Change #265855
| Category | tcpdump |
| Changed by | Sebastián Alba Vives <sebasjosue84@gmail.com> |
| Changed at | Tue 28 Apr 2026 21:33:26 |
| Repository | https://git.tcpdump.org/tcpdump |
| Project | tcpdump |
| Branch | master |
| Revision | 06db0837bd0c21be400b3f7ebeee00cd296462c2 |
Comments
isakmp: validate item_len before subtracting sizeof(ikev2_id)

In ikev2_ID_print(), item_len is read from the packet and used
directly in the subtraction:

    idtype_len = item_len - sizeof(struct ikev2_id);

The caller only guarantees item_len > 4, but sizeof(struct ikev2_id)
is 8. When item_len is 5, 6, or 7, the subtraction underflows,
producing a large value that is then passed to nd_printjn() and
rawprint().

Add an explicit bounds check before the subtraction and print
'[payload too short]' when item_len is less than sizeof(struct ikev2_id).

Add regression tests for both the normal and the underflow cases.
Changed files
- print-isakmp.c
- tests/TESTLIST
- tests/ikev2-id-normal.out
- tests/ikev2-id-normal.pcap
- tests/ikev2-id-short.out
- tests/ikev2-id-short.pcap
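
The underflow described in the commit message, shown as an added example that is not part of the commit or of tcpdump's source. The 8-byte `struct id_hdr` and both helper functions are constructed stand-ins, and `unsigned int` as the length type is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 8-byte stand-in for the fixed part of an IKEv2 ID payload.
 * Only the size (8) comes from the commit message; the field names are
 * assumptions made for this example. */
struct id_hdr {
    uint8_t next_payload;
    uint8_t critical;
    uint8_t len[2];
    uint8_t id_type;
    uint8_t reserved[3];
};

/* Unchecked form: the subtraction as quoted in the commit message.
 * For item_len < 8 the unsigned result wraps to a very large value. */
static unsigned int id_data_len_unchecked(unsigned int item_len)
{
    return (unsigned int)(item_len - sizeof(struct id_hdr));
}

/* Checked form: compare first, subtract second.
 * Returns 0 and stores the data length, or -1 if the payload is too short. */
static int id_data_len_checked(unsigned int item_len, unsigned int *out)
{
    if (item_len < sizeof(struct id_hdr))
        return -1;
    *out = (unsigned int)(item_len - sizeof(struct id_hdr));
    return 0;
}

int main(void)
{
    /* 5..7 are the lengths the commit message names; 8 and 9 are valid. */
    for (unsigned int item_len = 5; item_len <= 9; item_len++) {
        unsigned int n;
        printf("item_len=%u unchecked=%u ", item_len,
               id_data_len_unchecked(item_len));
        if (id_data_len_checked(item_len, &n) < 0)
            printf("checked=[payload too short]\n");
        else
            printf("checked=%u\n", n);
    }
    return 0;
}
```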