The Tcpdump Group git mirrors - tcpdump/commit
CVE-2017-13055/IS-IS: fix an Extended IS Reachability sub-TLV
author Denis Ovsienko <[email protected]>
Wed, 16 Aug 2017 22:04:31 +0000 (23:04 +0100)
committer Denis Ovsienko <[email protected]>
Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
commit 5d0d76e88ee2d3236d7e032589d6f1d4ec5f7b1e
tree 2451a19aa00b915ff5f6a122406aaeef32945f14
parent 5d340a5ca6e420a70297cdbdf777333f18bfdab7
CVE-2017-13055/IS-IS: fix an Extended IS Reachability sub-TLV

In isis_print_is_reach_subtlv() one of the case blocks did not check that
the sub-TLV "V" is actually present and could over-read the input buffer.
Add a length check to fix that and remove a useless boundary check from
a loop because the boundary is tested for the full length of "V" before
the switch block.

Update one of the prior test cases, as it turns out it depended on this
previously incorrect code path to make it to its own malformed structure
further down the buffer; the bugfix has changed its output.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
print-isoclns.c
tests/TESTLIST
tests/isis-extd-isreach-oobr.out [new file with mode: 0644]
tests/isis-extd-isreach-oobr.pcap [new file with mode: 0644]
tests/isis-seg-fault-1-v.out
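The defect described in the commit message is a value read that was not preceded by a check that the sub-TLV's declared length actually covers the bytes about to be read. The following is an added example written for this page, not tcpdump's print-isoclns.c: a bounded walk over type/length/value sub-TLVs that (a) refuses a declared length that overruns the remaining buffer and (b) refuses a fixed-width type whose declared length is shorter than the type requires, which is the class of check the fix adds. The sub-TLV type codes are taken from RFC 5305 as this example's assumption, and the three input buffers are constructed here rather than taken from the capture files listed above.

```c
/* Added example, not tcpdump code: bounded parsing of IS-IS-style
 * Extended IS Reachability sub-TLVs (1-byte type, 1-byte length, value). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sub-TLV type codes per RFC 5305 (assumption for this example); all three
 * carry a fixed 4-byte value. */
#define SUBTLV_ADMIN_GROUP     3
#define SUBTLV_IPV4_INTF_ADDR  6
#define SUBTLV_MAX_LINK_BW     9

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_LENGTH = -2 };

struct subtlv_summary {
    int count;             /* sub-TLVs fully parsed */
    uint32_t admin_group;  /* last administrative group seen */
    uint32_t intf_addr;    /* last IPv4 interface address seen, host order */
};

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk `len` bytes of sub-TLVs at `buf`. Every value read is preceded by a
 * check that the declared length fits the remaining buffer and that it is at
 * least what the fixed-width type needs; unknown types are skipped by length. */
int parse_is_reach_subtlvs(const uint8_t *buf, size_t len, struct subtlv_summary *out)
{
    size_t off = 0;
    memset(out, 0, sizeof(*out));
    while (off < len) {
        if (len - off < 2)            /* need the type + length header */
            return PARSE_TRUNCATED;
        uint8_t type = buf[off];
        uint8_t vlen = buf[off + 1];
        off += 2;
        if (vlen > len - off)         /* declared value runs past the buffer */
            return PARSE_TRUNCATED;
        const uint8_t *v = buf + off;
        switch (type) {
        case SUBTLV_ADMIN_GROUP:
        case SUBTLV_IPV4_INTF_ADDR:
        case SUBTLV_MAX_LINK_BW:
            if (vlen < 4)             /* the check a fixed-width case must make */
                return PARSE_BAD_LENGTH;
            if (type == SUBTLV_ADMIN_GROUP)
                out->admin_group = get_be32(v);
            else if (type == SUBTLV_IPV4_INTF_ADDR)
                out->intf_addr = get_be32(v);
            break;
        default:
            break;                    /* unknown type: skip its value below */
        }
        off += vlen;
        out->count++;
    }
    return PARSE_OK;
}

/* Constructed sample inputs (not from the page's capture files). */
static const uint8_t good[] = {
    3, 4, 0x00, 0x00, 0x00, 0x05,     /* admin group = 5 */
    6, 4, 0x0a, 0x00, 0x00, 0x01,     /* interface address 10.0.0.1 */
    99, 2, 0xaa, 0xbb                 /* unknown type, skipped by length */
};
/* Declares a 4-byte value but the buffer ends after one byte of it. */
static const uint8_t truncated[] = { 3, 4, 0x00 };
/* Length field says 2 but the type needs 4: a reader trusting the type
 * rather than the length would read two bytes past the sub-TLV. */
static const uint8_t short_value[] = { 6, 2, 0x0a, 0x00 };

static struct subtlv_summary last;

int demo_good(void)       { return parse_is_reach_subtlvs(good, sizeof good, &last); }
int demo_truncated(void)  { return parse_is_reach_subtlvs(truncated, sizeof truncated, &last); }
int demo_short(void)      { return parse_is_reach_subtlvs(short_value, sizeof short_value, &last); }
int last_count(void)      { return last.count; }
uint32_t last_admin(void) { return last.admin_group; }
uint32_t last_intf(void)  { return last.intf_addr; }

int main(void)
{
    printf("good: %d (count %d)\n", demo_good(), last_count());
    printf("truncated: %d\n", demo_truncated());
    printf("short value: %d\n", demo_short());
    return 0;
}
```

The two rejection paths correspond to the two things a sub-TLV reader has to verify before touching the value: that the length byte does not promise more than the enclosing buffer holds, and that it promises at least as much as the type's fixed layout consumes. Skipping unknown types by their declared length, once that length has been bounded, is what lets the loop drop the per-iteration boundary test the commit message calls useless.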