CVE-2017-13687/CHDLC: Improve bounds and length checks.

[tcpdump] / print-ppp.c

diff --git a/print-ppp.c b/print-ppp.c
index 078f6a56c02a3bae4857b4cd80aaaf30c6453dd5..b30f224c80529ba16d3aa1a12be4b767003eddae 100644 (file)
--- a/print-ppp.c
+++ b/print-ppp.c
@@ -22,6 +22,8 @@
  * complete PPP support.
  */
 
+/* \summary: Point to Point Protocol (PPP) printer */
+
 /*
  * TODO:
  * o resolve XXX as much as possible
@@ -942,6 +944,9 @@ handle_pap(netdissect_options *ndo,
 
        switch (code) {
        case PAP_AREQ:
+               /* A valid Authenticate-Request is 6 or more octets long. */
+               if (len < 6)
+                       goto trunc;
                if (length - (p - p0) < 1)
                        return;
                ND_TCHECK(*p);
@@ -970,6 +975,13 @@ handle_pap(netdissect_options *ndo,
                break;
        case PAP_AACK:
        case PAP_ANAK:
+               /* Although some implementations ignore truncation at
+                * this point and at least one generates a truncated
+                * packet, RFC 1334 section 2.2.2 clearly states that
+                * both AACK and ANAK are at least 5 bytes long.
+                */
+               if (len < 5)
+                       goto trunc;
                if (length - (p - p0) < 1)
                        return;
                ND_TCHECK(*p);
@@ -1252,7 +1264,7 @@ print_ccp_config_options(netdissect_options *ndo,
                ND_TCHECK2(*(p + 2), 1);
                ND_PRINT((ndo, ": Window: %uK, Method: %s (0x%x), MBZ: %u, CHK: %u",
                        (p[2] & 0xf0) >> 4,
-                       ((p[2] & 0x0f) == 8) ? "zlib" : "unkown",
+                       ((p[2] & 0x0f) == 8) ? "zlib" : "unknown",
                        p[2] & 0x0f, (p[3] & 0xfc) >> 2, p[3] & 0x03));
                break;
 
@@ -1669,6 +1681,11 @@ ppp_hdlc_if_print(netdissect_options *ndo,
                return (chdlc_if_print(ndo, h, p));
 
        default:
+               if (caplen < 4) {
+                       ND_PRINT((ndo, "[|ppp]"));
+                       return (caplen);
+               }
+
                if (ndo->ndo_eflag)
                        ND_PRINT((ndo, "%02x %02x %d ", p[0], p[1], length));
                p += 2;