Commit Graph

366 Commits

Author SHA1 Message Date
Guy Harris
e0a5a02b0f CVE-2017-13039/IKEv1: Do more bounds checking.
Have ikev1_attrmap_print() and ikev1_attr_print() do full bounds
checking, and return null on a bounds overflow.  Have their callers
check for a null return.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
7335163a6e CVE-2017-13038/PPP: Do bounds checking.
This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter.

Add a test using the capture file supplied by Katie Holly.
2017-09-13 12:25:44 +01:00
Guy Harris
2c2cfbd2b7 CVE-2017-13037/IP: Add bounds checks when printing time stamp options.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
c2f3b23b02 IPv6 mobility: Add another test.
Add a test using the capture file supplied by Bhargava Shastry, modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
ff3bcafccf PIM: Add another test.
Add a test using the capture file supplied by Bhargava Shastry, modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Francois-Xavier Le Bail
88b2dac837 CVE-2017-13036/OSPFv3: Add a bounds check before fetching data
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
571a6f33f4 CVE-2017-13035/Properly handle IS-IS IDs shorter than a system ID (MAC address).
Some of them are variable-length, with a field giving the total length,
and therefore they can be shorter than 6 octets.  If one is, don't run
past the end.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
da6f1a677b CVE-2017-13034/PGM: Add a bounds check.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.

Move a return to make the code a bit cleaner (i.e., make it more obvious
that if we don't have enough of the PGM header, we just print the source
and destination IP addresses, mark it as incomplete PGM, and don't try
to look at the PGM header).
2017-09-13 12:25:44 +01:00
Guy Harris
fe5ad997c4 IPv6 mobility: Add another test.
Add a test using the capture file supplied by Bhargava Shastry, modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
ae83295915 CVE-2017-13033/VTP: Add more bound and length checks.
This fixes a buffer over-read discovered by Bhargava Shastry.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.

Update another VTP test's .out file for this change.

Don't treate a TLV type or length of 0 as invalid; a type of 0 should
just be reported as illegal if that type isn't used, and the length is
the length of the *value*, not the length of the entire TLV, so if it's
zero there won't be an infinite loop.  (It's still not *legal*, as the
values of all the TLVs we handle are 1 16-bit word long; we added a
check for that.)

Update some comments while we're at it, to give a new URL for one Cisco
page and a non-Cisco URL for another former Cisco page (Cisco's UniverCD
pages don't seem to be available any more, and Cisco's robots.txt file
didn't allow the Wayback Machine to archive it).
2017-09-13 12:25:44 +01:00
Guy Harris
e0d8ee5714 IPv6 mobility: Add another test.
Add a test using the capture file supplied by Bhargava Shastry, modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
d692d67332 CVE-2017-13020/VTP: Add another test.
A capture file supplied by Bhargava Shastry, modified so the capture
file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
66e22961b3 CVE-2017-13028/BOOTP: Add another test.
A capture file supplied by Bhargava Shastry, modified so the capture
file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
1bc78d795c CVE-2017-13032/RADIUS: Check whether a byte exists before testing its value.
Reverse the test in a for loop to test the length before testing whether
we have a null byte.

This fixes a buffer over-read discovered by Bhargava Shastry.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.

Clean up other length tests while we're at it.
2017-09-13 12:25:44 +01:00
Guy Harris
0f1735981d PGM: Add another test.
Add a test using the capture file supplied by Bhargava Shastry, modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
2d669862df CVE-2017-13031/Check for the presence of the entire IPv6 fragment header.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.

Clean up some whitespace in tests/TESTLIST while we're at it.
2017-09-13 12:25:44 +01:00
Guy Harris
eb8c0d4636 PIM: Add another test.
Add a test using the capture file supplied by Bhargava Shastry, modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
1059786ba6 IPv6 mobility: Add another test.
Add a test using the capture file supplied by Bhargava Shastry, modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
6c9fa7f834 PIM: Add another test.
Add a test using the capture file supplied by Bhargava Shastry, modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
5dc1860d82 CVE-2017-13030/PIM: Redo bounds checks and add length checks.
Use ND_TCHECK macros to do bounds checking, and add length checks before
the bounds checks.

Add a bounds check that the review process found was missing.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.

Update one test output file to reflect the changes.
2017-09-13 12:25:44 +01:00
Guy Harris
7029d15f14 CVE-2017-13029/PPP: Fix a bounds check, and clean up other bounds checks.
For configuration protocol options, use ND_TCHECK() and
ND_TCHECK_nBITS() macros, passing them the appropriate pointer argument.
This fixes one case where the ND_TCHECK2() call they replace was not
checking enough bytes.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Francois-Xavier Le Bail
29e5470e6a CVE-2017-13028/BOOTP: Add a bounds check before fetching data
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't cause 'tcpdump: pcap_loop: truncated dump file'
2017-09-13 12:25:44 +01:00
Guy Harris
a77ff09c46 CVE-2017-13027/LLDP: Fix a bounds check.
The total length of the OID is the OID length plus the length of the OID
length itself.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
b20e1639db CVE-2017-13026/IS-IS: Clean up processing of subTLVs.
Add bounds checks, do a common check to make sure we captured the entire
subTLV, add checks to make sure the subTLV fits within the TLV.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add tests using the capture files supplied by the reporter(s), modified
so the capture files won't be rejected as an invalid capture.

