CVE-2016-7973/Add some bounds checks.
authorGuy Harris <[email protected]>
Fri, 3 Jul 2015 18:43:30 +0000 (11:43 -0700)
committerFrancois-Xavier Le Bail <[email protected]>
Wed, 18 Jan 2017 08:16:35 +0000 (09:16 +0100)
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.

print-atalk.c
tests/TESTLIST
tests/heapoverflow-atalk_print.out [new file with mode: 0644]
tests/heapoverflow-atalk_print.pcap [new file with mode: 0644]

index 2a67499079d081a3bd247e7dbcc49503ea17e47a..59de3a670a3de30ce1ee6b6159f4f8d3ad4941d8 100644 (file)
@@ -77,7 +77,14 @@ u_int
 ltalk_if_print(netdissect_options *ndo,
                const struct pcap_pkthdr *h, const u_char *p)
 {
-       return (llap_print(ndo, p, h->caplen));
+       u_int hdrlen;
+
+       hdrlen = llap_print(ndo, p, h->caplen);
+       if (hdrlen == 0) {
+               /* Cut short by the snapshot length. */
+               return (h->caplen);
+       }
+       return (hdrlen);
 }
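Review bot: The `hdrlen == 0` test treats 0 as the "cut short by the snapshot length" sentinel, but llap_print also returns 0 legitimately when it is entered with `length` 0, via its `return (length)` branches. Here the overload is harmless, because in that case `h->caplen` is 0 as well and both paths yield the same value, but the comment should record that so the next reader does not have to re-derive it: `/* 0 means cut short by the snapshot length (a zero caplen also gives 0, and the same result). */`. ltalk_if_print is shown in full by this hunk.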
 
 /*
@@ -93,6 +100,10 @@ llap_print(netdissect_options *ndo,
        u_short snet;
        u_int hdrlen;
 
+       if (!ND_TTEST2(*bp, sizeof(*lp))) {
+               ND_PRINT((ndo, " [|llap]"));
+               return (0);     /* cut short by the snapshot length */
+       }
        if (length < sizeof(*lp)) {
                ND_PRINT((ndo, " [|llap %u]", length));
                return (length);
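Review bot: The added snapshot check runs before the existing `length < sizeof(*lp)` check, so a packet that is short in both senses now prints " [|llap]" and returns 0 instead of printing " [|llap %u]" and returning `length`; if that change in output and return value is intended, a comment on the check such as `/* Capture bound is tested before the on-the-wire length. */` would make it deliberate. The same ordering applies to the `ddpSSize` and `ddpSize` checks in the next two hunks of llap_print and to the `ddpSize` check in atalk_print. Since the check sizes itself by `sizeof(*lp)`, `if (!ND_TTEST(*lp))` would express the same bound without restating the size, provided `lp` has already been assigned from `bp` at this point, which the hunk does not show. llap_print begins and ends outside this hunk.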
@@ -104,6 +115,10 @@ llap_print(netdissect_options *ndo,
        switch (lp->type) {
 
        case lapShortDDP:
+               if (!ND_TTEST2(*bp, ddpSSize)) {
+                       ND_PRINT((ndo, " [|sddp]"));
+                       return (0);     /* cut short by the snapshot length */
+               }
                if (length < ddpSSize) {
                        ND_PRINT((ndo, " [|sddp %u]", length));
                        return (length);
@@ -120,6 +135,10 @@ llap_print(netdissect_options *ndo,
                break;
 
        case lapDDP:
+               if (!ND_TTEST2(*bp, ddpSize)) {
+                       ND_PRINT((ndo, " [|ddp]"));
+                       return (0);     /* cut short by the snapshot length */
+               }
                if (length < ddpSize) {
                        ND_PRINT((ndo, " [|ddp %u]", length));
                        return (length);
@@ -166,6 +185,10 @@ atalk_print(netdissect_options *ndo,
         if(!ndo->ndo_eflag)
             ND_PRINT((ndo, "AT "));
 
+       if (!ND_TTEST2(*bp, ddpSize)) {
+               ND_PRINT((ndo, " [|ddp]"));
+               return;
+       }
        if (length < ddpSize) {
                ND_PRINT((ndo, " [|ddp %u]", length));
                return;
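Review bot: The truncation branch added here lacks the `/* cut short by the snapshot length */` comment that the three matching checks in llap_print carry; for consistency write `return;     /* cut short by the snapshot length */`. The new expected output `et1 AT  [|ddp]` in tests/heapoverflow-atalk_print.out shows this is the branch the fuzzed capture reaches, and the double space comes from the existing `"AT "` prefix followed by the leading space of the new message, which matches the existing " [|ddp %u]" message. atalk_print begins and ends outside this hunk.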
index 3eb0b56374d0fb2d337073876bd14626255b6bab..b5f00e6cd7ecc08aaa06674cc75191c6cc984c2a 100644 (file)
@@ -370,3 +370,4 @@ bfd-raw-auth-sha1-v bfd-raw-auth-sha1.pcap bfd-raw-auth-sha1-v.out -t -v
 # bad packets from Hanno Böck
 heap-overflow-1        heap-overflow-1.pcap            heap-overflow-1.out     -t -v -n
 heap-overflow-2        heap-overflow-2.pcap            heap-overflow-2.out     -t -v -n
+heapoverflow-atalk_print       heapoverflow-atalk_print.pcap   heapoverflow-atalk_print.out    -t -v -n
diff --git a/tests/heapoverflow-atalk_print.out b/tests/heapoverflow-atalk_print.out
new file mode 100644 (file)
index 0000000..0ddc641
--- /dev/null
@@ -0,0 +1 @@
+et1 AT  [|ddp]
diff --git a/tests/heapoverflow-atalk_print.pcap b/tests/heapoverflow-atalk_print.pcap
new file mode 100644 (file)
index 0000000..f903527
Binary files /dev/null and b/tests/heapoverflow-atalk_print.pcap differ