CVE-2017-13017/DHCPv6: Add a missing option length check.

This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
author: Guy Harris <guy@alum.mit.edu> 2017-03-21 19:40:51 -0700
committer: Denis Ovsienko <denis@ovsienko.info> 2017-09-13 12:25:44 +0100
commit: 11b426ee05eb62ed103218526f1fa616851c43ce (patch)
tree: efd518f59d270ff2a9e09874a1915243fe63ce53 /print-dhcp6.c
parent: c177cb3800a9a68d79b2812f0ffcb9479abd6eb8 (diff)
download: tcpdump-11b426ee05eb62ed103218526f1fa616851c43ce.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/print-dhcp6.c b/print-dhcp6.c
index 762d9187..cbb6d84a 100644
--- a/print-dhcp6.c
+++ b/print-dhcp6.c
@@ -518,6 +518,10 @@ dhcp6opt_print(netdissect_options *ndo,
 			ND_PRINT((ndo, "...)"));
 			break;
 		case DH6OPT_RECONF_MSG:
+			if (optlen != 1) {
+				ND_PRINT((ndo, " ?)"));
+				break;
+			}
 			tp = (const u_char *)(dh6o + 1);
 			switch (*tp) {
 			case DH6_RENEW:
author	Guy Harris <guy@alum.mit.edu>	2017-03-21 19:40:51 -0700
committer	Denis Ovsienko <denis@ovsienko.info>	2017-09-13 12:25:44 +0100
commit	11b426ee05eb62ed103218526f1fa616851c43ce (patch)
tree	efd518f59d270ff2a9e09874a1915243fe63ce53 /print-dhcp6.c
parent	c177cb3800a9a68d79b2812f0ffcb9479abd6eb8 (diff)
download	tcpdump-11b426ee05eb62ed103218526f1fa616851c43ce.tar.gz