Update existing tests for changes to IS-IS dissector.
2017-09-13 12:25:44 +01:00
Francois-Xavier Le Bail
2e1f6d9320 CVE-2017-13024/IPv6 mobility: Add another test for a previous bounds check fix
This is another capture file supplied by Bhargava Shastry, modified
so the capture file won't cause 'tcpdump: pcap_loop: truncated dump file'
2017-09-13 12:25:44 +01:00
Francois-Xavier Le Bail
5338aac7b8 CVE-2017-13025/IPv6 mobility: Add a bounds check before fetching data
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't cause 'tcpdump: pcap_loop: truncated dump file'
2017-09-13 12:25:44 +01:00
Francois-Xavier Le Bail
7d3aba9f06 CVE-2017-13024/IPv6 mobility: Add a bounds check before fetching data
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't cause 'tcpdump: pcap_loop: truncated dump file'
2017-09-13 12:25:44 +01:00
Francois-Xavier Le Bail
b8e559afae CVE-2017-13023/IPv6 mobility: Add a bounds check before fetching data
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't cause 'tcpdump: pcap_loop: truncated dump file'
2017-09-13 12:25:44 +01:00
Guy Harris
eee0b04bcf CVE-2017-13022/IP: Add bounds checks to ip_printroute().
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
67c7126062 CVE-2017-13021/ICMP6: Add a missing bounds check.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
c5dd7bef5e CVE-2017-13020/VTP: Add some missing bounds checks.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
4601c685e7 CVE-2017-13019: Clean up PGM option processing.
Add #defines for option lengths or the lengths of the fixed-length part
of the option.  Sometimes those #defines differ from what was there
before; what was there before was wrong, probably because the option
lengths given in RFC 3208 were sometimes wrong - some lengths included
the length of the option header, some lengths didn't.

Don't use "sizeof(uintXX_t)" for sizes in the packet, just use the
number of bytes directly.

For the options that include an IPv4 or IPv6 address, check the option
length against the length of what precedes the address before fetching
any of that data.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
26a6799b9c CVE-2017-13018/PGM: Add a missing bounds check.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
11b426ee05 CVE-2017-13017/DHCPv6: Add a missing option length check.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
c177cb3800 CVE-2017-13016/ES-IS: Fix printing of addresses in RD PDUs.
Always print the SNPA, and flag it as such; only print it as a MAC
address if it's 6 bytes long.

Identify the NET as such.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add tests using the capture files supplied by the reporter(s), modified
so the capture files won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
9851220811 CVE-2017-13015/EAP: Add more bounds checks.
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
cc356512f5 CVE-2017-13014/White Board: Do more bounds checks.
This fixes a buffer over-read discovered by Yannick Formaggio.

Add a test using the capture file supplied by the reporter(s).

While we're at it, print a truncation error if the packets are
truncated, rather than just, in effect, ignoring the result of the
routines that print particular packet types.
2017-09-13 12:25:44 +01:00
Guy Harris
13ab8d1861 CVE-2017-13013/ARP: Fix printing of ARP protocol addresses.
If the protocol type isn't ETHERTYPE_IP or ETHERTYPE_TRAIL, or if the
protocol address length isn't 4, don't print the address as an IPv4 address.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.

Update another test file's tcpdump output to reflect this change.
2017-09-13 12:25:44 +01:00
Guy Harris
8509ef02ec CVE-2017-13012/ICMP: Add a missing bounds check.
Check before fetching the length from the included packet's IPv4 header.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
9f0730bee3 CVE-2017-13011/Properly check for buffer overflow in bittok2str_internal().
Also, make the buffer bigger.

This fixes a buffer overflow discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
2017-09-13 12:25:44 +01:00
Guy Harris
877b66b398 CVE-2017-13010/BEEP: Do bounds checking when comparing strings.
This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
db8c799f6d CVE-2017-13009/IPv6 mobility: Add a bounds check.
This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter.

Add a test using the capture file supplied by the reporter(s).

While we're at it:

Add a comment giving the RFC for IPv6 mobility headers.

Clean up some bounds checks to make it clearer what they're checking, by
matching the subsequent EXTRACT_ calls or memcpy.

