MFV r277782:

Merge some cherry-picked fixes originating in OpenBSD

Check whether the version field is available before looking at it.
While we're at it, use ND_TCHECK(), rather than a hand-rolled check, to
check whether we have the full fixed-length portion of the IPv4 header.

commit c67afe913011138a2504ec4d3d423b48e73b12f3

Do more length checking. From OpenBSD.

commit d7516761f9c4877bcb05bb6543be3543e165249

2 files changed, 8 insertions, 5 deletions

diff --git a/contrib/tcpdump/print-ip.c b/contrib/tcpdump/print-ip.c
index bfd2c75758a45..1add0c76335eb 100644
--- a/contrib/tcpdump/print-ip.c
+++ b/contrib/tcpdump/print-ip.c
@@ -537,6 +537,7 @@ ip_print(netdissect_options *ndo,
 	struct protoent *proto;
 
 	ipds->ip = (const struct ip *)bp;
+	ND_TCHECK(ipds->ip->ip_vhl);
 	if (IP_V(ipds->ip) != 4) { /* print version if != 4 */
 	    ND_PRINT((ndo, "IP%u ", IP_V(ipds->ip)));
 	    if (IP_V(ipds->ip) == 6)
@@ -545,10 +546,7 @@ ip_print(netdissect_options *ndo,
 	else if (!ndo->ndo_eflag)
 		ND_PRINT((ndo, "IP "));
 
-	if ((u_char *)(ipds->ip + 1) > ndo->ndo_snapend) {
-		ND_PRINT((ndo, "%s", tstr));
-		return;
-	}
+	ND_TCHECK(*ipds->ip);
 	if (length < sizeof (struct ip)) {
 		ND_PRINT((ndo, "truncated-ip %u", length));
 		return;
@@ -677,6 +675,11 @@ ip_print(netdissect_options *ndo,
 				ND_PRINT((ndo, " ip-proto-%d", ipds->ip->ip_p));
 		}
 	}
+	return;
+
+trunc:
+	ND_PRINT((ndo, "%s", tstr));
+	return;
 }
 
 void
diff --git a/contrib/tcpdump/print-sl.c b/contrib/tcpdump/print-sl.c
index 40a1ed5daeacd..6b5d254415883 100644
--- a/contrib/tcpdump/print-sl.c
+++ b/contrib/tcpdump/print-sl.c
@@ -64,7 +64,7 @@ sl_if_print(netdissect_options *ndo,
 	register u_int length = h->len;
 	register const struct ip *ip;
 
-	if (caplen < SLIP_HDRLEN) {
+	if (caplen < SLIP_HDRLEN || length < SLIP_HDRLEN) {
 		ND_PRINT((ndo, "%s", tstr));
 		return (caplen);
 	}