CVE-2016-7985,7986/fixup medsa_print()

The code in medsa_print() assumed that the MEDSA packet always follows
an Ethernet header that is inside the allocated memory buffer. But
this is not always the case, see commit 6bc4429 for rationale.

Eliminate the Ethernet header pointer and just pass on the struct
lladdr_info arguments provided.

diff --git a/netdissect.h b/netdissect.h
index ed1a684239277cbe4f966a2a7d861876b0c33bfb..ac916c2a2e117160bb01fd5c23578dcdca075b72 100644 (file)
--- a/netdissect.h
+++ b/netdissect.h
@@ -547,7 +547,7 @@ extern void lwapp_control_print(netdissect_options *, const u_char *, u_int, int
 extern void lwapp_data_print(netdissect_options *, const u_char *, u_int);
 extern void lwres_print(netdissect_options *, const u_char *, u_int);
 extern void m3ua_print(netdissect_options *, const u_char *, const u_int);
-extern void medsa_print(netdissect_options *, const u_char *, u_int, u_int);
+extern void medsa_print(netdissect_options *, const u_char *, u_int, u_int, const struct lladdr_info *, const struct lladdr_info *);
 extern u_int mfr_print(netdissect_options *, register const u_char *, u_int);
 extern void mobile_print(netdissect_options *, const u_char *, u_int);
 extern int mobility_print(netdissect_options *, const u_char *, const u_char *);

diff --git a/print-ether.c b/print-ether.c
index 241c5070c9596896f9c02d835e5ad383089fb293..bbfd7e96991daf4d9cc8a3a80b4e785c164b263c 100644 (file)
--- a/print-ether.c
+++ b/print-ether.c
@@ -439,7 +439,7 @@ ethertype_print(netdissect_options *ndo,
                return (1);
 
        case ETHERTYPE_MEDSA:
-               medsa_print(ndo, p, length, caplen);
+               medsa_print(ndo, p, length, caplen, src, dst);
                return (1);
 
        case ETHERTYPE_LAT:

diff --git a/print-medsa.c b/print-medsa.c
index 005416f06f1ab7c08480ede1fb30c1585f2cb92e..4895fd94a41e488b54143cbd7dec5275bcc630d3 100644 (file)
--- a/print-medsa.c
+++ b/print-medsa.c
@@ -138,15 +138,13 @@ medsa_print_full(netdissect_options *ndo,
 
 void
 medsa_print(netdissect_options *ndo,
-           const u_char *bp, u_int length, u_int caplen)
+           const u_char *bp, u_int length, u_int caplen,
+           const struct lladdr_info *src, const struct lladdr_info *dst)
 {
-       register const struct ether_header *ep;
        const struct medsa_pkthdr *medsa;
-       struct lladdr_info src, dst;
        u_short ether_type;
 
        medsa = (const struct medsa_pkthdr *)bp;
-       ep = (const struct ether_header *)(bp - sizeof(*ep));
        ND_TCHECK(*medsa);
 
        if (!ndo->ndo_eflag)
@@ -159,14 +157,10 @@ medsa_print(netdissect_options *ndo,
        length -= 8;
        caplen -= 8;
 
-       src.addr = ESRC(ep);
-       src.addr_string = etheraddr_string;
-       dst.addr = EDST(ep);
-       dst.addr_string = etheraddr_string;
        ether_type = EXTRACT_16BITS(&medsa->ether_type);
        if (ether_type <= ETHERMTU) {
                /* Try to print the LLC-layer header & higher layers */
-               if (llc_print(ndo, bp, length, caplen, &src, &dst) < 0) {
+               if (llc_print(ndo, bp, length, caplen, src, dst) < 0) {
                        /* packet type not known, print raw packet */
                        if (!ndo->ndo_suppress_default_print)
                                ND_DEFAULTPRINT(bp, caplen);
@@ -177,8 +171,7 @@ medsa_print(netdissect_options *ndo,
                                  tok2str(ethertype_values, "Unknown",
                                          ether_type),
                                  ether_type));
-
-               if (ethertype_print(ndo, ether_type, bp, length, caplen, &src, &dst) == 0) {
+               if (ethertype_print(ndo, ether_type, bp, length, caplen, src, dst) == 0) {
                        /* ether_type not known, print raw packet */
                        if (!ndo->ndo_eflag)
                                ND_PRINT((ndo, "ethertype %s (0x%04x) ",