CVE-2016-7973/Add bounds and length checks.
authorGuy Harris <[email protected]>
Sat, 4 Jul 2015 00:45:06 +0000 (17:45 -0700)
committerFrancois-Xavier Le Bail <[email protected]>
Wed, 18 Jan 2017 08:16:36 +0000 (09:16 +0100)
Fixes heap overflows found with American Fuzzy Lop by Hanno Böck.

print-atalk.c
tests/TESTLIST
tests/aarp-heapoverflow-1.out [new file with mode: 0644]
tests/aarp-heapoverflow-1.pcap [new file with mode: 0644]
tests/aarp-heapoverflow-2.out [new file with mode: 0644]
tests/aarp-heapoverflow-2.pcap [new file with mode: 0644]

index 8460a4fd1cd8a74edcf7a7e04a7ec3d3e733b050..a5ce58a40845058c80a10e4fb92adc0ebff7b0f9 100644 (file)
@@ -216,6 +216,15 @@ aarp_print(netdissect_options *ndo,
 
        ND_PRINT((ndo, "aarp "));
        ap = (const struct aarp *)bp;
+       if (!ND_TTEST(*ap)) {
+               /* Just bail if we don't have the whole chunk. */
+               ND_PRINT((ndo, " [|aarp]"));
+               return;
+       }
+       if (length < sizeof(*ap)) {     
+               ND_PRINT((ndo, " [|aarp %u]", length));
+               return;
+       }
        if (EXTRACT_16BITS(&ap->htype) == 1 &&
            EXTRACT_16BITS(&ap->ptype) == ETHERTYPE_ATALK &&
            ap->halen == 6 && ap->palen == 4 )
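Review bot: The `length < sizeof(*ap)` guard added at the second new `if` has no regression test in this commit: both new expected outputs (tests/aarp-heapoverflow-1.out and -2.out) print `aarp  [|aarp]`, which is the ND_TTEST branch, so the ` [|aarp %u]` path is never reached by the new captures. A third capture whose captured bytes cover the struct but whose reported length is shorter than `sizeof(*ap)` would pin that branch. The second guard also lacks the why-comment the first one has and carries trailing whitespace after its `{`; I would write it as `if (length < sizeof(*ap)) { /* On-wire length is shorter than a full AARP header. */`. aarp_print's body continues outside the hunk, so whether the later per-field accesses are fully covered by these two checks cannot be seen from here.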
index 0442e23013b2be2f502047ac2dae04ecf43c23fc..e601f59aae8b7d181450cfc3875d34f7abe5a8ff 100644 (file)
@@ -389,3 +389,5 @@ tcp_header_heapoverflow     tcp_header_heapoverflow.pcap    tcp_header_heapoverflow.out
 ipcomp-heapoverflow    ipcomp-heapoverflow.pcap        ipcomp-heapoverflow.out -t -v -n
 llc-xid-heapoverflow   llc-xid-heapoverflow.pcap       llc-xid-heapoverflow.out        -t -v -n
 udp-length-heapoverflow        udp-length-heapoverflow.pcap    udp-length-heapoverflow.out     -t -v -n
+aarp-heapoverflow-1    aarp-heapoverflow-1.pcap        aarp-heapoverflow-1.out -t -v -n
+aarp-heapoverflow-2    aarp-heapoverflow-2.pcap        aarp-heapoverflow-2.out -t -v -n
diff --git a/tests/aarp-heapoverflow-1.out b/tests/aarp-heapoverflow-1.out
new file mode 100644 (file)
index 0000000..a562223
--- /dev/null
@@ -0,0 +1 @@
+aarp  [|aarp]
diff --git a/tests/aarp-heapoverflow-1.pcap b/tests/aarp-heapoverflow-1.pcap
new file mode 100644 (file)
index 0000000..2524efa
Binary files /dev/null and b/tests/aarp-heapoverflow-1.pcap differ
diff --git a/tests/aarp-heapoverflow-2.out b/tests/aarp-heapoverflow-2.out
new file mode 100644 (file)
index 0000000..a562223
--- /dev/null
@@ -0,0 +1 @@
+aarp  [|aarp]
diff --git a/tests/aarp-heapoverflow-2.pcap b/tests/aarp-heapoverflow-2.pcap
new file mode 100644 (file)
index 0000000..d1b2679
Binary files /dev/null and b/tests/aarp-heapoverflow-2.pcap differ