ethernet{,_test}: fix slice bounds out of range panic found by go-fuz…

…z, add test with crasher
mdlayher · Jul 28, 2015 · da795f9 · da795f9
1 parent c03dde9
commit da795f9
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/ethernet.go b/ethernet.go
@@ -142,8 +142,8 @@ func (f *Frame) UnmarshalBinary(b []byte) error {
 	// values are detected
 	et := EtherType(binary.BigEndian.Uint16(b[n-2 : n]))
 	for ; et == EtherTypeVLAN; n += 4 {
-		// 2 or more bytes must remain for valid VLAN tag
-		if len(b[n:]) < 2 {
+		// 4 or more bytes must remain for valid VLAN tag and EtherType
+		if len(b[n:]) < 4 {
 			return io.ErrUnexpectedEOF
 		}
 

diff --git a/ethernet_test.go b/ethernet_test.go
@@ -153,6 +153,7 @@ func TestFrameUnmarshalBinary(t *testing.T) {
 				0, 0, 0, 0, 0, 0,
 				0x81, 0x00,
 				0xff, 0xff,
+				0x00, 0x00,
 			},
 			err: ErrInvalidVLAN,
 		},
@@ -180,6 +181,11 @@ func TestFrameUnmarshalBinary(t *testing.T) {
 			}, bytes.Repeat([]byte{0}, 37)...),
 			err: io.ErrUnexpectedEOF,
 		},
+		{
+			desc: "go-fuzz crasher: VLAN tag without enough bytes for trailing EtherType",
+			b:    []byte("190734863281\x81\x0032"),
+			err:  io.ErrUnexpectedEOF,
+		},
 		{
 			desc: "0 VLANs detected, but 1 may have been present",
 			b:    bytes.Repeat([]byte{0}, 56),