From d722eee76c51a65c5449806c6fdacf2ac4f95055 Mon Sep 17 00:00:00 2001 From: Seonah Moon Date: Mon, 12 Aug 2019 11:03:14 +0900 Subject: [PATCH] If decode_prefix6() returns a negative number, don't print buf. If it returns a negative number, it hasn't necessarily filled in buf, so just return immediately; this is similar to the IPv4 code path, wherein we just return a negative number, and print nothing, on an error. This should fix GitHub issue #763. CVE-2018-19519, CVE-2019-1010220 https://github.com/the-tcpdump-group/tcpdump/commit/511915bef7e4de2f31b8d9f581b4a44b0cfbcf53 Change-Id: I50c0b4bc2254917b19f5e1432a8242cb76a72237 --- print-hncp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/print-hncp.c b/print-hncp.c index 11a6a93..f5cf13f 100644 --- a/print-hncp.c +++ b/print-hncp.c @@ -229,6 +229,8 @@ print_prefix(netdissect_options *ndo, const u_char *prefix, u_int max_length) plenbytes += 1 + IPV4_MAPPED_HEADING_LEN; } else { plenbytes = decode_prefix6(ndo, prefix, max_length, buf, sizeof(buf)); + if (plenbytes < 0) + return plenbytes; } ND_PRINT((ndo, "%s", buf)); -- 2.7.4
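Review bot: The new `if (plenbytes < 0) return plenbytes;` in the else branch guards only the `decode_prefix6()` path, while the `ND_PRINT((ndo, "%s", buf));` that follows still depends on every branch having filled in `buf`. The commit message says the IPv4 path already returns on error; it is worth confirming that it does so before `plenbytes += 1 + IPV4_MAPPED_HEADING_LEN;`, since adding to a negative return value could turn an error into a non-negative length and reach the print with `buf` unwritten. The check also relies on `plenbytes` being a signed type, whose declaration is outside this hunk. Consider a short comment above the new check stating that `buf` may be unfilled on error, so the reason for the early return stays with the code.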