For the binding update, if none of the flag bits are set, don't check
the individual flag bits.
2017-09-13 12:25:44 +01:00
Guy Harris
5edf405d7e CVE-2017-13008/IEEE 802.11: Fix TIM bitmap copy to copy from p + offset.
offset has already been advanced to point to the bitmap; we shouldn't
add the amount to advance again.

This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter.

Add a test using the capture file supplied by the reporter(s).

While we're at it, remove some redundant tests - we've already checked,
before the case statement, whether we have captured the entire
information element and whether the entire information element is
present in the on-the-wire packet; in the cases for particular IEs, we
only need to make sure we don't go past the end of the IE.
2017-09-13 12:25:44 +01:00
Guy Harris
ca336198e8 CVE-2017-13007/PKTAP: Pass a properly updated struct pcap_pkthdr to the sub-dissector.
The sub-dissector expects that the length and captured length will
reflect the actual remaining data in the packet, not the raw amount
including the PKTAP header; pass an updated header, just as we do for
PPI.

This fixes a buffer over-read discovered by Yannick Formaggio.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
cc4a7391c6 CVE-2017-13006/L2TP: Check whether an AVP's content exceeds the AVP length.
It's not good enough to check whether all the data specified by the AVP
length was captured - you also have to check whether that length is
large enough for all the required data in the AVP.

This fixes a buffer over-read discovered by Yannick Formaggio.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
4e430c6b0d CVE-2017-12896/ISAKMP: Add another test.
This is from Brian Carpenter for the print-isakmp bug fix.
2017-09-13 12:25:44 +01:00
Guy Harris
f96003b21e CVE-2017-12899/DECnet: Add another test.
This is from Brian Carpenter for the print-decnet bug fix.
2017-09-13 12:25:44 +01:00
Francois-Xavier Le Bail
b45a9a167c CVE-2017-13005/NFS: Add two bounds checks before fetching data
This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
35d146b7a6 CVE-2017-13004/Juniper: Add a capture file.
File from Kamil Frankowicz testing an existing fix.

(Same problem, and same fix, as the recent Juniper fixes.)
2017-09-13 12:25:44 +01:00
Guy Harris
42073d54c5 CVE-2017-13004/Juniper: Add a bounds check.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add tests using the capture files supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
a25211918f CVE-2017-13003/Clean up the LMP dissector.
Do a lot more bounds and length checks.

Add a EXTRACT_8BITS() macro, for completeness, and so as not to confuse
people into thinking that, to fetch a 1-byte value from a packet, they
need to use EXTRACT_16BITS() to fetch a 2-byte value and then use
shifting and masking to extract the desired byte.  Use that rather than
using EXTRACT_16BITS() to fetch a 2-byte value and then shifting and
masking to extract the desired byte.

Don't treat IPv4 addresses and unnumbered interface IDs the same; the
first should be printed as an IPv4 address but the latter should just be
printed as numbers.  Handle IPv6 addresses in more object types while
we're at it.

This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
cbddb98484 CVE-2017-13002/AODV: Add some missing bounds checks.
In aodv_extension() do a bounds check on the extension header before we
look at it.

This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by the reporter(s).

While we're at it, add the RFC number, and check the validity of the
length for the Hello extension.
2017-09-13 12:25:44 +01:00
Guy Harris
7a923447fd CVE-2017-13001/NFS: Don't copy more data than is in the file handle.
Also, put the buffer on the stack; no reason to make it static.  (65
bytes isn't a lot.)

This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
8512734883 CVE-2017-13000/IEEE 802.15.4: Fix bug introduced two fixes prior.
We've already advanced the pointer past the PAN ID, if present; it now
points to the address, so don't add 2 to it.

This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
a7e5f58f40 CVE-2017-13000/IEEE 802.15.4: Fix bug introduced by previous fix.
We've already advanced the pointer past the PAN ID, if present; it now
points to the address, so don't add 2 to it.

This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
9be4e0b593 CVE-2017-13000/IEEE 802.15.4: Add more bounds checks.
While we're at it, add a bunch of macros for the frame control field's
subfields, have the reserved frame types show the frame type value, use
the same code path for processing source and destination addresses
regardless of whether -v was specified (just leave out the addresses in
non-verbose mode), and return the header length in all cases.

This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add tests using the capture files supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
c7c515ee03 CVE-2017-13725/IPv6 R.H.: Add a capture file.
This is from Kamil Frankowicz testing an existing fix.

This is a test for the print-rt6.c fix I made after inspecting the code.
2017-09-13 12:25:44 +01:00
Guy Harris
6fca58f5f9 CVE-2017-12996/PIMv2: Make sure PIM TLVs have the right length.
We do bounds checks based on the TLV length, so if the TLV's length is
too short, and we don't check for that, we could end up fetching data
past the end of the TLV - including past the length of the captured data
in the packet.

This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add tests using the capture files supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
34cec721d3 CVE-2017-12997/LLDP: Don't use an 8-bit loop counter.
If you have a

	for (i = 0; i < N; i++)

loop, you'd better make sure that i is big enough to hold N - not N-1,
N.

