The Tcpdump Group git mirrors

author	Denis Ovsienko <[email protected]>
	Mon, 14 Aug 2017 23:05:32 +0000 (00:05 +0100)
committer	Denis Ovsienko <[email protected]>
	Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
commit	5d340a5ca6e420a70297cdbdf777333f18bfdab7
tree	eebe0f4161a304e24f438d466b036d04c286e183	tree
parent	bd4e697ebd6c8457efa8f28f6831fc929b88a014	commit \| diff

CVE-2017-13052/CFM: refine decoding of the Sender ID TLV

In cfm_network_addr_print() add a length argument and use it to validate
the input buffer.

In cfm_print() add a length check for MAC address chassis ID. Supply
cfm_network_addr_print() with the length of its buffer and a correct
pointer to the buffer (it was off-by-one before). Change some error
handling blocks to skip to the next TLV in the current PDU rather than to
stop decoding the PDU. Print the management domain and address contents,
although in hex only so far.

Add some comments to clarify the code flow and to tell exact sections in
IEEE standard documents. Add new error messages and make some existing
messages more specific.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).

print-cfm.c		diff \| blob \| history
tests/TESTLIST		diff \| blob \| history
tests/cfm_sender_id-oobr.out	[new file with mode: 0644]	blob
tests/cfm_sender_id-oobr.pcap	[new file with mode: 0644]	blob