The Tcpdump Group git mirrors

author	Guy Harris <[email protected]>
	Wed, 22 Mar 2017 04:49:45 +0000 (21:49 -0700)
committer	Denis Ovsienko <[email protected]>
	Sun, 3 Sep 2017 23:08:58 +0000 (00:08 +0100)
commit	d1d4404ddb982f94f39876852cfc53a97a105b35
tree	3f5ed4d90327f776bdfbaf715c89d81335f42f97	tree
parent	ec7b673475be62ba50bf7c8adf956ec04ca07ec5	commit \| diff

CVE-2017-13019: Clean up PGM option processing.

Add #defines for option lengths or the lengths of the fixed-length part
of the option. Sometimes those #defines differ from what was there
before; what was there before was wrong, probably because the option
lengths given in RFC 3208 were sometimes wrong - some lengths included
the length of the option header, some lengths didn't.

Don't use "sizeof(uintXX_t)" for sizes in the packet, just use the
number of bytes directly.

For the options that include an IPv4 or IPv6 address, check the option
length against the length of what precedes the address before fetching
any of that data.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.

print-pgm.c		diff \| blob \| history
tests/TESTLIST		diff \| blob \| history
tests/pgm_opts_asan_2.out	[new file with mode: 0644]	blob
tests/pgm_opts_asan_2.pcap	[new file with mode: 0644]	blob