The TLV length here is 9 bits long, not 8 bits long, so an 8-bit loop
counter will overflow and you can loop infinitely.

This fixes an infinite loop discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add tests using the capture files supplied by the reporter(s).

Clean up the output a bit while we're at it.
2017-09-13 12:25:44 +01:00
Guy Harris
979dcefd7b CVE-2017-12998/IS-IS: Check for 2 bytes if we're going to fetch 2 bytes.
Probably a copy-and-pasteo.

This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
3b32029db3 CVE-2017-12999/IS-IS: Add a missing length check.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add tests using the capture files supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
777edc563a Further fix the fix to CVE-2017-5485.
1) Take the length of the NSAP into account.  Otherwise, if, in our
search of the hash table, we come across a byte string that's shorter
than the string we're looking for, we'll search past the end of the
string in the hash table.

2) The first byte of the byte string in the table is the length of the
NSAP, with the byte *after* that being the first byte of the NSAP, but
the first byte of the byte string passed into lookup_nsap() is the first
byte of the NSAP, with the length passed in as a separate argument.  Do
the comparison correctly.

This fixes a vulnerability discovered by Kamil Frankowicz.

Add a test using the capture file supplied by the reporter(s).

While we're at it, clean up the fix to lookup_bytestring():

1) Get rid of an unused structure member and an unused #define.

2) Get rid of an incorrect "+ 1" when calculating the size of the byte
array to allocate - that was left over from the NSAP table, where the
length was guaranteed to fit in 1 byte and we used the first byte of the
array to hold the length of the rest of the array.
2017-09-13 12:25:44 +01:00
Guy Harris
3a76fd7c95 CVE-2017-12995/Check for DNS compression pointers that don't point backwards.
This is what BIND 9.11.0-P2 does; it not only detects pointers that
loop, as "point backwards" means "point before anything we've processed
so far, including what we're processing right now", so the pointer can't
point to itself (as that's what we're processing right now).

This fixes an infinite loop discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add a test using the capture file supplied by the reporter(s).

Also, add some infinite-pointer-loop captures.

More checks should be done.  We might, for example, want to make sure
the upper 2 bits of the label length/pointer byte are 00 or 11, and that
if we encounter a pointer and jump backwards to what we think is a label
the label ends before the beginning of the last label we processed, to
make sure the pointer doesn't point backwards into the *middle* of a
label, and also make sure the entire name is <= 255 bytes long.
2017-09-13 12:25:44 +01:00
Guy Harris
866c60236c CVE-2017-13687/CHDLC: Add a test.
This is for the fix made a few commits before, which had no tests.

Add a test using the capture file supplied by Kamil Frankowicz.
2017-09-13 12:25:44 +01:00
Denis Ovsienko
d6ba8dc548 Split bgp-aigp-oobr into two custom tests too.
For the same reason as for bgp-as-path-oobr (TCP-MD5).
2017-09-13 12:25:44 +01:00
Guy Harris
ffde45acf3 CVE-2017-12994/BGP: Move a test inside a loop.
The loop can be executed more than once (that's kinda the whole point of
a loop), so the check has to be made each time through the loop, not
just once before the loop is executed.

Do some additional length checks while we're at it.

This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
6ec0c6fa63 CVE-2017-12902/Zephyr: Add an additional test.
File from Kamil Frankowicz.
2017-09-13 12:25:44 +01:00
Guy Harris
b534e30456 CVE-2017-12993/Juniper: Add more bounds checks.
This fixes a buffer over-read discovered by Kamil Frankowicz.

Add tests using the capture files supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Denis Ovsienko
d3aae71930 Split bgp-as-path-oobr into two custom tests.
tcpdump printout for TCP-MD5 is different depending on whether it was
compiled with or without the crypto support. This means a standard test
with TCP-MD5 will always fail at least one of the cases (with and
without). Replace the standard test with two custom tests and run that
test that should pass but skip the other.
2017-09-13 12:25:44 +01:00
Guy Harris
e942fb84fb CVE-2017-12992/RIPng: Clean up bounds checking.
Do bounds checking as we access items.

Scan the list of netinfo6 entries based on the supplied packet length,
without taking the captured length into account; let the aforementioned
bounds checking handle that.

This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
db24063b01 CVE-2017-12989/RESP: Make sure resp_get_length() advances the pointer for invalid lengths.
Make sure that it always sends *endp before returning and that, for
invalid lengths where we don't like a character in the length string,
what it sets *endp to is past the character in question, so we don't
run the risk of infinitely looping (or doing something else random) if a
character in the length is invalid.

