The Tcpdump Group git mirrors

author	Guy Harris <[email protected]>
	Thu, 23 Mar 2017 20:30:56 +0000 (13:30 -0700)
committer	Denis Ovsienko <[email protected]>
	Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
commit	ae83295915d08a854de27a88efac5dd7353e6d3f
tree	a95b2cb589b390ec8f945faac6b0e2a0e44581c5	tree
parent	e0d8ee571438c755ff988f70886f8c4f5e9a8434	commit \| diff

CVE-2017-13033/VTP: Add more bound and length checks.

This fixes a buffer over-read discovered by Bhargava Shastry.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.

Update another VTP test's .out file for this change.

Don't treate a TLV type or length of 0 as invalid; a type of 0 should
just be reported as illegal if that type isn't used, and the length is
the length of the *value*, not the length of the entire TLV, so if it's
zero there won't be an infinite loop. (It's still not *legal*, as the
values of all the TLVs we handle are 1 16-bit word long; we added a
check for that.)

Update some comments while we're at it, to give a new URL for one Cisco
page and a non-Cisco URL for another former Cisco page (Cisco's UniverCD
pages don't seem to be available any more, and Cisco's robots.txt file
didn't allow the Wayback Machine to archive it).

print-vtp.c		diff \| blob \| history
tests/TESTLIST		diff \| blob \| history
tests/vtp_asan-2.out		diff \| blob \| history
tests/vtp_asan-3.out	[new file with mode: 0644]	blob
tests/vtp_asan-3.pcap	[new file with mode: 0644]	blob