print(netdissect_options *ndo,
182182
183183 switch (eap -> type ) {
184184 case EAP_FRAME_TYPE_PACKET :
185+ ND_TCHECK_8BITS (tptr );
185186 type = * (tptr );
187+ ND_TCHECK_16BITS (tptr + 2 );
186188 len = EXTRACT_16BITS (tptr + 2 );
187189 ND_PRINT ((ndo , ", %s (%u), id %u, len %u" ,
188190 tok2str (eap_code_values , "unknown" , type ),
@@ -193,10 +195,11 @@ eap_print(netdissect_options *ndo,
193195 ND_TCHECK2 (* tptr , len );
194196
195197 if (type <= 2 ) { /* For EAP_REQUEST and EAP_RESPONSE only */
198+ ND_TCHECK_8BITS (tptr + 4 );
196199 subtype = * (tptr + 4 );
197200 ND_PRINT ((ndo , "\n\t\t Type %s (%u)" ,
198- tok2str (eap_type_values , "unknown" , * ( tptr + 4 ) ),
199- * ( tptr + 4 ) ));
201+ tok2str (eap_type_values , "unknown" , subtype ),
202+ subtype ));
200203
201204 switch (subtype ) {
202205 case EAP_TYPE_IDENTITY :
@@ -222,6 +225,7 @@ eap_print(netdissect_options *ndo,
222225 * type one octet per type
223226 */
224227 while (count < len ) {
228+ ND_TCHECK_8BITS (tptr + count );
225229 ND_PRINT ((ndo , " %s (%u)," ,
226230 tok2str (eap_type_values , "unknown" , * (tptr + count )),
227231 * (tptr + count )));
@@ -230,26 +234,31 @@ eap_print(netdissect_options *ndo,
230234 break ;
231235
232236 case EAP_TYPE_TTLS :
233- ND_PRINT ((ndo , " TTLSv%u" ,
234- EAP_TTLS_VERSION (* (tptr + 5 )))); /* fall through */
235237 case EAP_TYPE_TLS :
238+ ND_TCHECK_8BITS (tptr + 5 );
239+ if (subtype == EAP_TYPE_TTLS )
240+ ND_PRINT ((ndo , " TTLSv%u" ,
241+ EAP_TTLS_VERSION (* (tptr + 5 ))));
236242 ND_PRINT ((ndo , " flags [%s] 0x%02x," ,
237243 bittok2str (eap_tls_flags_values , "none" , * (tptr + 5 )),
238244 * (tptr + 5 )));
239245
240246 if (EAP_TLS_EXTRACT_BIT_L (* (tptr + 5 ))) {
247+ ND_TCHECK_32BITS (tptr + 6 );
241248 ND_PRINT ((ndo , " len %u" , EXTRACT_32BITS (tptr + 6 )));
242249 }
243250 break ;
244251
245252 case EAP_TYPE_FAST :
253+ ND_TCHECK_8BITS (tptr + 5 );
246254 ND_PRINT ((ndo , " FASTv%u" ,
247255 EAP_TTLS_VERSION (* (tptr + 5 ))));
248256 ND_PRINT ((ndo , " flags [%s] 0x%02x," ,
249257 bittok2str (eap_tls_flags_values , "none" , * (tptr + 5 )),
250258 * (tptr + 5 )));
251259
252260 if (EAP_TLS_EXTRACT_BIT_L (* (tptr + 5 ))) {
261+ ND_TCHECK_32BITS (tptr + 6 );
253262 ND_PRINT ((ndo , " len %u" , EXTRACT_32BITS (tptr + 6 )));
254263 }
255264
@@ -258,6 +267,7 @@ eap_print(netdissect_options *ndo,
258267
259268 case EAP_TYPE_AKA :
260269 case EAP_TYPE_SIM :
270+ ND_TCHECK_8BITS (tptr + 5 );
261271 ND_PRINT ((ndo , " subtype [%s] 0x%02x," ,
262272 tok2str (eap_aka_subtype_values , "unknown" , * (tptr + 5 )),
263273 * (tptr + 5 )));
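Review bot: The added `ND_TCHECK_8BITS (tptr + 4)` before `subtype = * (tptr + 4)` proves the byte was captured, but nothing compares that offset with the `len` field taken from the packet, so an EAP packet declaring `len` below 5 still has a Type octet decoded from bytes past its own declared end. The same holds for the reads at `tptr + 5` and `tptr + 6` in the TTLS/TLS, FAST and AKA/SIM cases, which need `len` to be at least 6 and 10 respectively. I would add a guard such as `if (len < 5)` at the top of the `type <= 2` body, with matching checks before the later offsets, and report the packet as invalid instead of printing fields that belong to whatever follows it, so the output does not mislead someone analysing a malformed frame. eap_print starts and ends outside the visible hunks, so the exit to use (the function's truncation path or an invalid-length message) should follow whatever it already does there.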