This fixes an infinite loop discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
2ecb9d2c67 CVE-2017-12987/Another test for the TIM IE bug, from Kamil Frankowicz. 2017-09-13 12:25:44 +01:00
Guy Harris
8934a7d630 CVE-2017-12988/TELNET: Add a missing bounds check.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
c2ef693866 CVE-2017-12990/Fix printing of ISAKMPv1 Notification payload data.
The closest thing to a specification for the contents of the payload
data is draft-ietf-ipsec-notifymsg-04, and nothing in there says that it
is ever a complete ISAKMP message, so don't dissect types we don't have
specific code for as a complete ISAKMP message.

While we're at it, fix a comment, and clean up printing of V1 Nonce,
V2 Authentication payloads, and v2 Notice payloads.

This fixes an infinite loop discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
50a44b6b8e CVE-2017-12991/BGP: Add missing bounds check.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
99798bd9a4 CVE-2017-12987/IEEE 802.11: Fix processing of TIM IE.
The arguments to memcpy() were completely wrong.

This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by Brian 'geeknik' Carpenter.
2017-09-13 12:25:44 +01:00
Guy Harris
d17507ffa3 CVE-2017-12902/Zephyr: Fix bounds checking.
Use ND_TTEST() rather than comparing against ndo->ndo_snapend ourselves;
it's easy to get the tests wrong.

Check for running out of packet data before checking for running out of
captured data, and distinguish between running out of packet data (which
might just mean "no more strings") and running out of captured data
(which means "truncated").

This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
de981e6070 CVE-2017-12901/EIGRP: Do more length checks.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
7ac73d6cd4 CVE-2017-12986/IPv6 R.H.: Update to reflect the actual IPv6 RFC.
In RFC 1883, the Type 0 routing header had a 1-byte reserved field and a
3-byte strict/loose bit map; in RFC 2460, that changed to a 4-byte
reserved field.

This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter (by
making an ND_TCHECK() call check for the presence in the captured data
of all 4 bytes of the reserved field; we were printing it as a 4-byte
field, so we needed to check for them).

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
66df248b49 CVE-2017-12985/IPv6: Check for print routines returning -1 when running past the end.
rt6_print(), ah_print(), and esp_print() return -1 if they run up
against the end of the packet while dissecting; if that happens, stop
dissecting, don't try to fetch the next header value, because 1) *it*
might be past the end of the packet and 2) we won't be using it in any
case, as we'll be exiting the loop.

Also, change mobility_print() to return -1 if it runs up against the
end of the packet, and stop dissecting if it does so.

This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter.

Add tests using the capture files supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
0318fa8b61 CVE-2017-12900/Properly terminate all struct tok arrays.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add tests using the capture files supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
2b62d1dda4 CVE-2017-12895/ICMP: Check the availability of data before checksumming it.
This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add tests using the capture files supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
730fc35968 CVE-2017-12894/In lookup_bytestring(), take the length of the byte string into account.
Otherwise, if, in our search of the hash table, we come across a byte
string that's shorter than the string we're looking for, we'll search
past the end of the string in the hash table.

This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
6f5ba2b651 CVE-2017-12893/SMB/CIFS: Add a bounds check in name_len().
After we advance the pointer by the length value in the buffer, make
sure it points to something in the captured data.

This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
c6e0531b5d CVE-2017-12899/DECnet: Fix bounds checking.
If we're skipping over padding before the *real* flags, check whether
the real flags are in the captured data before fetching it.  This fixes
a buffer over-read discovered by Kamil Frankowicz.

Note one place where we don't need to do bounds checking as it's already
been done.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
19d25dd878 CVE-2017-12898/NFS: Fix bounds checking.
Fix the bounds checking for the NFSv3 WRITE procedure to check whether the
length of the opaque data being written is present in the captured data,
not just whether the byte count is present in the captured data.
furthest forward in the packet, not the item before it.  (This also lets
us eliminate the check for the "stable" argument being present in the
captured data; rewrite the code to print that to make it a bit clearer.)

Check that the entire ar_stat field is present in the capture.

Note that parse_wcc_attr() is called after we've already checked whether
the wcc_data is present.

Check before fetching the "access" part of the NFSv3 ACCESS results.
This fixes a buffer over-read discovered by Kamil Frankowicz.

Include a test for the "check before fetching the "access" part..." fix,
using the capture supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
1dcd10acea CVE-2017-12897/ISO CLNS: Use ND_TTEST() for the bounds checks in isoclns_print().
This fixes a buffer over-read discovered by Kamil Frankowicz.

Don't pass the remaining caplen - that's too hard to get right, and we
were getting it wrong in at least one case; just use ND_TTEST().

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
f76e7feb41 CVE-2017-12896/ISAKMP: Do bounds checks in isakmp_rfc3948_print().
This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by the reporter(s).
2017-09-13 12:25:44 +01:00
Guy Harris
7039327875 CVE-2017-11543/Make sure the SLIP direction octet is valid.
Report if it's not, and don't use it as an out-of-bounds index into an
array.

