From a24cccfd4abcda51db9f73f46d425c7c1e357a87 Mon Sep 17 00:00:00 2001 From: Francois-Xavier Le Bail Date: Mon, 11 Mar 2019 22:07:06 +0100 Subject: [PATCH] IPX: Add a length check This fix an undefined behavior at runtime. The error was: print-ipx.c:93:43: runtime error: unsigned integer overflow: 29 - 30 cannot be represented in type 'unsigned int' Add a test case. --- print-ipx.c | 5 +++++ tests/TESTLIST | 3 +++ tests/ipx-invalid-length.out | 1 + tests/ipx-invalid-length.pcap | Bin 0 -> 100 bytes 4 files changed, 9 insertions(+) create mode 100644 tests/ipx-invalid-length.out create mode 100644 tests/ipx-invalid-length.pcap diff --git a/print-ipx.c b/print-ipx.c index 674dd457..c724e87f 100644 --- a/print-ipx.c +++ b/print-ipx.c @@ -90,6 +90,11 @@ ipx_print(netdissect_options *ndo, const u_char *p, u_int length) ND_TCHECK_2(ipx->length); length = EXTRACT_BE_U_2(ipx->length); + if (length < ipxSize) { + ND_PRINT("[length %u < %u]", length, ipxSize); + nd_print_invalid(ndo); + return; + } ipx_decode(ndo, ipx, p + ipxSize, length - ipxSize); return; trunc: diff --git a/tests/TESTLIST b/tests/TESTLIST index 00fbe447..b666a0ef 100644 --- a/tests/TESTLIST +++ b/tests/TESTLIST @@ -93,6 +93,9 @@ e1000g e1000g.pcap e1000g.out # IPX/Netware packets ipx ipx.pcap ipx.out +# IPX/Netware invalid +ipx-invalid-length ipx-invalid-length.pcap ipx-invalid-length.out + # IETF FORCES WG packets and printer forces01 forces1.pcap forces1.out forces01vvv forces1.pcap forces1vvv.out -v -v -v diff --git a/tests/ipx-invalid-length.out b/tests/ipx-invalid-length.out new file mode 100644 index 00000000..2904e8f9 --- /dev/null +++ b/tests/ipx-invalid-length.out @@ -0,0 +1 @@ + 1 16:41:40.226660 IPX 0a8808aa.00:00:00:00:00:01.0451 > 8dc23c00.18:00:3e:2b:68:56.402b: [length 29 < 30] (invalid) 
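Review bot: The added guard in `ipx_print` covers only the lower bound. The context line `length = EXTRACT_BE_U_2(ipx->length);` overwrites the caller-supplied `length` with the value from the packet header, so a header field larger than the enclosing payload is never compared with what the caller reported and still reaches `ipx_decode(ndo, ipx, p + ipxSize, length - ipxSize)`. Whether that is harmless depends on every sub-printer bounds-checking its own reads, which this hunk does not show. Consider reading the field into its own variable, e.g. `u_int ipx_length = EXTRACT_BE_U_2(ipx->length);`, and flagging or clamping with `if (ipx_length > length)` before the decode call, plus a short comment that the header length is untrusted. The declarations and the `trunc:` handler of `ipx_print` lie outside the hunk.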
diff --git a/tests/ipx-invalid-length.pcap b/tests/ipx-invalid-length.pcap new file mode 100644 index 0000000000000000000000000000000000000000..c65e47aeeaf5c74e816edbefaef21d3d753dd8a8 GIT binary patch literal 100 zcmca|c+)~A1{MYw`2U}Qff2}Y`L)A7rIeY$2FM0s4hB2zj4%df_lH_#44MxfFas6J kG6?n_vSE+_OF3wBb#SZ#8^g#FXl#7Ij*;;yPzewK0J=dIvH$=8 literal 0 HcmV?d00001 -- 2.39.5