The Tcpdump Group git mirrors - tcpdump/commit
CVE-2017-12985/IPv6: Check for print routines returning -1 when running past the...
author Guy Harris <[email protected]>
Sat, 4 Feb 2017 11:13:18 +0000 (03:13 -0800)
committer Denis Ovsienko <[email protected]>
Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
commit 66df248b49095c261138b5a5e34d341a6bf9ac7f
tree 0a3d2c754c3a71eb69dbbffe2baeddbcbd8024e9
parent 0318fa8b61bd6c837641129d585f1a73c652b1e0
CVE-2017-12985/IPv6: Check for print routines returning -1 when running past the end.

rt6_print(), ah_print(), and esp_print() return -1 if they run up
against the end of the packet while dissecting; if that happens, stop
dissecting, don't try to fetch the next header value, because 1) *it*
might be past the end of the packet and 2) we won't be using it in any
case, as we'll be exiting the loop.

Also, change mobility_print() to return -1 if it runs up against the
end of the packet, and stop dissecting if it does so.

This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter.

Add tests using the capture files supplied by the reporter(s).
print-ip6.c
print-mobility.c
tests/TESTLIST
tests/ipv6-next-header-oobr-1.out [new file with mode: 0644]
tests/ipv6-next-header-oobr-1.pcap [new file with mode: 0644]
tests/ipv6-next-header-oobr-2.out [new file with mode: 0644]
tests/ipv6-next-header-oobr-2.pcap [new file with mode: 0644]
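
The pattern the commit message describes, as an added C example (not tcpdump's code and not part of this commit): a chain walker that stops as soon as a per-header routine returns -1, before it fetches the next-header octet. The names `ext_print` and `walk_chain` and the set of header types are assumptions, and the example generalizes to several extension header types using their RFC length encodings.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names throughout; this is not tcpdump's code. */
enum { NH_HOPOPTS = 0, NH_ROUTING = 43, NH_AH = 51, NH_DSTOPTS = 60, NH_MOBILITY = 135 };

static int is_ext(uint8_t nh)
{
    return nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_AH ||
           nh == NH_DSTOPTS || nh == NH_MOBILITY;
}

/* Dissect one extension header of type nh starting at bp, with `left` captured
 * bytes available. Returns the header length, or -1 if the header runs past
 * the end of the captured data (the convention the commit message describes). */
static int ext_print(uint8_t nh, const uint8_t *bp, size_t left)
{
    size_t len;

    if (left < 2)                       /* next-header and length octets missing */
        return -1;
    if (nh == NH_AH)
        len = ((size_t)bp[1] + 2) * 4;  /* RFC 4302: 32-bit words minus 2 */
    else
        len = ((size_t)bp[1] + 1) * 8;  /* RFC 8200: 8-octet units minus 1 */
    return len > left ? -1 : (int)len;
}

/* Walk the chain that follows the fixed IPv6 header. Returns the upper-layer
 * protocol number, or -1 if dissection stopped at a truncated header. */
int walk_chain(const uint8_t *pkt, size_t caplen, uint8_t first_nh)
{
    size_t off = 0;
    uint8_t nh = first_nh;

    while (is_ext(nh)) {
        int advance = ext_print(nh, pkt + off, caplen - off);
        if (advance < 0)
            return -1;  /* stop here: pkt[off] may itself be out of bounds */
        nh = pkt[off];  /* safe only because ext_print() confirmed the bytes exist */
        off += (size_t)advance;
    }
    return nh;
}
```

Reading `pkt[off]` before testing `advance` is the ordering that lets a header ending exactly at the capture boundary cause a one-byte over-read on the next iteration.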