CVE-2017-13046/BGP: fix an existing bounds check for PMSI Tunnel

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).

print-bgp.c

@@ -2123,11 +2123,11 @@ bgp_attr_print(netdissect_options *ndo,
         {
                 uint8_t tunnel_type, flags;
 
+                ND_TCHECK2(tptr[0], 5);
                 tunnel_type = *(tptr+1);
                 flags = *tptr;
                 tlen = len;
 
-                ND_TCHECK2(tptr[0], 5);
                 ND_PRINT((ndo, "\n\t    Tunnel-type %s (%u), Flags [%s], MPLS Label %u",
                        tok2str(bgp_pmsi_tunnel_values, "Unknown", tunnel_type),
                        tunnel_type,

tests/TESTLIST

@@ -563,6 +563,7 @@ hncp_dhcpv6data-oobr	hncp_dhcpv6data-oobr.pcap	hncp_dhcpv6data-oobr.out -v -c1
 # Same comments apply to the case below.
 hncp_dhcpv4data-oobr	hncp_dhcpv4data-oobr.pcap	hncp_dhcpv4data-oobr.out -v -c1
 vqp-oobr		vqp-oobr.pcap			vqp-oobr.out		-v -c1
+bgp_pmsi_tunnel-oobr	bgp_pmsi_tunnel-oobr.pcap	bgp_pmsi_tunnel-oobr.out -v -c1
 
 # bad packets from Katie Holly
 mlppp-oobr		mlppp-oobr.pcap			mlppp-oobr.out

tests/bgp_pmsi_tunnel-oobr.out

@@ -0,0 +1,11 @@
+IP (tos 0x0, ttl 254, id 40207, offset 0, flags [+, DF, rsvd], proto TCP (6), length 296, bad cksum 8e15 (->3eaa)!)
+    241.0.32.19.179 > 239.0.0.1.0: Flags [none], seq 2146695561:2146695813, win 56026, options [unknown-161,eol], length 252: BGP
+	Update Message (2), length: 45
+	  Withdrawn routes: 3 bytes
+	  Attribute Set (128), length: 7, Flags [OTPE+f]: 
+	    Origin AS: 4067
+	      Origin (1), length: 1EGP
+	      Unknown Attribute (19), length: 1, Flags [+1]: 
+	    no Attribute 19 decoder
+	    0x0000:  01
+	      PMSI Tunnel (22), length: 1, Flags [+1]: [|BGP]