CVE-2017-12998/IS-IS: Check for 2 bytes if we're going to fetch 2 bytes.

Probably a copy-and-pasteo. This fixes a buffer over-read discovered by Forcepoint's security researchers Otto Airamo & Antti Levomäki. Add a test using the capture file supplied by the reporter(s).
the-tcpdump-group · Sep 13, 2017 · 979dcef · 979dcef
1 parent 3b32029
commit 979dcef
Show file tree

Hide file tree

Showing 4 changed files with 10,896 additions and 1 deletion.
diff --git a/print-isoclns.c b/print-isoclns.c
@@ -2038,7 +2038,7 @@ isis_print_extd_ip_reach(netdissect_options *ndo,
         }
         processed++;
     } else if (afi == AF_INET6) {
-        if (!ND_TTEST2(*tptr, 1)) /* fetch status & prefix_len byte */
+        if (!ND_TTEST2(*tptr, 2)) /* fetch status & prefix_len byte */
             return (0);
         status_byte=*(tptr++);
         bit_length=*(tptr++);

diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -478,6 +478,7 @@ resp_4_infiniteloop	resp_4_infiniteloop.pcap	resp_4_infiniteloop.out	-vvv -e
 dns_fwdptr		dns_fwdptr.pcap			dns_fwdptr.out		-vvv -e
 isis-areaaddr-oobr-1	isis-areaaddr-oobr-1.pcap	isis-areaaddr-oobr-1.out		-vvv -e
 isis-areaaddr-oobr-2	isis-areaaddr-oobr-2.pcap	isis-areaaddr-oobr-2.out		-vvv -e
+isis-extd-ipreach-oobr	isis-extd-ipreach-oobr.pcap	isis-extd-ipreach-oobr.out		-vvv -e
 
 # RTP tests
 # fuzzed pcap