This fixes a buffer overflow discovered by Wilfried Kirsch.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.
2017-09-02 21:36:44 +01:00
Guy Harris
21d702a136 CVE-2017-11541: In safeputs(), check the length before checking for a NUL terminator.
safeputs() doesn't do packet bounds checking of its own; it assumes that
the caller has checked the availability in the packet data of all maxlen
bytes of data.  This means we should check that we're within the
specified limit before looking at the byte.

This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by the reporter(s).
2017-09-02 21:36:44 +01:00
Guy Harris
bed48062a6 CVE-2017-11542/PIMv1: Add a bounds check.
This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by the reporter(s).
2017-09-02 21:36:44 +01:00
Guy Harris
d9e65de3d9 CVE-2017-11108/Fix bounds checking for STP.
Check whether the flags are in the captured data before printing them in
an MSTP BPDU.

Check whether V4 length is in the captured data before fetching it.
This fixes a vulnerability discovered by Kamil Frankowicz.

Include a test for the "check whether the V4 length is..." fix, using
the capture supplied by Kamil Frankowicz.
2017-07-22 23:57:42 +01:00
Guy Harris
27634837cc Force -t on in TESTonce.
These tests may be performed in an arbitrary time zone, so they *must*
run tcpdump with an option to print the time in a time-zone-independent
fashion.  Force -t on in TESTonce, just as we do for -n, and remove it
from TESTLIST and the conditional test scripts.
2017-07-01 23:17:02 +01:00
Job Snijders
edf4c90c34 Add support to decode a BGP Shutdown Communication
The draft-ietf-idr-shutdown-07 document specifies a mechanism to
transmit a short free form UTF-8 [RFC3629] message as part of a Cease
NOTIFICATION message [RFC4486] to inform the peer why the BGP session is
being shutdown or reset.

Hat tip to Peter van Dijk <peter.van.dijk@powerdns.com>
2017-04-17 14:46:38 +02:00
Steven H. Wang
99f6d01b24 add NSH ethertype
https://tools.ietf.org/html/draft-ietf-sfc-nsh-12#section-12.1
2017-04-02 09:08:17 +01:00
Francois-Xavier Le Bail
12d939c3e9 The option -n is useless in TESTLIST
This option is already set in TESTonce.
2017-01-18 09:16:42 +01:00
Denis Ovsienko
77b9208db0 CVE-2017-5205/add a test case
The .pcap file comes from Francois-Xavier Le Bail.
2017-01-18 09:16:42 +01:00
Denis Ovsienko
f152c1268f CVE-2017-5485/add the test case 2017-01-18 09:16:42 +01:00
Denis Ovsienko
d07f724227 CVE-2017-5486/add the test case 2017-01-18 09:16:42 +01:00
Denis Ovsienko
5d214e36ee CVE-2017-5484/ATM: fix an incorrect bounds check
The function sig_print() did receive a correct caplen parameter value
but didn't use it correctly and could overread by one byte as Brian
Carpenter has demonstrated. Fix it by switching to the standard macros.
2017-01-18 09:16:42 +01:00
Denis Ovsienko
eec1624f7b CVE-2017-5483/SNMP: improve ASN.1 bounds checks
Kamil Frankowicz had found that truncated BE_STR and BE_SEQ ASN.1
elements could lead to an overread, from the source code it looked like
other ids could have this problem too. Move the checks introduced in
commit 72e501f out of the switch blocks to cover all ids by default.
This fixes GH#559 and GH#566.
2017-01-18 09:16:41 +01:00
Denis Ovsienko
c39c1d99ac CVE-2017-5482/Q.933: add a missing bounds check
Brian Carpenter had found that regardless of CVE-2016-8575 q933_print()
still could overread the buffer trying to parse a short packet. This
change fixes the problem.
2017-01-18 09:16:41 +01:00
Denis Ovsienko
0db4dcafe5 CVE-2017-5342/pass correct caplen value to ether_print()
In that function the "length" parameter means off-the-wire length, that
is, the length declared inside the outer header. The "caplen" parameter
means the amount of bytes actually available in the captured packet.

gre_print_0() and the functions modelled after it passed the value of
"length" instead of the value of "caplen", this could make ether_print()
access beyond the memory allocated for the captured packet. Brian
Carpenter had demonstrated this for the OTV case.

Fix the involved functions that call ether_print() to pass the correct
value and leave a comment to dismiss "caplen" later as its value can be
reliably derived from the other ether_print() parameters.
2017-01-18 09:16:41 +01:00
Denis Ovsienko
409ffe9452 CVE-2017-5341/OTV: add missing bounds checks
Interleave the bounds checking with printing to make it visible which
last protocol field was OK. This fixes a vulnerability discovered by
Brian Carpenter.
2017-01-18 09:16:41 +01:00
Denis Ovsienko
d6913f7e3f CVE-2017-5204/IPv6: fix header printing
Add a few checks to ip6_print() to make it stop decoding the IPv6
headers immediately when the header-specific functions signal an error
condition. Without this it tried to fetch the next header selector for
the next round regardless and could run outside of the allocated packet
space on a specially crafted IPv6 packet.

