CVE-2016-7926/Do some additional bounds checking before calling isoclns_print().

Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.

diff --git a/print-ether.c b/print-ether.c
index 59d15c24481a509f5c27fb9682fded67fca65a11..5072c442f74240bf64c89e1aa97e5351e9bdb9a8 100644 (file)
--- a/print-ether.c
+++ b/print-ether.c
@@ -360,7 +360,11 @@ ethertype_print(netdissect_options *ndo,
                return (1);
 
        case ETHERTYPE_ISO:
-               isoclns_print(ndo, p + 1, length - 1, length - 1);
+               if (length == 0 || caplen == 0) {
+                       ND_PRINT((ndo, " [|osi]"));
+                       return (1);
+               }
+               isoclns_print(ndo, p + 1, length - 1, caplen - 1);
                return(1);
 
        case ETHERTYPE_PPPOED:

diff --git a/tests/TESTLIST b/tests/TESTLIST
index 1bcd7b3c8ca815a8c91f6035f35167cef9d17e4b..169750ec7766ac3424a6c99655d9461e11af4fcd 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -382,3 +382,4 @@ gre-heapoverflow-2  gre-heapoverflow-2.pcap gre-heapoverflow-2.out  -t -v -n
 calm-fast-mac-lookup-heapoverflow      calm-fast-mac-lookup-heapoverflow.pcap  calm-fast-mac-lookup-heapoverflow.out   -t -v -n
 geonet-mac-lookup-heapoverflow geonet-mac-lookup-heapoverflow.pcap     geonet-mac-lookup-heapoverflow.out      -t -v -n
 radiotap-heapoverflow  radiotap-heapoverflow.pcap      radiotap-heapoverflow.out -t -v -n
+isoclns-heapoverflow   isoclns-heapoverflow.pcap       isoclns-heapoverflow.out        -t -v -n

diff --git a/tests/isoclns-heapoverflow.out b/tests/isoclns-heapoverflow.out
new file mode 100644 (file)
index 0000000..c2cfdfb
--- /dev/null
+++ b/tests/isoclns-heapoverflow.out
@@ -0,0 +1 @@
+|OSI

diff --git a/tests/isoclns-heapoverflow.pcap b/tests/isoclns-heapoverflow.pcap
new file mode 100644 (file)
index 0000000..6ddf661
Binary files /dev/null and b/tests/isoclns-heapoverflow.pcap differ