CVE-2016-7925/Add more bounds checks.
authorGuy Harris <[email protected]>
Fri, 3 Jul 2015 19:05:26 +0000 (12:05 -0700)
committerFrancois-Xavier Le Bail <[email protected]>
Wed, 18 Jan 2017 08:16:35 +0000 (09:16 +0100)
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.

print-sl.c
tests/TESTLIST
tests/heapoverflow-sl_if_print.out [new file with mode: 0644]
tests/heapoverflow-sl_if_print.pcap [new file with mode: 0644]

index ec81608b7b8b7a16be99d4c2502ac2fb87d59819..3fd7e898dee5c0eae63790f66ff8efd5a9a32f95 100644 (file)
@@ -68,6 +68,7 @@ sl_if_print(netdissect_options *ndo,
                return (caplen);
        }
 
                return (caplen);
        }
 
+       caplen -= SLIP_HDRLEN;
        length -= SLIP_HDRLEN;
 
        ip = (const struct ip *)(p + SLIP_HDRLEN);
        length -= SLIP_HDRLEN;
 
        ip = (const struct ip *)(p + SLIP_HDRLEN);
@@ -75,6 +76,11 @@ sl_if_print(netdissect_options *ndo,
        if (ndo->ndo_eflag)
                sliplink_print(ndo, p, ip, length);
 
        if (ndo->ndo_eflag)
                sliplink_print(ndo, p, ip, length);
 
+       if (caplen < 1 || length < 1) {
+               ND_PRINT((ndo, "%s", tstr));
+               return (caplen + SLIP_HDRLEN);
+       }
+
        switch (IP_V(ip)) {
        case 4:
                ip_print(ndo, (const u_char *)ip, length);
        switch (IP_V(ip)) {
        case 4:
                ip_print(ndo, (const u_char *)ip, length);
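Review bot: The new `if (caplen < 1 || length < 1)` guard is placed after the `sliplink_print(ndo, p, ip, length)` call in the same hunk, so when `-e` is given that helper is handed the `ip` pointer before anything has confirmed a single captured byte exists past the SLIP header; if sliplink_print (not visible here) reads the IP header for any of its cases, the overflow this commit targets is still reachable on that path. Moving the four-line guard above `if (ndo->ndo_eflag)` closes that ordering gap at no cost, since the guard's return value is the same either way. The threshold of 1 also deserves a comment so it is not "tightened" later by mistake, e.g. `/* IP_V() reads only the first byte of the IP header */`. sl_if_print starts before this hunk and continues past it, so the earlier `caplen >= SLIP_HDRLEN` check that makes `caplen -= SLIP_HDRLEN` safe is assumed rather than visible.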
index 4f13b62ec0f6dcee42c5d055b0a58b6a49685493..241dc91bd778a82bc0917b2a7ce1d3ed85a13090 100644 (file)
@@ -373,3 +373,4 @@ heap-overflow-2     heap-overflow-2.pcap            heap-overflow-2.out     -t -v -n
 heapoverflow-atalk_print       heapoverflow-atalk_print.pcap   heapoverflow-atalk_print.out    -t -v -n
 heapoverflow-EXTRACT_16BITS    heapoverflow-EXTRACT_16BITS.pcap        heapoverflow-EXTRACT_16BITS.out -t -v -n
 heapoverflow-ppp_hdlc_if_print heapoverflow-ppp_hdlc_if_print.pcap     heapoverflow-ppp_hdlc_if_print.out      -t -v -n
 heapoverflow-atalk_print       heapoverflow-atalk_print.pcap   heapoverflow-atalk_print.out    -t -v -n
 heapoverflow-EXTRACT_16BITS    heapoverflow-EXTRACT_16BITS.pcap        heapoverflow-EXTRACT_16BITS.out -t -v -n
 heapoverflow-ppp_hdlc_if_print heapoverflow-ppp_hdlc_if_print.pcap     heapoverflow-ppp_hdlc_if_print.out      -t -v -n
+heapoverflow-sl_if_print       heapoverflow-sl_if_print.pcap   heapoverflow-sl_if_print.out    -t -v -n
diff --git a/tests/heapoverflow-sl_if_print.out b/tests/heapoverflow-sl_if_print.out
new file mode 100644 (file)
index 0000000..4ddcf52
--- /dev/null
@@ -0,0 +1 @@
+[|slip]
diff --git a/tests/heapoverflow-sl_if_print.pcap b/tests/heapoverflow-sl_if_print.pcap
new file mode 100644 (file)
index 0000000..4541b1d
Binary files /dev/null and b/tests/heapoverflow-sl_if_print.pcap differ