authorGuy Harris <guy@alum.mit.edu>2017-02-19 21:13:25 -0800
committerDenis Ovsienko <denis@ovsienko.info>2017-09-13 12:25:44 +0100
commita25211918f2e790c67d859d20ccf8dbb81da1598 (patch)
treea23e3ea36c807014da485cf339e6a5b6e1376764 /extract.h
parentcbddb98484ea8ec1deece351abd56e063d775b38 (diff)
downloadtcpdump-a25211918f2e790c67d859d20ccf8dbb81da1598.tar.gz
CVE-2017-13003/Clean up the LMP dissector.
Do a lot more bounds and length checks. Add an EXTRACT_8BITS() macro, for completeness, and so as not to confuse people into thinking that, to fetch a 1-byte value from a packet, they need to use EXTRACT_16BITS() to fetch a 2-byte value and then use shifting and masking to extract the desired byte. Use that rather than using EXTRACT_16BITS() to fetch a 2-byte value and then shifting and masking to extract the desired byte. Don't treat IPv4 addresses and unnumbered interface IDs the same; the first should be printed as an IPv4 address but the latter should just be printed as numbers. Handle IPv6 addresses in more object types while we're at it. This fixes a buffer over-read discovered by Forcepoint's security researchers Otto Airamo & Antti Levomäki. Add a test using the capture file supplied by the reporter(s).
Diffstat (limited to 'extract.h')
-rw-r--r--extract.h8
1 files changed, 7 insertions, 1 deletions
diff --git a/extract.h b/extract.h
index 2ea4ca80..04367546 100644
--- a/extract.h
+++ b/extract.h
@@ -20,6 +20,13 @@
*/
/*
+ * For 8-bit values; provided for the sake of completeness. Byte order
+ * isn't relevant, and alignment isn't an issue.
+ */
+#define EXTRACT_8BITS(p) (*(p))
+#define EXTRACT_LE_8BITS(p) (*(p))
+
+/*
* Inline functions or macros to extract possibly-unaligned big-endian
* integral values.
*/
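Review bot: The new EXTRACT_8BITS() and EXTRACT_LE_8BITS() dereference `p` with no cast, so a caller that hands in a `const char *` (or any pointer to a signed char type) gets a sign-extended value on promotion — a byte of 0x80 reads as -128, not 128 — which then misbehaves when printed, compared against a length, or used as an array index; the EXTRACT_LE_16BITS() macro just below goes through `const uint8_t *` for exactly that reason. Suggest `#define EXTRACT_8BITS(p) ((uint8_t)(*((const uint8_t *)(p))))` and the same body for EXTRACT_LE_8BITS so the 8-bit macros agree with the existing 16-bit ones. The comment on the macros could also say that, like every other EXTRACT_* macro here, they do no bounds checking and the caller must verify the byte is inside the captured data before calling — the over-read this commit fixes is in the dissector, not in the fetch, and a reader of this header has no other hint of that contract.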
@@ -226,7 +233,6 @@ EXTRACT_64BITS(const void *p)
* Macros to extract possibly-unaligned little-endian integral values.
* XXX - do loads on little-endian machines that support unaligned loads?
*/
-#define EXTRACT_LE_8BITS(p) (*(p))
#define EXTRACT_LE_16BITS(p) \
((uint16_t)(((uint16_t)(*((const uint8_t *)(p) + 1)) << 8) | \
((uint16_t)(*((const uint8_t *)(p) + 0)) << 0)))