CVE-2017-11108/Fix bounds checking for STP.

Check whether the flags are in the captured data before printing them in
an MSTP BPDU.

Check whether V4 length is in the captured data before fetching it.
This fixes a vulnerability discovered by Kamil Frankowicz.

Include a test for the "check whether the V4 length is..." fix, using
the capture supplied by Kamil Frankowicz.

print-stp.c

@@ -256,6 +256,7 @@ stp_print_mstp_bpdu(netdissect_options *ndo, const struct stp_bpdu_ *stp_bpdu,
         return 1;
     }
 
+    ND_TCHECK(stp_bpdu->flags);
     ND_PRINT((ndo, "\n\tport-role %s, ",
            tok2str(rstp_obj_port_role_values, "Unknown",
                    RSTP_EXTRACT_PORT_ROLE(stp_bpdu->flags))));
@@ -475,6 +476,7 @@ stp_print(netdissect_options *ndo, const u_char *p, u_int length)
             if (stp_bpdu->protocol_version == STP_PROTO_SPB)
             {
               /* Validate v4 length */
+              ND_TCHECK_16BITS(p + MST_BPDU_VER3_LEN_OFFSET + mstp_len);
               spb_len = EXTRACT_16BITS (p + MST_BPDU_VER3_LEN_OFFSET + mstp_len);
               spb_len += 2;
               if (length < (sizeof(struct stp_bpdu_) + mstp_len + spb_len) ||

tests/TESTLIST

@@ -438,6 +438,7 @@ snmp-heapoverflow-1	snmp-heapoverflow-1.pcap	snmp-heapoverflow-1.out
 snmp-heapoverflow-2	snmp-heapoverflow-2.pcap	snmp-heapoverflow-2.out
 isoclns-heapoverflow-2	isoclns-heapoverflow-2.pcap	isoclns-heapoverflow-2.out	-e -c1
 isoclns-heapoverflow-3	isoclns-heapoverflow-3.pcap	isoclns-heapoverflow-3.out	-e -c1
+stp-v4-length-sigsegv	stp-v4-length-sigsegv.pcap	stp-v4-length-sigsegv.out
 
 # RTP tests
 # fuzzed pcap

tests/stp-v4-length-sigsegv.out

@@ -0,0 +1 @@
+STP 802.1aq, Rapid STP, CIST Flags [Learn, Forward], length 808464415[|stp 808464415]