From: Guy Harris
Date: Mon, 13 Jul 2015 23:52:51 +0000 (-0700)
Subject: CVE-2016-7929/Make sure a Juniper header TLV isn't bigger than what's left in the...
X-Git-Tag: tcpdump-4.9.0-bp~78
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/5e48a557542817a3bd6d344a1b96a3c9ad8ccfb8

CVE-2016-7929/Make sure a Juniper header TLV isn't bigger than what's left in the packet.

Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
---
diff --git a/print-juniper.c b/print-juniper.c
index 4fb5453c..83ac372f 100644
--- a/print-juniper.c
+++ b/print-juniper.c
@@ -92,7 +92,7 @@ enum {
 };

 /* 1 byte type and 1-byte length */
-#define JUNIPER_EXT_TLV_OVERHEAD 2
+#define JUNIPER_EXT_TLV_OVERHEAD 2U

 static const struct tok jnx_ext_tlv_values[] = {
 { JUNIPER_EXT_TLV_IFD_IDX, "Device Interface Index" },
@@ -1203,9 +1203,11 @@ juniper_parse_header(netdissect_options *ndo,
 tlv_len = *(tptr++);
 tlv_value = 0;

- /* sanity check */
+ /* sanity checks */
 if (tlv_type == 0 || tlv_len == 0)
 break;
+ if (tlv_len+JUNIPER_EXT_TLV_OVERHEAD > jnx_ext_len)
+ goto trunc;

 if (ndo->ndo_vflag > 1)
 ND_PRINT((ndo, "\n\t %s Extension TLV #%u, length %u, value ",
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 7e37accc..eda358a6 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -399,3 +399,4 @@ stp-heapoverflow-3 stp-heapoverflow-3.pcap stp-heapoverflow-3.out -t -v -n
 stp-heapoverflow-4 stp-heapoverflow-4.pcap stp-heapoverflow-4.out -t -v -n
 stp-heapoverflow-5 stp-heapoverflow-5.pcap stp-heapoverflow-5.out -t -v -n
 arp-too-long-tha arp-too-long-tha.pcap arp-too-long-tha.out -t -v -n
+juniper_header-heapoverflow juniper_header-heapoverflow.pcap juniper_header-heapoverflow.out -t -v -n
diff --git a/tests/juniper_header-heapoverflow.out b/tests/juniper_header-heapoverflow.out
new file mode 100644
index 00000000..b13cfbee
--- /dev/null
+++ b/tests/juniper_header-heapoverflow.out
@@ -0,0 +1 @@
+[|juniper_hdr], length 808464432 
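Review bot: The new guard `if (tlv_len+JUNIPER_EXT_TLV_OVERHEAD > jnx_ext_len)` in the second print-juniper.c hunk carries no comment saying what it bounds, so a reader cannot tell from this hunk why the two header bytes are counted against jnx_ext_len; add `/* the 1-byte type, 1-byte length and tlv_len value bytes must all fit in the remaining extension-header length */` above it. The check only protects the later value read if jnx_ext_len was itself bounded against the captured data before this loop, which happens outside the hunk, if at all, and should be confirmed. The `2` to `2U` change in the first hunk appears to be there to keep this comparison in unsigned arithmetic; a short note on the define, e.g. `/* unsigned: used in bounds comparisons against the remaining extension length */`, would record that intent. juniper_parse_header starts and ends outside the hunk.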
diff --git a/tests/juniper_header-heapoverflow.pcap b/tests/juniper_header-heapoverflow.pcap
new file mode 100644
index 00000000..89cc3310
Binary files /dev/null and b/tests/juniper_header-heapoverflow.pcap differ