CVE-2017-13003/Clean up the LMP dissector.

Do a lot more bounds and length checks. Add a EXTRACT_8BITS() macro, for completeness, and so as not to confuse people into thinking that, to fetch a 1-byte value from a packet, they need to use EXTRACT_16BITS() to fetch a 2-byte value and then use shifting and masking to extract the desired byte. Use that rather than using EXTRACT_16BITS() to fetch a 2-byte value and then shifting and masking to extract the desired byte. Don't treat IPv4 addresses and unnumbered interface IDs the same; the first should be printed as an IPv4 address but the latter should just be printed as numbers. Handle IPv6 addresses in more object types while we're at it. This fixes a buffer over-read discovered by Forcepoint's security researchers Otto Airamo & Antti Levomäki. Add a test using the capture file supplied by the reporter(s).
the-tcpdump-group · Sep 13, 2017 · a252119 · a252119
1 parent cbddb98
commit a252119
Show file tree

Hide file tree

Showing 5 changed files with 400 additions and 83 deletions.
diff --git a/extract.h b/extract.h
@@ -19,6 +19,13 @@
  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  */
 
+/*
+ * For 8-bit values; provided for the sake of completeness.  Byte order
+ * isn't relevant, and alignment isn't an issue.
+ */
+#define EXTRACT_8BITS(p)	(*(p))
+#define EXTRACT_LE_8BITS(p)	(*(p))
+
 /*
  * Inline functions or macros to extract possibly-unaligned big-endian
  * integral values.
@@ -226,7 +233,6 @@ EXTRACT_64BITS(const void *p)
  * Macros to extract possibly-unaligned little-endian integral values.
  * XXX - do loads on little-endian machines that support unaligned loads?
  */
-#define EXTRACT_LE_8BITS(p) (*(p))
 #define EXTRACT_LE_16BITS(p) \
 	((uint16_t)(((uint16_t)(*((const uint8_t *)(p) + 1)) << 8) | \
 	            ((uint16_t)(*((const uint8_t *)(p) + 0)) << 0)))