CVE-2016-7992/When comparing against an LLC+SNAP header, check only the bytes we...
authorGuy Harris <[email protected]>
Fri, 3 Jul 2015 18:24:37 +0000 (11:24 -0700)
committerFrancois-Xavier Le Bail <[email protected]>
Wed, 18 Jan 2017 08:16:35 +0000 (09:16 +0100)
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.

Fix a length value to be unsigned while we're at it.

print-cip.c
tests/TESTLIST
tests/heap-overflow-2.out [new file with mode: 0644]
tests/heap-overflow-2.pcap [new file with mode: 0644]

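--- a/print-cip.c
+++ b/print-cip.c
@@ -33,8 +33,6 @@
 #include "netdissect.h"
 #include "addrtoname.h"
 
-#define RFC1483LLC_LEN 8
-
 static const unsigned char rfcllc[] = {
        0xaa,   /* DSAP: non-ISO */
        0xaa,   /* SSAP: non-ISO */
@@ -44,12 +42,12 @@ static const unsigned char rfcllc[] = {
        0x00 };
 
 static inline void
-cip_print(netdissect_options *ndo, int length)
+cip_print(netdissect_options *ndo, u_int length)
 {
        /*
         * There is no MAC-layer header, so just print the length.
         */
-       ND_PRINT((ndo, "%d: ", length));
+       ND_PRINT((ndo, "%u: ", length));
 }
 
 /*
@@ -63,17 +61,23 @@ cip_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h, const u_char
 {
        u_int caplen = h->caplen;
        u_int length = h->len;
+       size_t cmplen;
        int llc_hdrlen;
 
-       if (memcmp(rfcllc, p, sizeof(rfcllc))==0 && caplen < RFC1483LLC_LEN) {
-               ND_PRINT((ndo, "[|cip]"));
-               return (0);
-       }
+       cmplen = sizeof(rfcllc);
+       if (cmplen > caplen)
+               cmplen = caplen;
+       if (cmplen > length)
+               cmplen = length;
 
        if (ndo->ndo_eflag)
                cip_print(ndo, length);
 
-       if (memcmp(rfcllc, p, sizeof(rfcllc)) == 0) {
+       if (cmplen == 0) {
+               ND_PRINT((ndo, "[|cip]"));
+               return 0;
+       }
+       if (memcmp(rfcllc, p, cmplen) == 0) {
                /*
                 * LLC header is present.  Try to print it & higher layers.
                 */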
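Review bot: A truncated prefix match is now treated as a full LLC+SNAP match: once `cmplen` has been clamped below `sizeof(rfcllc)`, `memcmp(rfcllc, p, cmplen) == 0` can succeed on as little as one captured byte (caplen 1 with `p[0] == 0xaa`) and the packet then takes the LLC branch with that short caplen, whereas the removed code printed `[|cip]` for a matching-but-short header. Only the `cmplen == 0` case keeps the truncation marker in the new code. Unless the LLC printer that follows (outside this hunk) tolerates a caplen shorter than the 8-byte header, which I cannot confirm from here, I would keep the old intent by adding `if (cmplen < sizeof(rfcllc)) { ND_PRINT((ndo, "[|cip]")); return 0; }` as the first statement inside the match branch, mirroring the return value of the new `cmplen == 0` path. The body of cip_if_print continues past the end of this hunk.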
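--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -369,3 +369,4 @@ bfd-raw-auth-sha1-v bfd-raw-auth-sha1.pcap bfd-raw-auth-sha1-v.out -t -v
 
 # bad packets from Hanno Böck
 heap-overflow-1        heap-overflow-1.pcap            heap-overflow-1.out     -t -v -n
+heap-overflow-2        heap-overflow-2.pcap            heap-overflow-2.out     -t -v -n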
diff --git a/tests/heap-overflow-2.out b/tests/heap-overflow-2.out
new file mode 100644 (file)
index 0000000..d2fd93f
--- /dev/null
@@ -0,0 +1 @@
+IP3 [|ip]
diff --git a/tests/heap-overflow-2.pcap b/tests/heap-overflow-2.pcap
new file mode 100644 (file)
index 0000000..7770b95
Binary files /dev/null and b/tests/heap-overflow-2.pcap differ