(for 4.9.3) CVE-2018-14466/Rx: fix an over-read bug

In rx_cache_insert() and rx_cache_find() properly read the serviceId
field of the rx_header structure as a 16-bit integer. When those
functions tried to read 32 bits the extra 16 bits could be outside of
the bounds checked in rx_print() for the rx_header structure, as
serviceId is the last field in that structure.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).

print-rx.c

@@ -694,7 +694,7 @@ rx_cache_insert(netdissect_options *ndo,
 	UNALIGNED_MEMCPY(&rxent->client, &ip->ip_src, sizeof(uint32_t));
 	UNALIGNED_MEMCPY(&rxent->server, &ip->ip_dst, sizeof(uint32_t));
 	rxent->dport = dport;
-	rxent->serviceId = EXTRACT_32BITS(&rxh->serviceId);
+	rxent->serviceId = EXTRACT_16BITS(&rxh->serviceId);
 	rxent->opcode = EXTRACT_32BITS(bp + sizeof(struct rx_header));
 }
 
@@ -725,7 +725,7 @@ rx_cache_find(const struct rx_header *rxh, const struct ip *ip, int sport,
 		if (rxent->callnum == EXTRACT_32BITS(&rxh->callNumber) &&
 		    rxent->client.s_addr == clip &&
 		    rxent->server.s_addr == sip &&
-		    rxent->serviceId == EXTRACT_32BITS(&rxh->serviceId) &&
+		    rxent->serviceId == EXTRACT_16BITS(&rxh->serviceId) &&
 		    rxent->dport == sport) {
 
 			/* We got a match! */

tests/TESTLIST

@@ -573,6 +573,7 @@ ikev1_id_ipv6_addr_subnet-oobr	ikev1_id_ipv6_addr_subnet-oobr.pcap	ikev1_id_ipv6
 isakmp-various-oobr	isakmp-various-oobr.pcap	isakmp-various-oobr.out	-v
 aoe-oobr-1		aoe-oobr-1.pcap			aoe-oobr-1.out	-v -c1
 frf16_magic_ie-oobr	frf16_magic_ie-oobr.pcap	frf16_magic_ie-oobr.out	-v -c1
+rx_serviceid_oobr	rx_serviceid_oobr.pcap		rx_serviceid_oobr.out -c3
 
 # bad packets from Katie Holly
 mlppp-oobr		mlppp-oobr.pcap			mlppp-oobr.out

tests/rx_serviceid_oobr.out

@@ -0,0 +1,3 @@
+IP 250.15.128.19.68 > 249.251.157.8.63246: BOOTP/DHCP, unknown (0x00), length 8085
+[|ether]
+IP 0.0.0.0.0 > 0.0.0.0.7004:  rx abort (539)