CVE-2017-13687/CHDLC: Improve bounds and length checks.
Prevent a possible buffer overread in chdlc_print() and replace the
custom check in chdlc_if_print() with a standard check in chdlc_print()
so that the latter certainly does not over-read even when reached via
juniper_chdlc_print(). Add length checks.
infrastation committed Sep 13, 2017
1 parent 071190f commit a1eefe9
Showing 1 changed file with 12 additions and 8 deletions.
20 changes: 12 additions & 8 deletions print-chdlc.c
Expand Up @@ -46,21 +46,18 @@ static const struct tok chdlc_cast_values[] = {
u_int
chdlc_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h, register const u_char *p)
{
register u_int length = h->len;
register u_int caplen = h->caplen;

if (caplen < CHDLC_HDRLEN) {
ND_PRINT((ndo, "[|chdlc]"));
return (caplen);
}
return (chdlc_print(ndo, p,length));
return chdlc_print(ndo, p, h->len);
}

u_int
chdlc_print(netdissect_options *ndo, register const u_char *p, u_int length)
{
u_int proto;
const u_char *bp = p;

if (length < CHDLC_HDRLEN)
goto trunc;
ND_TCHECK2(*p, CHDLC_HDRLEN);
proto = EXTRACT_16BITS(&p[2]);
if (ndo->ndo_eflag) {
ND_PRINT((ndo, "%s, ethertype %s (0x%04x), length %u: ",
Expand Down Expand Up @@ -94,6 +91,9 @@ chdlc_print(netdissect_options *ndo, register const u_char *p, u_int length)
break;
case ETHERTYPE_ISO:
/* is the fudge byte set ? lets verify by spotting ISO headers */
if (length < 2)
goto trunc;
ND_TCHECK_16BITS(p);
if (*(p+1) == 0x81 ||
*(p+1) == 0x82 ||
*(p+1) == 0x83)
Expand All @@ -108,6 +108,10 @@ chdlc_print(netdissect_options *ndo, register const u_char *p, u_int length)
}

return (CHDLC_HDRLEN);

trunc:
ND_PRINT((ndo, "[|chdlc]"));
return ndo->ndo_snapend - bp;
}

/*
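Review bot: The new `if (length < 2) goto trunc;` guard in the ETHERTYPE_ISO case is only sufficient if `length` has already been reduced by CHDLC_HDRLEN and `p` advanced past the header before the switch; that code lies between the first and second hunks and is not visible here, so the guard deserves a comment tying it to that invariant, e.g. `/* length/p already exclude the CHDLC header; need the fudge byte plus the NLPID */`. The same applies to `ND_TCHECK_16BITS(p)`, which bounds-checks p[0..1] while only p[1] is read on the following lines. In the new `trunc:` path, `return ndo->ndo_snapend - bp;` narrows a pointer difference to u_int; a one-line comment stating that the whole captured remainder is reported as consumed, as other printers do on truncation, would make the intent clear, and using the same `return (...)` form as the `return (CHDLC_HDRLEN);` four lines above would keep the function's style uniform. chdlc_print's body continues outside these hunks.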