If decode_prefix6() returns a negative number, don't print buf.
01/211901/1 accepted/tizen/unified/20190813.082335 submit/tizen/20190812.223549
author Seonah Moon <seonah1.moon@samsung.com>
Mon, 12 Aug 2019 02:03:14 +0000 (11:03 +0900)
committer Seonah Moon <seonah1.moon@samsung.com>
Mon, 12 Aug 2019 02:03:17 +0000 (11:03 +0900)
If it returns a negative number, it hasn't necessarily filled in buf, so
just return immediately; this is similar to the IPv4 code path, wherein
we just return a negative number, and print nothing, on an error.

This should fix GitHub issue #763.

CVE-2018-19519, CVE-2019-1010220
https://github.com/the-tcpdump-group/tcpdump/commit/511915bef7e4de2f31b8d9f581b4a44b0cfbcf53

Change-Id: I50c0b4bc2254917b19f5e1432a8242cb76a72237

print-hncp.c

index 11a6a93..f5cf13f 100644 (file)
@@ -229,6 +229,8 @@ print_prefix(netdissect_options *ndo, const u_char *prefix, u_int max_length)
         plenbytes += 1 + IPV4_MAPPED_HEADING_LEN;
     } else {
         plenbytes = decode_prefix6(ndo, prefix, max_length, buf, sizeof(buf));
+        if (plenbytes < 0)
+            return plenbytes;
     }
 
     ND_PRINT((ndo, "%s", buf));
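Review bot: The new `plenbytes < 0` check covers only the `else` branch, while the branch above it ends with `plenbytes += 1 + IPV4_MAPPED_HEADING_LEN;`. The decode call for that branch is outside this hunk, so please confirm its return value is tested before the addition. If it is not, a small negative error code could be turned into a non-negative length, and the code would fall through to `ND_PRINT((ndo, "%s", buf))` with `buf` possibly unfilled, which is the condition this change is meant to prevent. A one-line comment above the new `return plenbytes;` stating that `buf` may not have been written on error would also help keep the check in place during later refactoring.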