The total length of the OID is the OID length plus the length of the OID
length itself.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.
Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
if (tlen) {
oid_len = *tptr;
- if (tlen < oid_len) {
+ if (tlen < 1U + oid_len) {
return 0;
}
if (oid_len) {
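Review bot: the `1U` in `tlen < 1U + oid_len` is not explained in the code itself; the reason (the OID length octet counts toward the total) appears only in the commit message. A one-line comment above the check, stating that the remaining length must cover the length octet plus the OID bytes, would keep a later cleanup from "simplifying" it back to `tlen < oid_len`. The body of `if (oid_len)` is not visible in this hunk, so it is worth confirming that it steps past the length octet before reading the OID.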
isis_stlv_asan-2 isis_stlv_asan-2.pcap isis_stlv_asan-2.out -v
isis_stlv_asan-3 isis_stlv_asan-3.pcap isis_stlv_asan-3.out -v
isis_stlv_asan-4 isis_stlv_asan-4.pcap isis_stlv_asan-4.out -v
+lldp_mgmt_addr_tlv_asan lldp_mgmt_addr_tlv_asan.pcap lldp_mgmt_addr_tlv_asan.out -v
# RTP tests
# fuzzed pcap
--- /dev/null
+LLDP, length 1048572
+ Management Address TLV (8), length 15
+ Management Address length 6, AFI Reserved (0), no AF printer !
+ Unknown Interface Numbering (10): 666137427
+ [|LLDP]
+00:00:00:a0:d4:c3 > 06:04:e8:03:00:02, ethertype Unknown (0xb2a1), length 58785857:
+ 0x0000: 0200 efff e5ff 804f 006e 0026 0000 0000 .......O.n.&....
+ 0x0010: 01 .
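Review bot: the expected output stops the LLDP packet at `[|LLDP]`, so this test pins only the rejection path of the new length check. Consider pairing it with a capture that holds a well-formed Management Address TLV carrying an OID, so that a check that is too strict and rejects valid TLVs would also show up as a test failure.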