CVE-2017-11541: In safeputs(), check the length before checking for a NUL terminator.

guyharris · infrastation · commit 21d702a136c5 · 2017-09-02T21:36:44.000+01:00
safeputs() doesn't do packet bounds checking of its own; it assumes that
the caller has checked the availability in the packet data of all maxlen
bytes of data.  This means we should check that we're within the
specified limit before looking at the byte.

This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by the reporter(s).
diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -440,6 +440,7 @@ isoclns-heapoverflow-2	isoclns-heapoverflow-2.pcap	isoclns-heapoverflow-2.out	-e
 isoclns-heapoverflow-3	isoclns-heapoverflow-3.pcap	isoclns-heapoverflow-3.out	-e -c1
 stp-v4-length-sigsegv	stp-v4-length-sigsegv.pcap	stp-v4-length-sigsegv.out
 hoobr_pimv1		hoobr_pimv1.pcap		hoobr_pimv1.out
+hoobr_safeputs		hoobr_safeputs.pcap		hoobr_safeputs.out
 
 # RTP tests
 # fuzzed pcap
diff --git a/tests/hoobr_safeputs.out b/tests/hoobr_safeputs.out
@@ -0,0 +1,2 @@
+LLDP, length 808464418: 0000000000
+	[|LLDP]
diff --git a/tests/hoobr_safeputs.pcap b/tests/hoobr_safeputs.pcap
diff --git a/util-print.c b/util-print.c
@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo,
 {
 	u_int idx = 0;
 
-	while (*s && idx < maxlen) {
+	while (idx < maxlen && *s) {
 		safeputchar(ndo, *s);
 		idx++;
 		s++;

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+LLDP, length 808464418: 0000000000`
	`2`	`+ [\|LLDP]`
Original file line number	Diff line number	Diff line change
`@@ -904,7 +904,7 @@ safeputs(netdissect_options *ndo,`
`904`	`904`	`{`
`905`	`905`	`u_int idx = 0;`
`906`	`906`
`907`		`- while (*s && idx < maxlen) {`
	`907`	`+ while (idx < maxlen && *s) {`
`908`	`908`	`safeputchar(ndo, *s);`
`909`	`909`	`idx++;`
`910`	`910`	`s++;`