CVE-2017-5482/Q.933: add a missing bounds check
authorDenis Ovsienko <[email protected]>
Thu, 12 Jan 2017 10:09:34 +0000 (10:09 +0000)
committerFrancois-Xavier Le Bail <[email protected]>
Wed, 18 Jan 2017 08:16:41 +0000 (09:16 +0100)
Brian Carpenter found that, even after the fix for CVE-2016-8575, q933_print()
could still overread the buffer while parsing a short packet. This
change fixes the problem.

print-fr.c
tests/TESTLIST
tests/q933-heapoverflow-2.out [new file with mode: 0644]
tests/q933-heapoverflow-2.pcap [new file with mode: 0644]

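--- a/print-fr.c
+++ b/print-fr.c
@@ -906,6 +906,7 @@ q933_print(netdissect_options *ndo,
        ND_PRINT((ndo, "%s, codeset %u", is_ansi ? "ANSI" : "CCITT", codeset));
 
        if (call_ref_length != 0) {
+               ND_TCHECK(p[0]);
                if (call_ref_length > 1 || p[0] != 0) {
                        /*
                         * Not a dummy call reference.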
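Review bot: `ND_TCHECK(p[0])` guards only the single byte read by the dummy-call-reference test on the next line; if the "not a dummy call reference" branch that follows goes on to read the remaining `call_ref_length` bytes of the call reference, that access needs its own bounds check, e.g. `ND_TCHECK2(p[0], call_ref_length);`, which cannot be confirmed from this hunk alone. A short comment above the new check, `/* the call reference may be truncated; bounds-check before p[0] is read */`, would record why the guard sits here rather than relying on the earlier length checks. q933_print() begins and ends outside the hunk.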
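--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -424,6 +424,7 @@ ipv6hdr-heapoverflow        ipv6hdr-heapoverflow.pcap       ipv6hdr-heapoverflow.out        -t
 ipv6hdr-heapoverflow-v ipv6hdr-heapoverflow.pcap       ipv6hdr-heapoverflow-v.out      -t -v
 otv-heapoverflow-1     otv-heapoverflow-1.pcap         otv-heapoverflow-1.out          -t -c10
 otv-heapoverflow-2     otv-heapoverflow-2.pcap         otv-heapoverflow-2.out          -t -c10
+q933-heapoverflow-2    q933-heapoverflow-2.pcap        q933-heapoverflow-2.out         -t
 
 # RTP tests
 # fuzzed pcap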
diff --git a/tests/q933-heapoverflow-2.out b/tests/q933-heapoverflow-2.out
new file mode 100644 (file)
index 0000000..1a40c73
--- /dev/null
@@ -0,0 +1,24 @@
+Q.922, invalid address
+UI 00! Q.922, hdr-len 4, DLCI 5769024, Flags [none], NLPID unknown (0x11), length 41: 
+       0x0000:  886b 68                                  .kh
+Q.922, invalid address
+UI 00! Q.922, hdr-len 4, DLCI 5769024, Flags [none], NLPID unknown (0x14), length 160: 
+       0x0000:  a530 b0                                  .0.
+Q.922, invalid address
+UI 00! Q.922, hdr-len 4, DLCI 5801792, Flags [none], NLPID unknown (0x11), length 179: 
+       0x0000:  886b 68                                  .kh
+Q.922, invalid address
+UI 00! Q.922, hdr-len 4, DLCI 5769024, Flags [none], NLPID unknown (0x14), length 30: 
+       0x0000:  a530 b0                                  .0.
+Q.922, invalid address
+UI 00! Q.922, hdr-len 4, DLCI 1856, Flags [none], NLPID unknown (0x11), length 85: 
+       0x0000:  886b 68                                  .kh
+Q.922, invalid address
+Q.922, invalid address
+UI 00! Q.922, hdr-len 4, DLCI 526144, Flags [none], NLPID unknown (0x14), length 46: 
+       0x0000:  a530 b0                                  .0.
+Q.922, invalid address
+UI 2c! Pad! Q.922, hdr-len 2, DLCI 288, Flags [none], NLPID NULL (0x00), length 24: 
+       0x0000:  1188 6b68                                ..kh
+Q.922, invalid address
+UI 2c! Pad! Q.933, CCITT, codeset 0[|q.933]
diff --git a/tests/q933-heapoverflow-2.pcap b/tests/q933-heapoverflow-2.pcap
new file mode 100644 (file)
index 0000000..c38c7b6
Binary files /dev/null and b/tests/q933-heapoverflow-2.pcap differ