From: Guy Harris Date: Fri, 3 Jul 2015 19:26:18 +0000 (-0700) Subject: CVE-2016-7974/Add an additional bounds check. X-Git-Tag: tcpdump-4.9.0-bp~104 X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/39988398861a5fe3f2a89d1f3ff55ad0f7be770b?ds=inline CVE-2016-7974/Add an additional bounds check. Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
---
diff --git a/print-ip.c b/print-ip.c
index f96ba559..cbcdab85 100644
--- a/print-ip.c
+++ b/print-ip.c
@@ -330,6 +330,10 @@ again:
 switch (ipds->nh) {
 case IPPROTO_AH:
+ if (!ND_TTEST(*ipds->cp)) {
+ ND_PRINT((ndo, "[|AH]"));
+ break;
+ }
 ipds->nh = *ipds->cp;
 ipds->advance = ah_print(ndo, ipds->cp);
 if (ipds->advance <= 0)
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 241dc91b..d4f4bac1 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -374,3 +374,4 @@ heapoverflow-atalk_print heapoverflow-atalk_print.pcap heapoverflow-atalk_print.
 heapoverflow-EXTRACT_16BITS heapoverflow-EXTRACT_16BITS.pcap heapoverflow-EXTRACT_16BITS.out -t -v -n
 heapoverflow-ppp_hdlc_if_print heapoverflow-ppp_hdlc_if_print.pcap heapoverflow-ppp_hdlc_if_print.out -t -v -n
 heapoverflow-sl_if_print heapoverflow-sl_if_print.pcap heapoverflow-sl_if_print.out -t -v -n
+heapoverflow-ip_print_demux heapoverflow-ip_print_demux.pcap heapoverflow-ip_print_demux.out -t -v -n
diff --git a/tests/heapoverflow-ip_print_demux.out b/tests/heapoverflow-ip_print_demux.out
new file mode 100644
index 00000000..af4a46d7
--- /dev/null
+++ b/tests/heapoverflow-ip_print_demux.out
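Review bot: The new `ND_TTEST(*ipds->cp)` guards the symptom rather than the cause: as far as the new expected output shows (`[truncated]): [|AH]`), `ah_print` reports truncation yet still returns a positive advance derived from the packet's own length field, so the demux loop comes back through `again:` with `ipds->cp` already beyond the captured data, and only the one-byte `ipds->nh = *ipds->cp` read in the AH arm is now protected. Any sibling `case` arm outside the hunk that dereferences `ipds->cp` itself, or hands it to a printer that trusts the pointer, is presumably still reachable the same way, so a single `ND_TTEST(*ipds->cp)` check placed right after the `again:` label (bailing out of the function rather than with `break`, since no enclosing loop is visible there) would cover every demuxed protocol once and is worth considering in addition to this per-case check. The per-case guard also deserves a why-comment, e.g. `/* a previous printer may have advanced cp past the end of the captured data; check before reading the next-header byte */`. The enclosing switch and `ip_print_demux` start and end outside the hunk.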
@@ -0,0 +1,6 @@
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432:
+ 0x0000: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+ 0x0010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
+ 0x0020: 3030 00
+IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto AH (51), length 12336, bad cksum 3030 (->697b)!)
+ 48.48.48.48 > 48.48.48.48: AH(spi=0x30303030,sumlen=192,seq=0x30303030[truncated]): [|AH]
diff --git a/tests/heapoverflow-ip_print_demux.pcap b/tests/heapoverflow-ip_print_demux.pcap
new file mode 100644
index 00000000..c3ad2adb
Binary files /dev/null and b/tests/heapoverflow-ip_print_demux.pcap differ