/* parse any tags we have in the packet */
uint32_t tag_length = 0;
- PPPOEDiscoveryTag* pppoedt = (PPPOEDiscoveryTag*) (p->pppoedh + PPPOE_DISCOVERY_HEADER_MIN_LEN);
+ const uint8_t* pkt_pppoedt = pkt + PPPOE_DISCOVERY_HEADER_MIN_LEN;
uint32_t pppoe_length = SCNtohs(p->pppoedh->pppoe_length);
uint32_t packet_length = len - PPPOE_DISCOVERY_HEADER_MIN_LEN ;
return TM_ECODE_OK;
}
- while (pppoedt < (PPPOEDiscoveryTag*) (pkt + (len - sizeof(PPPOEDiscoveryTag))) && pppoe_length >=4 && packet_length >=4)
+ // packet_length >= pppoe_length so we have enough data
+ while (pppoe_length >= sizeof(PPPOEDiscoveryTag))
{
+ PPPOEDiscoveryTag* pppoedt = (PPPOEDiscoveryTag*)pkt_pppoedt;
#ifdef DEBUG
uint16_t tag_type = SCNtohs(pppoedt->pppoe_tag_type);
#endif
+ // upgrade to u32 to avoid u16 overflow
tag_length = SCNtohs(pppoedt->pppoe_tag_length);
SCLogDebug ("PPPoE Tag type %x, length %"PRIu32, tag_type, tag_length);
if (pppoe_length >= (4 + tag_length)) {
pppoe_length -= (4 + tag_length);
+ pkt_pppoedt = pkt_pppoedt + (4 + tag_length);
} else {
pppoe_length = 0; // don't want an underflow
}
-
- if (packet_length >= 4 + tag_length) {
- packet_length -= (4 + tag_length);
- } else {
- packet_length = 0; // don't want an underflow
- }
-
- pppoedt = pppoedt + (4 + tag_length);
}
return TM_ECODE_OK;
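Review bot: The new `pppoedt` declaration at the top of the loop body casts the `const uint8_t *` cursor to a non-const `PPPOEDiscoveryTag *`, discarding the const this same hunk just put on `pkt_pppoedt`; the loop only reads `pppoe_tag_type` and `pppoe_tag_length`, so it should be `const PPPOEDiscoveryTag *pppoedt = (const PPPOEDiscoveryTag *)pkt_pppoedt;`. The loop guard now uses `sizeof(PPPOEDiscoveryTag)` while the length check and the cursor advance still use a bare `4`; if that struct is the 4-byte tag header, write `if (pppoe_length >= (sizeof(PPPOEDiscoveryTag) + tag_length))` and advance by the same expression so the guard and the arithmetic cannot drift apart. The in-bounds argument for reading each tag header rests entirely on the `packet_length >= pppoe_length` check that the comment on the new guard cites, which is not visible in this hunk (only a `return TM_ECODE_OK; }` tail of an earlier conditional is), so that comment should name the check it depends on. A tag whose declared length overruns the remaining PPPoE payload now silently zeroes `pppoe_length` and ends the loop, which may be intended but deserves a comment such as `/* tag length overruns the PPPoE payload: stop parsing rather than read past it */`. The enclosing function begins before this hunk.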