Brian Carpenter has demonstrated this for the Hop-by-Hop Options header.
Fix that specific case and also the Destination Options and Fragment
header processing as those use the same logic.
2017-01-18 09:16:41 +01:00
Denis Ovsienko
6b09339831 TCP: add a test case for the previous commit
The SCPS TCP option is malformed as discussed in GitHub issue #516 and
is printed as such. The .pcap file was contributed by Patrik Lundquist.
2017-01-18 09:16:41 +01:00
Francois-Xavier Le Bail
c37100fd4c Add a test file for a previous fix
Fix was: "Don't overflow the Opaque_Handle buffer."
2017-01-18 09:16:40 +01:00
Guy Harris
ce9bc5af51 Tests for Frame Relay problems.
The problems were found by Hanno Böck with American Fuzzy Lop.
2017-01-18 09:16:39 +01:00
Francois-Xavier Le Bail
81c7798d00 ISOCLNS: Manage a test as GCC-specific 2017-01-18 09:16:39 +01:00
Francois-Xavier Le Bail
266489c6c9 Add a test file for a previous fix
Fix was: "OSPF: Fix a segmentation fault"
(commit 046f10da38)
2017-01-18 09:16:39 +01:00
Francois-Xavier Le Bail
b3c215000f Add a test file for a previous fix
Fix was: "UDLD: Fix an infinite loop"
(commit 9759a5bc71)
2017-01-18 09:16:39 +01:00
Francois-Xavier Le Bail
cb922d07cc CVE-2016-7934,7935,7937/RTP: Fix two segmentation faults
Add two test files for these fixes.
Add more bounds checks in VAT, RTP and RTCP printers.

Moreover:
Add and use *_tstr[] strings.
Update the output of a test accordingly.
Remove spaces before tabs.
2017-01-18 09:16:39 +01:00
Francois-Xavier Le Bail
8343c39e2f Add a test file for the previous fix 2017-01-18 09:16:39 +01:00
Francois-Xavier Le Bail
5cb03afb57 STP: Filter out non-printable characters
Use fn_printzp().

Moreover:
Add a missing comma in output.
Use ND_TCHECK_32BITS instead of ND_TTEST_32BITS.
Add a test for spb_bpduv4.pcap with verbose output.
2017-01-18 09:16:38 +01:00
Francois-Xavier Le Bail
51557701bf Add a test file for a previous fix
Fix was: "ISOCLNS: Fix a segmentation fault"
(commit be8e9c9dea)
2017-01-18 09:16:38 +01:00
Francois-Xavier Le Bail
54c0c24b22 Add test files for a previous fix
Fix was: "ISOCLNS: Fix two segmentation faults"
(commit 8db57a4b90)

Moreover:
group together IS-IS tests.
Fix typos.
2017-01-18 09:16:38 +01:00
Francois-Xavier Le Bail
3fea8eb0be Add test file for a previous fix
Fix was: "RSVP: Fix an infinite loop"
(commit d7d269e8c6)
2017-01-18 09:16:38 +01:00
Guy Harris
07a361befe Tests for the relts changes. 2017-01-18 09:16:38 +01:00
Guy Harris
7bf069c251 CVE-2016-7983,7984/Don't use strchr() to scan packet data.
It can't be told to stop at the end of the packet data.  Add a
fn_printztn() that prints null-terminated strings, with a length check,
and which returns the number of bytes processed, or 0 if we ran out of
data.  That means it does the scanning we need, but safely.

Use it in the TFTP and BOOTP printers.

Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:37 +01:00
Guy Harris
5e48a55754 CVE-2016-7929/Make sure a Juniper header TLV isn't bigger than what's left in the packet.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:37 +01:00
Guy Harris
64f6392084 CVE-2016-7923/Don't assume the target hardware address is <= 6 octets long.
It might not be, either because an unusual hardware type is using ARP or
because a maliciously-constructed packet was sent.  Instead of comparing
against a 6-octet string of zeros with memcmp(), check each octet of the
address against 0.

Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:37 +01:00
Guy Harris
968776fbf5 CVE-2016-7940/Add a bunch of bounds checks, and fix some printing.
The bounds checks fix some heap overflows found with American Fuzzy Lop
by Hanno Böck.

Add some ND_TTEST_/ND_TCHECK_ macros to extract.h to simplify writing
bounds checks for code that uses the other macros in that file.

