
Commit a1eefe9

committed
CVE-2017-13687/CHDLC: Improve bounds and length checks.
Prevent a possible buffer overread in chdlc_print() and replace the custom check in chdlc_if_print() with a standard check in chdlc_print() so that the latter certainly does not over-read even when reached via juniper_chdlc_print(). Add length checks.
1 parent 071190f commit a1eefe9


1 file changed

+12
-8
lines changed


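--- a/print-chdlc.c
+++ b/print-chdlc.c
@@ -46,21 +46,18 @@ static const struct tok chdlc_cast_values[] = {
 u_int
 chdlc_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h, register const u_char *p)
 {
-register u_int length = h->len;
-register u_int caplen = h->caplen;
-
-if (caplen < CHDLC_HDRLEN) {
-ND_PRINT((ndo, "[|chdlc]"));
-return (caplen);
-}
-return (chdlc_print(ndo, p,length));
+return chdlc_print(ndo, p, h->len);
 }
 
 u_int
 chdlc_print(netdissect_options *ndo, register const u_char *p, u_int length)
 {
 u_int proto;
+const u_char *bp = p;
 
+if (length < CHDLC_HDRLEN)
+goto trunc;
+ND_TCHECK2(*p, CHDLC_HDRLEN);
 proto = EXTRACT_16BITS(&p[2]);
 if (ndo->ndo_eflag) {
 ND_PRINT((ndo, "%s, ethertype %s (0x%04x), length %u: ",
@@ -94,6 +91,9 @@ chdlc_print(netdissect_options *ndo, register const u_char *p, u_int length)
 break;
 case ETHERTYPE_ISO:
 /* is the fudge byte set ? lets verify by spotting ISO headers */
+if (length < 2)
+goto trunc;
+ND_TCHECK_16BITS(p);
 if (*(p+1) == 0x81 ||
 *(p+1) == 0x82 ||
 *(p+1) == 0x83)
@@ -108,6 +108,10 @@ chdlc_print(netdissect_options *ndo, register const u_char *p, u_int length)
 }
 
 return (CHDLC_HDRLEN);
+
+trunc:
+ND_PRINT((ndo, "[|chdlc]"));
+return ndo->ndo_snapend - bp;
 }
 
 /*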
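Review bot: The `trunc:` exit added at the end of chdlc_print() returns `ndo->ndo_snapend - bp`, a signed pointer difference that is implicitly narrowed to `u_int`, so if a caller ever passes a `p` that already lies past the snapshot end (the juniper_chdlc_print() path is not visible here) the result wraps to a very large length. Clamping would make the contract explicit: `return bp < ndo->ndo_snapend ? (u_int)(ndo->ndo_snapend - bp) : 0;`. The same label is also taken when the on-wire `length` is below CHDLC_HDRLEN or below 2, so a short frame inside a complete capture is reported with the truncation marker `[|chdlc]`; a comment at the label saying that both cases share it, and that the ND_TCHECK2/ND_TCHECK_16BITS macros appear to branch there as well, would help the next reader. The middle of chdlc_print() lies between the hunks and is not shown, so whether `p` and `length` have been advanced past the header before the ETHERTYPE_ISO check is assumed rather than confirmed.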
