| author | Guy Harris <guy@alum.mit.edu> | 2017-03-05 20:21:48 -0800 |
|---|---|---|
| committer | Denis Ovsienko <denis@ovsienko.info> | 2017-09-13 12:25:44 +0100 |
| commit | ca336198e8bebccc18502de27672fdbd6eb34856 (patch) | |
| tree | bbe918f6b617e9bab0ce1e7c40bd9f53c4224740 | |
| parent | cc4a7391c616be7a64ed65742ef9ed3f106eb165 (diff) | |
| download | tcpdump-ca336198e8bebccc18502de27672fdbd6eb34856.tar.gz | |
CVE-2017-13007/PKTAP: Pass a properly updated struct pcap_pkthdr to the sub-dissector.
The sub-dissector expects that the length and captured length will
reflect the actual remaining data in the packet, not the raw amount
including the PKTAP header; pass an updated header, just as we do for
PPI.
This fixes a buffer over-read discovered by Yannick Formaggio.
Add a test using the capture file supplied by the reporter(s).
| -rw-r--r-- | print-pktap.c | 6 | ||||
| -rw-r--r-- | tests/TESTLIST | 1 | ||||
| -rw-r--r-- | tests/pktap-heap-overflow.out | 3 | ||||
| -rw-r--r-- | tests/pktap-heap-overflow.pcap | bin | 0 -> 3216 bytes |
4 files changed, 9 insertions, 1 deletions
diff --git a/print-pktap.c b/print-pktap.c
index 7144f3c6..4a295fdf 100644
--- a/print-pktap.c
+++ b/print-pktap.c
@@ -104,6 +104,7 @@ pktap_if_print(netdissect_options *ndo,
 u_int length = h->len;
 if_printer printer;
 const pktap_header_t *hdr;
+ struct pcap_pkthdr nhdr;
 if (caplen < sizeof(pktap_header_t) || length < sizeof(pktap_header_t)) {
 ND_PRINT((ndo, "[|pktap]"));
@@ -144,7 +145,10 @@ pktap_if_print(netdissect_options *ndo,
 case PKT_REC_PACKET:
 if ((printer = lookup_printer(dlt)) != NULL) {
- hdrlen += printer(ndo, h, p);
+ nhdr = *h;
+ nhdr.caplen = caplen;
+ nhdr.len = length;
+ hdrlen += printer(ndo, &nhdr, p);
 } else {
 if (!ndo->ndo_eflag)
 pktap_header_print(ndo, (const u_char *)hdr,
diff --git a/tests/TESTLIST b/tests/TESTLIST
index f9ae40dd..5f18a057 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -502,6 +502,7 @@ juniper_es juniper_es.pcap juniper_es.out -vvv -e
 # bad packets from Yannick Formaggio
 l2tp-avp-overflow l2tp-avp-overflow.pcap l2tp-avp-overflow.out -v
+pktap-heap-overflow pktap-heap-overflow.pcap pktap-heap-overflow.out -v
 # RTP tests
 # fuzzed pcap
diff --git a/tests/pktap-heap-overflow.out b/tests/pktap-heap-overflow.out
new file mode 100644
index 00000000..e23ed919
--- /dev/null
+++ b/tests/pktap-heap-overflow.out
@@ -0,0 +1,3 @@
+[|pktap]
+[|ppp]
+EXIT CODE 00000100
diff --git a/tests/pktap-heap-overflow.pcap b/tests/pktap-heap-overflow.pcap
Binary files differ
new file mode 100644
index 00000000..e8b0f216
--- /dev/null
+++ b/tests/pktap-heap-overflow.pcap |
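Review bot: Nothing in the second hunk records that `caplen` and `length` must already have been reduced by the PKTAP header length by the time `nhdr` is built; the first hunk initialises them from `h->caplen`/`h->len`, and the decrement presumably happens between the two hunks, outside this view. Since the whole point of the copy is that sub-dissectors bounds-check against the header they are handed, a comment tying that invariant to the bug would stop a later refactor from quietly passing `h` again: `/* Sub-dissectors trust h->caplen/h->len as the remaining data, so give them the post-PKTAP-header lengths, not the raw ones (CVE-2017-13007). */` above `nhdr = *h;`. The same pattern is described in the commit message for PPI, so a shared helper that builds the adjusted header may be worth considering if a third link-type wrapper ever needs it. The `switch` and the body of `pktap_if_print` continue outside the hunk.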
