CVE-2017-12993/Juniper: Add more bounds checks.

This fixes a buffer over-read discovered by Kamil Frankowicz.

Add tests using the capture files supplied by the reporter(s).

print-juniper.c

@@ -472,6 +472,7 @@ juniper_ggsn_print(netdissect_options *ndo,
         p+=l2info.header_len;
         gh = (struct juniper_ggsn_header *)&l2info.cookie;
 
+        ND_TCHECK(*gh);
         if (ndo->ndo_eflag) {
             ND_PRINT((ndo, "proto %s (%u), vlan %u: ",
                    tok2str(juniper_protocol_values,"Unknown",gh->proto),
@@ -492,6 +493,10 @@ juniper_ggsn_print(netdissect_options *ndo,
         }
 
         return l2info.header_len;
+
+trunc:
+	ND_PRINT((ndo, "[|juniper_services]"));
+	return l2info.header_len;
 }
 #endif
 
@@ -519,6 +524,7 @@ juniper_es_print(netdissect_options *ndo,
         p+=l2info.header_len;
         ih = (const struct juniper_ipsec_header *)p;
 
+        ND_TCHECK(*ih);
         switch (ih->type) {
         case JUNIPER_IPSEC_O_ESP_ENCRYPT_ESP_AUTHEN_TYPE:
         case JUNIPER_IPSEC_O_ESP_ENCRYPT_AH_AUTHEN_TYPE:
@@ -564,6 +570,10 @@ juniper_es_print(netdissect_options *ndo,
 
         ip_print(ndo, p, l2info.length);
         return l2info.header_len;
+
+trunc:
+	ND_PRINT((ndo, "[|juniper_services]"));
+	return l2info.header_len;
 }
 #endif
 
@@ -588,6 +598,7 @@ juniper_monitor_print(netdissect_options *ndo,
         p+=l2info.header_len;
         mh = (const struct juniper_monitor_header *)p;
 
+        ND_TCHECK(*mh);
         if (ndo->ndo_eflag)
             ND_PRINT((ndo, "service-id %u, iif %u, pkt-type %u: ",
                    EXTRACT_32BITS(&mh->service_id),
@@ -598,6 +609,10 @@ juniper_monitor_print(netdissect_options *ndo,
         ip_heuristic_guess (ndo, p, l2info.length);
 
         return l2info.header_len;
+
+trunc:
+	ND_PRINT((ndo, "[|juniper_services]"));
+	return l2info.header_len;
 }
 #endif
 
@@ -622,6 +637,7 @@ juniper_services_print(netdissect_options *ndo,
         p+=l2info.header_len;
         sh = (const struct juniper_services_header *)p;
 
+        ND_TCHECK(*sh);
         if (ndo->ndo_eflag)
             ND_PRINT((ndo, "service-id %u flags 0x%02x service-set-id 0x%04x iif %u: ",
                    sh->svc_id,
@@ -633,6 +649,10 @@ juniper_services_print(netdissect_options *ndo,
         ip_heuristic_guess (ndo, p, l2info.length);
 
         return l2info.header_len;
+
+trunc:
+	ND_PRINT((ndo, "[|juniper_services]"));
+	return l2info.header_len;
 }
 #endif
 
@@ -740,6 +760,7 @@ juniper_pppoe_atm_print(netdissect_options *ndo,
 
         p+=l2info.header_len;
 
+        ND_TCHECK2(p[0], 2);
         extracted_ethertype = EXTRACT_16BITS(p);
         /* this DLT contains nothing but raw PPPoE frames,
          * prepended with a type field*/
@@ -752,6 +773,10 @@ juniper_pppoe_atm_print(netdissect_options *ndo,
             ND_PRINT((ndo, "unknown ethertype 0x%04x", extracted_ethertype));
 
         return l2info.header_len;
+
+trunc:
+	ND_PRINT((ndo, "[|juniper_pppoe_atm]"));
+	return l2info.header_len;
 }
 #endif
 
@@ -940,6 +965,7 @@ juniper_atm1_print(netdissect_options *ndo,
             return l2info.header_len;
         }
 
+        ND_TCHECK2(p[0], 3);
         if (EXTRACT_24BITS(p) == 0xfefe03 || /* NLPID encaps ? */
             EXTRACT_24BITS(p) == 0xaaaa03) { /* SNAP encaps ? */
 
@@ -958,6 +984,10 @@ juniper_atm1_print(netdissect_options *ndo,
             return l2info.header_len;
 
 	return l2info.header_len;
+
+trunc:
+	ND_PRINT((ndo, "[|juniper_atm1]"));
+	return l2info.header_len;
 }
 #endif
 
@@ -989,6 +1019,7 @@ juniper_atm2_print(netdissect_options *ndo,
             return l2info.header_len;
         }
 
+        ND_TCHECK2(p[0], 3);
         if (EXTRACT_24BITS(p) == 0xfefe03 || /* NLPID encaps ? */
             EXTRACT_24BITS(p) == 0xaaaa03) { /* SNAP encaps ? */
 
@@ -1016,6 +1047,10 @@ juniper_atm2_print(netdissect_options *ndo,
             return l2info.header_len;
 
 	return l2info.header_len;
+
+trunc:
+	ND_PRINT((ndo, "[|juniper_atm2]"));
+	return l2info.header_len;
 }
 #endif
 
@@ -1280,6 +1315,7 @@ juniper_parse_header(netdissect_options *ndo,
     l2info->caplen -= l2info->header_len;
 
     /* search through the cookie table and copy values matching for our PIC type */
+    ND_TCHECK(p[0]);
     while (lp->s != NULL) {
         if (lp->pictype == l2info->pictype) {
 
@@ -1360,6 +1396,7 @@ juniper_parse_header(netdissect_options *ndo,
     case DLT_JUNIPER_MLFR:
         switch (l2info->cookie_type) {
         case LS_COOKIE_ID:
+            ND_TCHECK2(p[0], 2);
             l2info->bundle = l2info->cookie[1];
             l2info->proto = EXTRACT_16BITS(p);
             l2info->header_len += 2;
@@ -1383,6 +1420,7 @@ juniper_parse_header(netdissect_options *ndo,
     case DLT_JUNIPER_MFR:
         switch (l2info->cookie_type) {
         case LS_COOKIE_ID:
+            ND_TCHECK2(p[0], 2);
             l2info->bundle = l2info->cookie[1];
             l2info->proto = EXTRACT_16BITS(p);
             l2info->header_len += 2;

tests/TESTLIST

@@ -451,6 +451,9 @@ nfs-attr-oobr		nfs-attr-oobr.pcap		nfs-attr-oobr.out
 decnet-oobr		decnet-oobr.pcap		decnet-oobr.out
 oobr_parse_elements	oobr_parse_elements.pcap	oobr_parse_elements.out
 hoobr_ripng_print	hoobr_ripng_print.pcap		hoobr_ripng_print.out
+hoobr_juniper		hoobr_juniper.pcap		hoobr_juniper.out
+hoobr_juniper2		hoobr_juniper2.pcap		hoobr_juniper2.out
+hoobr_juniper3		hoobr_juniper3.pcap		hoobr_juniper3.out
 
 # bad packets from Wilfried Kirsch
 slip-bad-direction	slip-bad-direction.pcap		slip-bad-direction.out	-ve

tests/hoobr_juniper.out

@@ -0,0 +1 @@
+[|juniper_hdr], length 808464432

tests/hoobr_juniper2.out

@@ -0,0 +1 @@
+[|juniper_atm1]

tests/hoobr_juniper3.out

@@ -0,0 +1 @@
+Unknown Juniper DLT_ type 132: [|juniper_services]