From: Guy Harris
Date: Sat, 14 Jan 2017 02:00:46 +0000 (-0800)
Subject: CVE-2017-5486/Do ND_TCHECK2 bounds checks on source and destination addresses.
X-Git-Tag: tcpdump-4.9.0-bp~14
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/b553848e3e2c0c466f65ab14e253af91467e561a?ds=inline
CVE-2017-5486/Do ND_TCHECK2 bounds checks on source and destination addresses.
Those are needed in addition to the checks against li. This should fix GitHub issue #562. I suspect issue #563 is a separate problem.
Tweak length check messages to be more like the IS-IS ones, and fix both to print unsigned values with %u, while we're at it.
---
diff --git a/print-isoclns.c b/print-isoclns.c
index 8232953f..9ee93d29 100644
--- a/print-isoclns.c
+++ b/print-isoclns.c
@@ -790,12 +790,16 @@ clnp_print(netdissect_options *ndo,
         ND_PRINT((ndo, "version %d packet not supported", clnp_header->version));
         return (0);
     }
-    if (li < sizeof(struct clnp_header_t)) {
-        ND_PRINT((ndo, "li < size of fixed part of CLNP header"));
+
+    if (li > length) {
+        ND_PRINT((ndo, " length indicator(%u) > PDU size (%u)!", li, length));
         return (0);
-    }
-    if (li > length) {
-        ND_PRINT((ndo, "li > size of packet"));
+    }
+
+    if (li < sizeof(struct clnp_header_t)) {
+        ND_PRINT((ndo, " length indicator %u < min PDU size:", li));
+        while (pptr < ndo->ndo_snapend)
+            ND_PRINT((ndo, "%02X", *pptr++));
         return (0);
     }
 
@@ -819,6 +823,7 @@ clnp_print(netdissect_options *ndo,
         ND_PRINT((ndo, "li < size of fixed part of CLNP header and addresses"));
         return (0);
     }
+    ND_TCHECK2(*pptr, dest_address_length);
     dest_address = pptr;
     pptr += dest_address_length;
     li -= dest_address_length;
@@ -835,6 +840,7 @@ clnp_print(netdissect_options *ndo,
         ND_PRINT((ndo, "li < size of fixed part of CLNP header and addresses"));
         return (0);
     }
+    ND_TCHECK2(*pptr, source_address_length);
     source_address = pptr;
     pptr += source_address_length;
     li -= source_address_length;
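Review bot: The rewritten `li < sizeof(struct clnp_header_t)` message in clnp_print prints the offending value but no longer states the minimum it was compared against, so the output does not show by how much the PDU is short; the esis_print message in the -1118 hunk drops its bound the same way. `ND_PRINT((ndo, " length indicator %u < min PDU size %u:", li, (unsigned)sizeof(struct clnp_header_t)));` keeps the IS-IS wording and restores the bound. The move to `%u` is correct only if `li` and `length` are unsigned; their declarations are above the hunk, so confirm that there. The hex dump that follows walks to `ndo->ndo_snapend`, so it is bounded by the captured data rather than by `li`, and clnp_print begins and continues outside this hunk.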
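Review bot: The added ND_TCHECK2 covers the address bytes but not the one-byte read that set `dest_address_length` just above the hunk, which is not visible here; unless an `ND_TCHECK(*pptr)` already guards that byte, a one-byte over-read of the capture buffer remains before this check is reached, and the same applies to `source_address_length` in the -835 hunk. The preceding `li` comparison bounds the address by the PDU's declared length while ND_TCHECK2 bounds it by the captured data, and both are needed as the commit message says; a short comment such as `/* address must fit both in li (PDU) and in the captured data */` above the check would make the pairing obvious to the next reader. ND_TCHECK2 jumps to the function's `trunc` label on failure, which lies outside this hunk, as do the start and end of clnp_print.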
@@ -1118,12 +1124,12 @@ esis_print(netdissect_options *ndo,
     }
 
     if (li > length) {
-        ND_PRINT((ndo, " length indicator(%d) > PDU size (%d)!", li, length));
+        ND_PRINT((ndo, " length indicator(%u) > PDU size (%u)!", li, length));
         return;
     }
 
     if (li < sizeof(struct esis_header_t) + 2) {
-        ND_PRINT((ndo, " length indicator < min PDU size %d:", li));
+        ND_PRINT((ndo, " length indicator %u < min PDU size:", li));
         while (pptr < ndo->ndo_snapend)
             ND_PRINT((ndo, "%02X", *pptr++));
         return;