diff -cr ip_fil3.3.11/HISTORY ip_fil3.3.12/HISTORY *** ip_fil3.3.11/HISTORY Sat Mar 4 12:16:04 2000 --- ip_fil3.3.12/HISTORY Thu Mar 16 01:08:15 2000 *************** *** 20,25 **** --- 20,38 ---- # and especially those who have found the time to port IP Filter to new # platforms. # + 3.3.12 16/03/2000 - Released + + tighten up ftp proxy behaviour. sigh. yuck. hate. + + fix bug in range check for NAT where the last IP# was not used. + + fix problem with icmp codes > 127 in filter rules caused bad things to + happen and in particular, where #18 caused the rule to be printed + erroneously. + + fix bug with the spl level not being reset when returning EIO from + iplioctl due to ipfilter not being initialized yet. + 3.3.11 04/03/2000 - Released make "or-block" work with lines that start with "log" diff -cr ip_fil3.3.11/INSTALL.Sol2 ip_fil3.3.12/INSTALL.Sol2 *** ip_fil3.3.11/INSTALL.Sol2 Thu Aug 5 03:29:51 1999 --- ip_fil3.3.12/INSTALL.Sol2 Tue Mar 14 11:35:57 2000 *************** *** 12,26 **** make package ! This will build the package into SunOS5//root, copy that to ! /var/spool/pkg as a package and then start the installation using ! pkgadd. As part of the postinstall script, it will install loadable kernel module as part of Solaris 2 (using add_drv) making it available for immeadiate use. ! IP Filter will be installed into /opt/CYBSipf (programs, manual pages and ! examples) and create a directory /etc/opt/CYBSipf with a null body file called "ipf.conf" using touch. The rc scripts have been written to look for the configuration file here, using the installed binaries in /sbin. --- 12,26 ---- make package ! This will build the package into SunOS5//root, create a package ! file called "ipf.pkg" in the SunOS5 directory and then start the ! installation using pkgadd. As part of the postinstall script, it will install loadable kernel module as part of Solaris 2 (using add_drv) making it available for immeadiate use. ! 
IP Filter will be installed into /opt/ipf (programs, manual pages and ! examples) and create a directory /etc/opt/ipf with a null body file called "ipf.conf" using touch. The rc scripts have been written to look for the configuration file here, using the installed binaries in /sbin. diff -cr ip_fil3.3.11/SunOS5/pkginfo ip_fil3.3.12/SunOS5/pkginfo *** ip_fil3.3.11/SunOS5/pkginfo Sat Mar 4 12:16:05 2000 --- ip_fil3.3.12/SunOS5/pkginfo Thu Mar 16 01:08:17 2000 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.3.11 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.3.12 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -cr ip_fil3.3.11/ip_fil.c ip_fil3.3.12/ip_fil.c *** ip_fil3.3.11/ip_fil.c Tue Feb 22 22:40:06 2000 --- ip_fil3.3.12/ip_fil.c Wed Mar 8 01:41:39 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.18 2000/02/22 11:40:06 darrenr Exp $"; #endif #ifndef SOLARIS --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.19 2000/03/07 14:41:39 darrenr Exp $"; #endif #ifndef SOLARIS *************** *** 432,450 **** SPL_NET(s); if (unit == IPL_LOGNAT) { ! if (!fr_running) ! return EIO; ! error = nat_ioctl(data, cmd, mode); SPL_X(s); return error; } if (unit == IPL_LOGSTATE) { ! if (!fr_running) ! return EIO; ! error = fr_state_ioctl(data, cmd, mode); SPL_X(s); return error; } switch (cmd) { case FIONREAD : #ifdef IPFILTER_LOG --- 432,454 ---- SPL_NET(s); if (unit == IPL_LOGNAT) { ! if (fr_running) ! error = nat_ioctl(data, cmd, mode); ! else ! error = EIO; SPL_X(s); return error; } + if (unit == IPL_LOGSTATE) { ! 
if (fr_running) ! error = fr_state_ioctl(data, cmd, mode); ! else ! error = EIO; SPL_X(s); return error; } + switch (cmd) { case FIONREAD : #ifdef IPFILTER_LOG diff -cr ip_fil3.3.11/ip_fil.h ip_fil3.3.12/ip_fil.h *** ip_fil3.3.11/ip_fil.h Wed Feb 23 22:16:36 2000 --- ip_fil3.3.12/ip_fil.h Wed Mar 8 22:43:30 2000 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.3.2.8 2000/02/23 11:16:36 darrenr Exp $ */ #ifndef __IP_FIL_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.3.2.9 2000/03/08 11:43:30 darrenr Exp $ */ #ifndef __IP_FIL_H__ *************** *** 185,191 **** u_short fr_skip; /* # of rules to skip */ u_short fr_loglevel; /* syslog log facility + priority */ int (*fr_func) __P((int, ip_t *, fr_info_t *)); /* call this function */ ! char fr_icode; /* return ICMP code */ char fr_ifname[IFNAMSIZ]; #if BSD >= 199306 char fr_oifname[IFNAMSIZ]; --- 185,191 ---- u_short fr_skip; /* # of rules to skip */ u_short fr_loglevel; /* syslog log facility + priority */ int (*fr_func) __P((int, ip_t *, fr_info_t *)); /* call this function */ ! u_char fr_icode; /* return ICMP code */ char fr_ifname[IFNAMSIZ]; #if BSD >= 199306 char fr_oifname[IFNAMSIZ]; diff -cr ip_fil3.3.11/ip_ftp_pxy.c ip_fil3.3.12/ip_ftp_pxy.c *** ip_fil3.3.11/ip_ftp_pxy.c Sun Nov 28 22:01:52 1999 --- ip_fil3.3.12/ip_ftp_pxy.c Thu Mar 16 00:56:30 2000 *************** *** 7,12 **** --- 7,13 ---- #endif #define isdigit(x) ((x) >= '0' && (x) <= '9') + #define isupper(x) ((unsigned)((x) - 'A') <= 'Z' - 'A') #define IPF_FTP_PROXY *************** *** 14,30 **** --- 15,37 ---- #define IPF_MAXPORTLEN 30 #define IPF_MIN227LEN 39 #define IPF_MAX227LEN 51 + #define IPF_FTPBUFSZ MAX(68,IPF_MAX227LEN) /* This *MUST* be >= 51! 
*/ + /* 68 is chosen as the minimum datagram size for */ + /* an unfragmented packet */ int ippr_ftp_init __P((void)); + int ippr_ftp_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *)); int ippr_ftp_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *)); int ippr_ftp_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *)); int ippr_ftp_portmsg __P((fr_info_t *, ip_t *, nat_t *)); int ippr_ftp_pasvmsg __P((fr_info_t *, ip_t *, nat_t *)); + int ippr_ftp_complete __P((char *, size_t)); u_short ipf_ftp_atoi __P((char **)); static frentry_t natfr; + int ippr_ftp_pasvonly = 0; /* *************** *** 39,44 **** --- 46,135 ---- } + int ippr_ftp_complete(buf, len) + char *buf; + size_t len; + { + register char *s, c; + register size_t i; + + if (len < 5) + return -1; + s = buf; + c = *s++; + i = len - 1; + + if (isdigit(c)) { + c = *s++; + i--; + if (isdigit(c)) { + c = *s++; + i--; + if (isdigit(c)) { + c = *s++; + i--; + if (c != '-' && c != ' ') + return -1; + } else + return -1; + } else + return -1; + } else if (isupper(c)) { + c = *s++; + i--; + if (isupper(c)) { + c = *s++; + i--; + if (isupper(c)) { + c = *s++; + i--; + if (isupper(c)) { + c = *s++; + i--; + if (c != ' ') + return -1; + } else + return -1; + } else + return -1; + } else + return -1; + } else + return -1; + + for (; i && (c = *s); i--, s++) { + if ((c == '\r') && (i != 2)) + return -1; + if ((c == '\n') && (i != 1)) + return -1; + else if ((i == 2) && (c != '\r')) + return -1; + else if ((i == 1) && (c != '\n')) + return -1; + } + return i; + } + + + int ippr_ftp_new(fin, ip, aps, nat) + fr_info_t *fin; + ip_t *ip; + ap_session_t *aps; + nat_t *nat; + { + ftpinfo_t *ftp; + + KMALLOC(ftp, ftpinfo_t *); + if (ftp == NULL) + return -1; + aps->aps_data = ftp; + aps->aps_psiz = sizeof(ftpinfo_t); + + ftp->ftp_passok = 0; + return 0; + } + + /* * ipf_ftp_atoi - implement a version of atoi which processes numbers in * pairs separated by commas (which are expected to be in the range 0 - 255), 
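Review bot: `#define IPF_FTPBUFSZ MAX(68,IPF_MAX227LEN)` (ip_ftp_pxy.c, new lines 15-37) drops the byte the old declarations reserved with `IPF_MAX227LEN + 1`, although the callers still terminate with `portbuf[sizeof(portbuf) - 1] = '\0'`. It is harmless while 68 wins the MAX, but the floor should be `MAX(68, IPF_MAX227LEN + 1)` and the comment should read ">= 52" so a later increase of IPF_MAX227LEN cannot truncate a maximum-length reply. `int ippr_ftp_pasvonly = 0;` also needs a comment: going by the PORT test later in the patch, a non-zero value stops the proxy from acting on PORT commands, e.g. `/* non-zero: do not proxy PORT commands */`.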
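Review bot: ippr_ftp_complete() (ip_ftp_pxy.c, new lines 46-135) returns 0 for a five-byte payload that has no line terminator: in the upper-case branch `i` reaches 0 so the CR/LF loop never runs, and in the digit branch a lone `\n` is accepted. If the intent is "exactly one CRLF-terminated line", add `if (i < 2) return -1;` just before the `for` loop. The function has no header comment and returns a `size_t` through an `int`; a short comment stating that 0 means a complete line and any other value means "ignore this segment" would make the callers' `if (ippr_ftp_complete(...)) return 0;` readable. ippr_ftp_new() initialises only `ftp_passok`, which is fine while ftpinfo_t has one field but leaves any field added later uninitialised.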
*************** *** 73,85 **** ip_t *ip; nat_t *nat; { ! char portbuf[IPF_MAXPORTLEN + 1], newbuf[IPF_MAXPORTLEN + 1], *s; tcphdr_t *tcp, tcph, *tcp2 = &tcph; size_t nlen = 0, dlen, olen; u_short a5, a6, sp, dp; u_int a1, a2, a3, a4; struct in_addr swip; int off, inc = 0; fr_info_t fi; nat_t *ipn; mb_t *m; --- 164,177 ---- ip_t *ip; nat_t *nat; { ! char portbuf[IPF_FTPBUFSZ], newbuf[IPF_FTPBUFSZ], *s; tcphdr_t *tcp, tcph, *tcp2 = &tcph; size_t nlen = 0, dlen, olen; u_short a5, a6, sp, dp; u_int a1, a2, a3, a4; struct in_addr swip; int off, inc = 0; + ftpinfo_t *ftp; fr_info_t fi; nat_t *ipn; mb_t *m; *************** *** 108,114 **** return 0; portbuf[sizeof(portbuf) - 1] = '\0'; *newbuf = '\0'; ! if (!strncmp(portbuf, "PORT ", 5)) { if (dlen < IPF_MINPORTLEN) return 0; } else --- 200,229 ---- return 0; portbuf[sizeof(portbuf) - 1] = '\0'; *newbuf = '\0'; ! ! /* ! * Check that a user is progressing through the login ok. ! */ ! if (ippr_ftp_complete(portbuf, dlen)) ! return 0; ! ftp = nat->nat_aps->aps_data; ! switch (ftp->ftp_passok) ! { ! case 0 : ! if (!strncmp(portbuf, "USER ", 5)) ! ftp->ftp_passok = 1; ! break; ! case 2 : ! if (!strncmp(portbuf, "PASS ", 5)) ! ftp->ftp_passok = 3; ! break; ! } ! if (ftp->ftp_passok != 4) ! return 0; ! /* ! * Check for client sending out PORT message. ! */ ! if (!ippr_ftp_pasvonly && !strncmp(portbuf, "PORT ", 5)) { if (dlen < IPF_MINPORTLEN) return 0; } else *************** *** 163,168 **** --- 278,284 ---- a4 = a1 & 0xff; a1 >>= 24; olen = s - portbuf; + /* DO NOT change this to sprintf! */ (void) sprintf(newbuf, "%s %u,%u,%u,%u,%u,%u\r\n", "PORT", a1, a2, a3, a4, a5, a6); *************** *** 223,228 **** --- 339,350 ---- */ sp = htons(a5 << 8 | a6); /* + * Don't allow the PORT command to specify a port < 1024 due to + * security crap. + */ + if (ntohs(sp) < 1024) + return 0; + /* * The server may not make the connection back from port 20, but * it is the most likely so use it here to check for a conflicting * mapping. 
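Review bot: `ftp = nat->nat_aps->aps_data;` (ip_ftp_pxy.c, new lines 200-229) dereferences two pointers in kernel context without a check, and the same line is added in the PASV hunk at new lines 426-460. Whether either can be NULL here depends on session setup outside these hunks, so a guard such as `if (nat->nat_aps == NULL || (ftp = nat->nat_aps->aps_data) == NULL) return 0;` would make the proxy fail closed instead of faulting. ippr_ftp_complete() is passed `dlen`, which may be larger than what was copied into portbuf; the scan appears to stay in bounds only because of the `portbuf[sizeof(portbuf) - 1] = '\0'` just above, and a comment saying so would protect that dependency. The function body starts and ends outside the hunk.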
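Review bot: The added comment `/* DO NOT change this to sprintf! */` (ip_ftp_pxy.c, new lines 278-284) sits directly above a call that already is `sprintf`, so as written it warns against the code it annotates; presumably `snprintf` was meant. Reword it and give the reason. It should also record why the unbounded call is safe: with four u_int and two u_short arguments the output is at most 62 characters plus the NUL, which fits newbuf[IPF_FTPBUFSZ] (68), assuming a 32-bit u_int. The enclosing function continues outside the hunk.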
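Review bot: The port check added at new lines 339-350 of ip_ftp_pxy.c runs after the replacement command has been formatted into newbuf (the sprintf in the hunk at new lines 278-284). Depending on the code between the two hunks, which is not visible, the payload may already have been rewritten by then, so `return 0` may only skip the mapping while the altered command still goes out. Moving the two added lines up to where a5 and a6 are first known would reject the request before anything is changed. The comment should say what is being refused, for example `/* refuse PORT naming a reserved port (< 1024) */`. The function body continues outside the hunk.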
*************** *** 268,279 **** ip_t *ip; nat_t *nat; { ! char portbuf[IPF_MAX227LEN + 1], newbuf[IPF_MAX227LEN + 1], *s; int off, olen, dlen, nlen = 0, inc = 0; tcphdr_t tcph, *tcp2 = &tcph; struct in_addr swip, swip2; u_short a5, a6, dp, sp; u_int a1, a2, a3, a4; tcphdr_t *tcp; fr_info_t fi; nat_t *ipn; --- 390,402 ---- ip_t *ip; nat_t *nat; { ! char portbuf[IPF_FTPBUFSZ], newbuf[IPF_FTPBUFSZ], *s; int off, olen, dlen, nlen = 0, inc = 0; tcphdr_t tcph, *tcp2 = &tcph; struct in_addr swip, swip2; u_short a5, a6, dp, sp; u_int a1, a2, a3, a4; + ftpinfo_t *ftp; tcphdr_t *tcp; fr_info_t fi; nat_t *ipn; *************** *** 303,308 **** --- 426,460 ---- portbuf[sizeof(portbuf) - 1] = '\0'; *newbuf = '\0'; + /* + * Check that a user is progressing through the login ok. + * Don't put the switch in one common function because one side + * should only see numeric responses and the other commands. + */ + if (ippr_ftp_complete(portbuf, dlen)) + return 0; + ftp = nat->nat_aps->aps_data; + switch (ftp->ftp_passok) + { + case 1 : + if (!strncmp(portbuf, "331", 3)) + ftp->ftp_passok = 2; + else if (!strncmp(portbuf, "520", 3)) + ftp->ftp_passok = 0; + break; + case 3 : + if (!strncmp(portbuf, "230", 3)) + ftp->ftp_passok = 4; + break; + default : + break; + } + + if (ftp->ftp_passok != 4) + return 0; + /* + * Check for PASV reply message. + */ if (!strncmp(portbuf, "227 ", 4)) { if (dlen < IPF_MIN227LEN) return 0; diff -cr ip_fil3.3.11/ip_nat.c ip_fil3.3.12/ip_nat.c *** ip_fil3.3.11/ip_nat.c Mon Jan 24 23:43:40 2000 --- ip_fil3.3.12/ip_nat.c Thu Mar 9 01:17:26 2000 *************** *** 9,15 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.12 2000/01/24 12:43:40 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) --- 9,15 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! 
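Review bot: The reply state machine added to ippr_ftp_pasvmsg (ip_ftp_pxy.c, new lines 426-460) resets on `"520"` in state 1 and has no failure branch in state 3. A rejected password therefore leaves `ftp_passok` at 3, and a later USER is never tracked because the command side only matches USER in state 0. RFC 959 defines 530 as the "not logged in" reply and does not define 520, so this is likely a typo; consider `else if (!strncmp(portbuf, "530", 3)) ftp->ftp_passok = 0;` in both `case 1` and `case 3`. A server that answers USER directly with 230 also never reaches state 4, which should be stated in the comment if it is intended. The function body starts and ends outside the hunk.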
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.13 2000/03/08 14:17:26 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) *************** *** 840,846 **** } if (np->in_flags & IPN_RANGE) { ! if (np->in_nip >= ntohl(np->in_outmsk)) np->in_nip = ntohl(np->in_outip); } else { if ((np->in_outmsk != 0xffffffff) && --- 840,846 ---- } if (np->in_flags & IPN_RANGE) { ! if (np->in_nip > ntohl(np->in_outmsk)) np->in_nip = ntohl(np->in_outip); } else { if ((np->in_outmsk != 0xffffffff) && diff -cr ip_fil3.3.11/ip_nat.h ip_fil3.3.12/ip_nat.h *** ip_fil3.3.11/ip_nat.h Mon Jan 24 23:44:24 2000 --- ip_fil3.3.12/ip_nat.h Thu Mar 16 00:57:03 2000 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.1.2.3 2000/01/24 12:44:24 darrenr Exp $ */ #ifndef __IP_NAT_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.1.2.4 2000/03/15 13:57:03 darrenr Exp $ */ #ifndef __IP_NAT_H__ *************** *** 61,74 **** #define DEF_NAT_AGE 1200 /* 10 minutes (600 seconds) */ typedef struct nat { u_long nat_age; int nat_flags; u_32_t nat_sumd[2]; u_32_t nat_ipsumd; void *nat_data; ! void *nat_aps; /* proxy session */ ! frentry_t *nat_fr; /* filter rule ptr if appropriate */ struct in_addr nat_inip; struct in_addr nat_outip; struct in_addr nat_oip; /* other ip */ --- 61,76 ---- #define DEF_NAT_AGE 1200 /* 10 minutes (600 seconds) */ + struct ap_session; + typedef struct nat { u_long nat_age; int nat_flags; u_32_t nat_sumd[2]; u_32_t nat_ipsumd; void *nat_data; ! struct ap_session *nat_aps; /* proxy session */ ! 
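Review bot: The range test in the ip_nat.c hunk at new lines 840-846 relies on `in_outmsk` holding the last address of the range rather than a netmask when IPN_RANGE is set, and nothing in the hunk says so. A comment such as `/* IPN_RANGE: in_outip..in_outmsk is an inclusive address range */` above the test would document why `>` rather than `>=` is the correct comparison. The enclosing function starts and ends outside the hunk.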
struct frentry *nat_fr; /* filter rule ptr if appropriate */ struct in_addr nat_inip; struct in_addr nat_outip; struct in_addr nat_oip; /* other ip */ diff -cr ip_fil3.3.11/ip_proxy.c ip_fil3.3.12/ip_proxy.c *** ip_fil3.3.11/ip_proxy.c Wed Mar 1 09:47:17 2000 --- ip_fil3.3.12/ip_proxy.c Thu Mar 16 00:57:53 2000 *************** *** 6,12 **** * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.2.2.3 2000/02/29 22:47:17 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) --- 6,12 ---- * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.2.2.4 2000/03/15 13:57:53 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) *************** *** 100,107 **** ap_session_t *ap_sess_list = NULL; aproxy_t ap_proxies[] = { #ifdef IPF_FTP_PROXY ! { "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, NULL, NULL, ! ippr_ftp_in, ippr_ftp_out }, #endif #ifdef IPF_RCMD_PROXY { "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, NULL, --- 100,107 ---- ap_session_t *ap_sess_list = NULL; aproxy_t ap_proxies[] = { #ifdef IPF_FTP_PROXY ! { "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, NULL, ! ippr_ftp_new, ippr_ftp_in, ippr_ftp_out }, #endif #ifdef IPF_RCMD_PROXY { "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, NULL, *************** *** 152,167 **** if (!aps) return NULL; bzero((char *)aps, sizeof(*aps)); - aps->aps_next = ap_sess_list; aps->aps_p = ip->ip_p; aps->aps_data = NULL; aps->aps_apr = apr; aps->aps_psiz = 0; - ap_sess_list = aps; - aps->aps_nat = nat; - nat->nat_aps = aps; if (apr->apr_new != NULL) ! (void) (*apr->apr_new)(fin, ip, aps, nat); return aps; } --- 152,169 ---- if (!aps) return NULL; bzero((char *)aps, sizeof(*aps)); aps->aps_p = ip->ip_p; aps->aps_data = NULL; aps->aps_apr = apr; aps->aps_psiz = 0; if (apr->apr_new != NULL) ! 
if ((*apr->apr_new)(fin, ip, aps, nat) == -1) { ! KFREE(aps); ! return NULL; ! } ! aps->aps_nat = nat; ! aps->aps_next = ap_sess_list; ! ap_sess_list = aps; return aps; } diff -cr ip_fil3.3.11/ip_proxy.h ip_fil3.3.12/ip_proxy.h *** ip_fil3.3.11/ip_proxy.h Tue Feb 22 22:41:15 2000 --- ip_fil3.3.12/ip_proxy.h Thu Mar 16 00:58:15 2000 *************** *** 5,11 **** * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! * $Id: ip_proxy.h,v 2.1.2.2 2000/02/22 11:41:15 darrenr Exp $ */ #ifndef __IP_PROXY_H__ --- 5,11 ---- * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! * $Id: ip_proxy.h,v 2.1.2.3 2000/03/15 13:58:15 darrenr Exp $ */ #ifndef __IP_PROXY_H__ *************** *** 83,88 **** --- 83,95 ---- #define APR_DELETE 1 + + /* + * For the ftp proxy. + */ + typedef struct ftpinfo { + u_int ftp_passok; + } ftpinfo_t; /* * Real audio proxy structure and #defines diff -cr ip_fil3.3.11/ip_raudio_pxy.c ip_fil3.3.12/ip_raudio_pxy.c *** ip_fil3.3.11/ip_raudio_pxy.c Tue Dec 28 16:08:44 1999 --- ip_fil3.3.12/ip_raudio_pxy.c Thu Mar 16 00:58:54 2000 *************** *** 38,49 **** KMALLOCS(aps->aps_data, void *, sizeof(raudio_t)); ! if (aps->aps_data != NULL) { ! bzero(aps->aps_data, sizeof(raudio_t)); ! rap = aps->aps_data; ! aps->aps_psiz = sizeof(raudio_t); ! rap->rap_mode = RAP_M_TCP; /* default is for TCP */ ! } return 0; } --- 38,50 ---- KMALLOCS(aps->aps_data, void *, sizeof(raudio_t)); ! if (aps->aps_data == NULL) ! return -1; ! ! bzero(aps->aps_data, sizeof(raudio_t)); ! rap = aps->aps_data; ! aps->aps_psiz = sizeof(raudio_t); ! rap->rap_mode = RAP_M_TCP; /* default is for TCP */ return 0; } diff -cr ip_fil3.3.11/ipl.h ip_fil3.3.12/ipl.h *** ip_fil3.3.11/ipl.h Sat Mar 4 12:16:04 2000 --- ip_fil3.3.12/ipl.h Thu Mar 16 01:08:16 2000 *************** *** 11,16 **** #ifndef __IPL_H__ #define __IPL_H__ ! 
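Review bot: The rewritten session setup in ip_proxy.c (new lines 152-169) no longer contains `nat->nat_aps = aps;`, while the FTP proxy in this same patch reads `nat->nat_aps->aps_data`. Unless the caller stores the return value in `nat->nat_aps` (not visible in the hunk), that pointer stays unset; restoring `nat->nat_aps = aps;` next to `aps->aps_nat = nat;` keeps both links in one place. The nested `if (apr->apr_new != NULL) if (...) {` would be less fragile as one braced condition, `if (apr->apr_new != NULL && (*apr->apr_new)(fin, ip, aps, nat) == -1) {`. The function starts outside the hunk.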
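Review bot: `ftp_passok` in the new ftpinfo_t (ip_proxy.h, new lines 83-95) is a bare u_int whose values 0-4 carry the whole login state machine, and their meaning can only be recovered by reading both directions of ip_ftp_pxy.c. From the code in this patch: 0 = nothing seen, 1 = USER sent, 2 = 331 received, 3 = PASS sent, 4 = 230 received. Put that in a comment on the field, or define named constants for the five states so the `case` labels and the `!= 4` tests explain themselves.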
#define IPL_VERSION "IP Filter: v3.3.11" #endif --- 11,16 ---- #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.3.12" #endif diff -cr ip_fil3.3.11/parse.c ip_fil3.3.12/parse.c *** ip_fil3.3.11/parse.c Sat Mar 4 16:21:18 2000 --- ip_fil3.3.12/parse.c Wed Mar 8 22:43:55 2000 *************** *** 41,47 **** #if !defined(lint) static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: parse.c,v 2.1.2.11 2000/03/04 05:19:25 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; --- 41,47 ---- #if !defined(lint) static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: parse.c,v 2.1.2.12 2000/03/08 11:43:55 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; *************** *** 1547,1553 **** type = ntohs(fp->fr_icmp); code = type & 0xff; type /= 256; ! if (type < (sizeof(icmptypes) / sizeof(char *)) && icmptypes[type]) printf(" icmp-type %s", icmptypes[type]); else --- 1547,1553 ---- type = ntohs(fp->fr_icmp); code = type & 0xff; type /= 256; ! if (type < (sizeof(icmptypes) / sizeof(char *) - 1) && icmptypes[type]) printf(" icmp-type %s", icmptypes[type]); else
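Review bot: The new bound `sizeof(icmptypes) / sizeof(char *) - 1` in parse.c (new lines 1547-1553) subtracts one with no explanation, so a reader cannot tell whether the last slot is a sentinel or the table is declared one entry longer than its contents. Add a comment saying which, and use `sizeof(icmptypes[0])` in place of `sizeof(char *)` so the element count follows the array's declaration. The enclosing function is outside the hunk.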