CVE-2017-16808/AoE: Add a missing bounds check.

In aoev1_reserve_print() check bounds before trying to print an Ethernet
address.

Updated from a Denis Ovsienko's fix.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

diff --git a/print-aoe.c b/print-aoe.c
index cd0886719b50357a3556a681411742da10572db7..5acab319765637eb6291fbab21d9e379b103165c 100644 (file)
--- a/print-aoe.c
+++ b/print-aoe.c
@@ -328,6 +328,7 @@ aoev1_reserve_print(netdissect_options *ndo,
                goto invalid;
        /* addresses */
        for (i = 0; i < nmacs; i++) {
+               ND_TCHECK_LEN(cp, MAC_ADDR_LEN);
                ND_PRINT("\n\tEthernet Address %u: %s", i, etheraddr_string(ndo, cp));
                cp += MAC_ADDR_LEN;
        }