Fix a crash that occurs when printing the filename in a malformed NFS

request packet.

From Kevin Reay who obtained the fix from the tcpdump.org repo (part of
commit 6191f36146f5d286304e9b6e893477fe509d83ab).

ok canacar@ sthen@

diff --git a/usr.sbin/tcpdump/print-nfs.c b/usr.sbin/tcpdump/print-nfs.c
index daf3a0f..3697e99 100644 (file)
--- a/usr.sbin/tcpdump/print-nfs.c
+++ b/usr.sbin/tcpdump/print-nfs.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: print-nfs.c,v 1.19 2015/01/16 06:40:21 deraadt Exp $  */
+/*     $OpenBSD: print-nfs.c,v 1.20 2015/10/15 02:33:25 lteo Exp $     */
 
 /*
  * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -381,9 +381,11 @@ parsefn(register const u_int32_t *dp)
        cp = (u_char *)dp;
        /* Update 32-bit pointer (NFS filenames padded to 32-bit boundaries) */
        dp += ((len + 3) & ~3) / sizeof(*dp);
-       /* XXX seems like we should be checking the length */
        putchar('"');
-       (void) fn_printn(cp, len, NULL);
+       if (fn_printn(cp, len, snapend)) {
+               putchar('"');
+               goto trunc;
+       }
        putchar('"');
 
        return (dp);