From: Guy Harris Date: Tue, 21 Feb 2017 21:40:19 +0000 (-0800) Subject: CVE-2017-13000/IEEE 802.15.4: Fix bug introduced by previous fix. X-Git-Tag: tcpdump-4.9.2~86 X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/1ffd7948358ad5024e4f2a4e5ce19e475136ba78 CVE-2017-13000/IEEE 802.15.4: Fix bug introduced by previous fix. We've already advanced the pointer past the PAN ID, if present; it now points to the address, so don't add 2 to it. This fixes a buffer over-read discovered by Forcepoint's security researchers Otto Airamo & Antti Levomäki. Add a test using the capture file supplied by the reporter(s). --- diff --git a/print-802_15_4.c b/print-802_15_4.c index a43d0333..a7817eb5 100644 --- a/print-802_15_4.c +++ b/print-802_15_4.c @@ -141,7 +141,7 @@ ieee802_15_4_if_print(netdissect_options *ndo, return hdrlen; } if (ndo->ndo_vflag) - ND_PRINT((ndo,"%04x:%s ", panid, le64addr_string(ndo, p + 2))); + ND_PRINT((ndo,"%04x:%s ", panid, le64addr_string(ndo, p))); p += 8; caplen -= 8; hdrlen += 8; diff --git a/tests/802_15_4-data.out b/tests/802_15_4-data.out new file mode 100644 index 00000000..0e646751 --- /dev/null +++ b/tests/802_15_4-data.out @@ -0,0 +1 @@ +IEEE 802.15.4 Data packet seq 01 ab4d:10:05:00:81:00:01:00:01 < [|802.15.4] diff --git a/tests/802_15_4-data.pcap b/tests/802_15_4-data.pcap new file mode 100644 index 00000000..4a32784e Binary files /dev/null and b/tests/802_15_4-data.pcap differ diff --git a/tests/TESTLIST b/tests/TESTLIST index 7de31967..d51aa21c 100644 --- a/tests/TESTLIST +++ b/tests/TESTLIST @@ -485,6 +485,7 @@ pimv2-oobr-3 pimv2-oobr-3.pcap pimv2-oobr-3.out -vvv -e pimv2-oobr-4 pimv2-oobr-4.pcap pimv2-oobr-4.out -vvv -e 802_15_4-oobr-1 802_15_4-oobr-1.pcap 802_15_4-oobr-1.out -vvv -e 802_15_4-oobr-2 802_15_4-oobr-2.pcap 802_15_4-oobr-2.out -vvv -e +802_15_4-data 802_15_4-data.pcap 802_15_4-data.out -vvv -e # RTP tests # fuzzed pcap
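Review bot: In the print-802_15_4.c hunk, the corrected `le64addr_string(ndo, p)` call reads eight bytes at `p`, but the visible context (`return hdrlen; }` then `if (ndo->ndo_vflag)` then `p += 8; caplen -= 8; hdrlen += 8;`) does not show the check that guarantees `caplen >= 8` at this point; since the commit message says the previous fix is what introduced this regression, confirm that the guard above the shown context is the one that returns `hdrlen` early, and add a one-line comment before the `ND_PRINT` such as `/* p already advanced past the PAN ID, if present */` so the next reader does not reintroduce the `+ 2`.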
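Review bot: In the tests/802_15_4-data.out hunk, the expected line ends in `[|802.15.4]`, so the supplied capture is truncated and the check only covers the `-vvv -e` printing path up to the address; it would help to state in the commit message that the address `10:05:00:81:00:01:00:01` shown here is the value read from `p` after the PAN ID, so a future reader can tell the expected output was regenerated after the fix and not copied from the over-reading build.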
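Review bot: In the tests/TESTLIST hunk, the new entry `802_15_4-data 802_15_4-data.pcap 802_15_4-data.out -vvv -e` sits directly under `802_15_4-oobr-1` and `802_15_4-oobr-2`, which use the `-oobr-N` suffix for buffer over-read regression tests; since this test also covers a CVE over-read, naming it `802_15_4-oobr-3` (and the .pcap/.out files to match) would keep the convention the adjacent entries follow and make the purpose of the test obvious from the list.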