CVE-2017-12988/TELNET: Add a missing bounds check.

This fixes a buffer over-read discovered by Forcepoint's security researchers Otto Airamo & Antti Levomäki. Add a test using the capture file supplied by the reporter(s).
the-tcpdump-group · Sep 13, 2017 · 8934a7d · 8934a7d
1 parent c2ef693
commit 8934a7d
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 0 deletions.
diff --git a/print-telnet.c b/print-telnet.c
@@ -442,6 +442,7 @@ telnet_parse(netdissect_options *ndo, const u_char *sp, u_int length, int print)
 				break;
 			p++;
 		}
+		ND_TCHECK(*p);
 		if (*p != IAC)
 			goto pktend;
 

diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -466,6 +466,7 @@ eigrp-tlv-oobr		eigrp-tlv-oobr.pcap		eigrp-tlv-oobr.out	-vvv -e
 zephyr-oobr		zephyr-oobr.pcap		zephyr-oobr.out		-vvv -e
 bgp-as-path-oobr	bgp-as-path-oobr.pcap		bgp-as-path-oobr.out	-vvv -e
 isakmp-no-none-np	isakmp-no-none-np.pcap		isakmp-no-none-np.out	-vvv -e
+telnet-iac-check-oobr	telnet-iac-check-oobr.pcap	telnet-iac-check-oobr.out	-vvv -e
 
 # RTP tests
 # fuzzed pcap

diff --git a/tests/telnet-iac-check-oobr.out b/tests/telnet-iac-check-oobr.out
diff --git a/tests/telnet-iac-check-oobr.pcap b/tests/telnet-iac-check-oobr.pcap