CVE-2017-5486/Do ND_TCHECK2 bounds checks on source and destination addresses.
authorGuy Harris <[email protected]>
Sat, 14 Jan 2017 02:00:46 +0000 (18:00 -0800)
committerFrancois-Xavier Le Bail <[email protected]>
Wed, 18 Jan 2017 08:16:42 +0000 (09:16 +0100)
Those are needed in addition to the checks against li.

This should fix GitHub issue #562.  I suspect issue #563 is a separate
problem.

Tweak length check messages to be more like the IS-IS ones, and fix both
to print unsigned values with %u, while we're at it.

print-isoclns.c

index 8232953f84b505c171f05a6e01a103a84042d167..9ee93d29e0373ae2b8efb072b626335fd88ceb44 100644 (file)
@@ -790,12 +790,16 @@ clnp_print(netdissect_options *ndo,
             ND_PRINT((ndo, "version %d packet not supported", clnp_header->version));
             return (0);
         }
-        if (li < sizeof(struct clnp_header_t)) {
-            ND_PRINT((ndo, "li < size of fixed part of CLNP header"));
+
+       if (li > length) {
+            ND_PRINT((ndo, " length indicator(%u) > PDU size (%u)!", li, length));
             return (0);
-        }
-        if (li > length) {
-            ND_PRINT((ndo, "li > size of packet"));
+       }
+
+        if (li < sizeof(struct clnp_header_t)) {
+            ND_PRINT((ndo, " length indicator %u < min PDU size:", li));
+            while (pptr < ndo->ndo_snapend)
+                ND_PRINT((ndo, "%02X", *pptr++));
             return (0);
         }
 
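Review bot: The relocated `if (li > length) {` and its closing brace are indented with seven spaces while the surrounding block in clnp_print uses eight, so the new lines should be re-indented to match `if (li < sizeof(struct clnp_header_t)) {` below them. The new "min PDU size:" message also drops the numeric minimum that the old message printed, which makes the hex dump that follows harder to interpret; `ND_PRINT((ndo, " length indicator %u < min PDU size %u:", li, (unsigned)sizeof(struct clnp_header_t)));` keeps the value visible, and the same applies to the esis_print message in the last hunk with `(unsigned)(sizeof(struct esis_header_t) + 2)`. The hex-dump loop is bounded by `ndo->ndo_snapend`, so it reads only captured bytes, and it mirrors the esis_print loop, which is good for consistency. clnp_print's body begins before and continues after this hunk.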
@@ -819,6 +823,7 @@ clnp_print(netdissect_options *ndo,
             ND_PRINT((ndo, "li < size of fixed part of CLNP header and addresses"));
             return (0);
         }
+        ND_TCHECK2(*pptr, dest_address_length);
         dest_address = pptr;
         pptr += dest_address_length;
         li -= dest_address_length;
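Review bot: The added `ND_TCHECK2(*pptr, dest_address_length);` is the right fix but carries no comment explaining why it is needed next to the li check two lines above, and the two checks guard different things, so a maintainer could later fold one into the other. A one-line comment such as `/* li bounds the header as declared by the sender; ND_TCHECK2 bounds it against the bytes actually captured, which may be fewer. */` above the macro would make that explicit; the same comment fits the `ND_TCHECK2(*pptr, source_address_length);` line in the next hunk. `ND_TCHECK2` presumably jumps to a `trunc` label in clnp_print, which lies outside this hunk and cannot be checked here. The enclosing function starts and ends outside the hunk.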
@@ -835,6 +840,7 @@ clnp_print(netdissect_options *ndo,
             ND_PRINT((ndo, "li < size of fixed part of CLNP header and addresses"));
             return (0);
         }
+        ND_TCHECK2(*pptr, source_address_length);
         source_address = pptr;
         pptr += source_address_length;
         li -= source_address_length;
@@ -1118,12 +1124,12 @@ esis_print(netdissect_options *ndo,
         }
 
        if (li > length) {
-            ND_PRINT((ndo, " length indicator(%d) > PDU size (%d)!", li, length));
+            ND_PRINT((ndo, " length indicator(%u) > PDU size (%u)!", li, length));
             return;
        }
 
        if (li < sizeof(struct esis_header_t) + 2) {
-            ND_PRINT((ndo, " length indicator < min PDU size %d:", li));
+            ND_PRINT((ndo, " length indicator %u < min PDU size:", li));
             while (pptr < ndo->ndo_snapend)
                 ND_PRINT((ndo, "%02X", *pptr++));
             return;