The Tcpdump Group git mirrors - tcpdump/commit
CVE-2017-13019: Clean up PGM option processing.
author Guy Harris <[email protected]>
Wed, 22 Mar 2017 04:49:45 +0000 (21:49 -0700)
committer Denis Ovsienko <[email protected]>
Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
commit 4601c685e7fd19c3724d5e499c69b8d3ec49933e
tree 4aa5d2c8b12aa0be5a83db8dffd541fce730e2bd
parent 26a6799b9ca80508c05cac7a9a3bef922991520b

Add #defines for option lengths or the lengths of the fixed-length part
of the option.  Sometimes those #defines differ from what was there
before; what was there before was wrong, probably because the option
lengths given in RFC 3208 were sometimes wrong - some lengths included
the length of the option header, some lengths didn't.

Don't use "sizeof(uintXX_t)" for sizes in the packet, just use the
number of bytes directly.

For the options that include an IPv4 or IPv6 address, check the option
length against the length of what precedes the address before fetching
any of that data.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
print-pgm.c
tests/TESTLIST
tests/pgm_opts_asan_2.out [new file with mode: 0644]
tests/pgm_opts_asan_2.pcap [new file with mode: 0644]
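
The length-before-fetch rule from the commit message, as an added C example (not tcpdump's code and not part of this commit). The option layout, the constant and function names, and the sample bytes are assumptions made for illustration:

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed layout for this example (hypothetical names, not tcpdump's):
 * type(1) len(1) reserved(2) AFI(2) reserved(2) address(4 or 16).
 * len counts the whole option, including the type and len bytes. */
#define OPT_FIXED_LEN 8          /* bytes that precede the address */
#define AFI_IPV4 1
#define AFI_IPV6 2

/* Returns the address length (4 or 16) and sets *addr, or -1 if the
 * option is truncated or its declared length is inconsistent. */
int parse_addr_option(const uint8_t *p, size_t caplen, const uint8_t **addr)
{
    size_t optlen, alen;
    unsigned afi;
    if (caplen < 2)                  /* type and len bytes must be present */
        return -1;
    optlen = p[1];
    if (optlen < OPT_FIXED_LEN)      /* too short to hold the AFI: do not fetch it */
        return -1;
    if (optlen > caplen)             /* declared length runs past captured data */
        return -1;
    afi = (unsigned)p[4] << 8 | p[5];    /* safe: 8 bytes are known to exist */
    switch (afi) {
    case AFI_IPV4: alen = 4;  break;
    case AFI_IPV6: alen = 16; break;
    default:       return -1;
    }
    if (optlen != OPT_FIXED_LEN + alen)  /* length must match the family */
        return -1;
    *addr = p + OPT_FIXED_LEN;
    return (int)alen;
}

/* Constructed sample options; the type byte 0x07 is arbitrary here. */
static const uint8_t good_v4[]   = {0x07, 12, 0,0, 0,1, 0,0, 192,0,2,1};
static const uint8_t short_len[] = {0x07, 4, 0,0};              /* len < fixed part */
static const uint8_t lying_len[] = {0x07, 12, 0,0, 0,1, 0,0};   /* len > captured */
static const uint8_t v6_short[]  = {0x07, 12, 0,0, 0,2, 0,0, 1,2,3,4}; /* IPv6 AFI, 4 bytes */

int main(void)
{
    const uint8_t *a;
    return !(parse_addr_option(good_v4, sizeof good_v4, &a) == 4 &&
             parse_addr_option(short_len, sizeof short_len, &a) == -1 &&
             parse_addr_option(lying_len, sizeof lying_len, &a) == -1 &&
             parse_addr_option(v6_short, sizeof v6_short, &a) == -1);
}
```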