Fix the printing of the SPB BPDU agreement digest - I don't think the
intent was to print the value of the first 4 bytes, that value + 4, that
value + 8, etc., I suspect it was to print the first 4 bytes, the next 4
bytes, etc..
2017-01-18 09:16:37 +01:00
Guy Harris
e8a7716282 CVE-2016-7974/Don't try to dissect something with other than 4 as the IP version.
Bad Things could happen, e.g. the dissector we call thinking it's been
handed an IPv6 header when we haven't handed it anything that large.

Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.

Update some .out files to correspond to that change.
2017-01-18 09:16:37 +01:00
Guy Harris
69ead2a09c CVE-2016-7931/Add bounds and length checks.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:36 +01:00
Guy Harris
b56aab3862 CVE-2016-7973/Add bounds and length checks.
Fixes heap overflows found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:36 +01:00
Guy Harris
cb696b8e91 CVE-2016-7936/Add a bounds check.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:36 +01:00
Guy Harris
9845aa1860 CVE-2016-7930/Add a bounds check.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:36 +01:00
Guy Harris
a36c495ef4 CVE-2016-7928/Check whether we have the CPI before we fetch it.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:36 +01:00
Guy Harris
ec88d36bcd CVE-2016-7975/Make sure we have the data offset field before fetching it.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:36 +01:00
Guy Harris
d9dbb118f2 CVE-2016-7924/Add some bounds checks.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.

Also, get rid of the return value for oam_print(), as it's not used and
not useful.
2017-01-18 09:16:36 +01:00
Guy Harris
6b8ed9649e CVE-2016-7975/Fix another bounds check.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:36 +01:00
Guy Harris
8be5413f3a CVE-2016-7926/Do some additional bounds checking before calling isoclns_print().
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:36 +01:00
Guy Harris
da946bdc6c CVE-2016-7927/Do bounds checking on last_presentp before dereferencing it.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:36 +01:00
Guy Harris
6bc44295cf CVE-2016-7985,7986/Change the way protocols print link-layer addresses.
If a protocol that runs under a link-layer protocol would print the
link-layer addresses for the packet as source and destination addresses
for the packet, don't have it blithely assume those link-layer addresses
are present or are at a particular offset from the beginning of that
protocol's data; Ethertypes, for example, are used by a number of
protocols, not all of which have Ethernet headers and not all of which
have any MAC headers.

Instead, pass the printers for those protocols structures with a pointer
to the address data and a pointer to a routine that prints the address.

Fixes some heap overflows found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:36 +01:00
Guy Harris
237efcf593 CVE-2016-7939/Add some bounds checks.
Fixes heap overflows found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:36 +01:00
Guy Harris
3e00e6a4b8 CVE-2016-7975/Fix a bounds check.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:35 +01:00
Guy Harris
df259cada3 CVE-2016-7932/Add some bounds checking.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:35 +01:00
Guy Harris
3998839886 CVE-2016-7974/Add an additional bounds check.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:35 +01:00
Guy Harris
c4744fc29a CVE-2016-7925/Add more bounds checks.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:35 +01:00
Guy Harris
f6ae2501fe CVE-2016-7933/Add some bounds checks.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:35 +01:00
Guy Harris
b3d1e972e0 Another test for the print-atalk.c fix. 2017-01-18 09:16:35 +01:00
Guy Harris
5356a9ea69 CVE-2016-7973/Add some bounds checks.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:35 +01:00
Guy Harris
4ef024c8e9 CVE-2016-7992/When comparing against an LLC+SNAP header, check only the bytes we have.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.

Fix a length value to be unsigned while we're at it.
2017-01-18 09:16:35 +01:00
Guy Harris
98f666f243 CVE-2016-7974/Check before fetching the IP protocol version.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
2017-01-18 09:16:35 +01:00
Denis Ovsienko
b39c831bf2 Revert "TCP: add a test case for the previous commit"
This reverts commit cfb06c27a2.
2017-01-18 09:16:35 +01:00
Eliot Lear
01e8e1485f Implement IANA OUI and LLDP MUD option
The changes associated with this commit introduce the IANA subtree
for LLDP and its first element, the MUDURL, as documented in
draft-ietf-opsawg-mud.  This is similar to the changes made for
DHCP and DHCPv6.

[updated to use fn_printn]
2016-12-31 08:17:55 +01:00
Eliot Lear
38fce5474f Updated to include dhcp-mud tests. 2016-12-08 15:00:03 +01:00
Denis Ovsienko
cfb06c27a2 TCP: add a test case for the previous commit
The SCPS TCP option is malformed as discussed in GitHub issue #516 and
is printed as such. The .pcap file was contributed by Patrik Lundquist.
2016-11-01 15:16:11 +00:00
Michael Haardt
d08a095df2 add a test case for the previous commit 2016-10-16 21:45:22 +01:00
Francois-Xavier Le Bail
151c0cb295 Add a test file for BGP LARGE_COMMUNITY Path Attribute 2016-10-13 11:26:47 +02:00