author | Guy Harris <guy@alum.mit.edu> | 2017-02-13 11:11:42 -0800 |
---|---|---|
committer | Denis Ovsienko <denis@ovsienko.info> | 2017-09-13 12:25:44 +0100 |
commit | 34cec721d39c76be1e0a600829a7b17bdfb832b6 (patch) | |
tree | 5c331b78a4674ebac62d19eda6f8ef163274a3a4 /print-lldp.c | |
parent | 979dcefd7b259e9e233f77fe1c5312793bfd948f (diff) | |
download | tcpdump-34cec721d39c76be1e0a600829a7b17bdfb832b6.tar.gz |
CVE-2017-12997/LLDP: Don't use an 8-bit loop counter.

If you have a

    for (i = 0; i < N; i++)

loop, you'd better make sure that i is big enough to hold N - not N-1,
N.

The TLV length here is 9 bits long, not 8 bits long, so an 8-bit loop
counter will overflow and you can loop infinitely.

This fixes an infinite loop discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add tests using the capture files supplied by the reporter(s).

Clean up the output a bit while we're at it.

Diffstat (limited to 'print-lldp.c')
-rw-r--r-- | print-lldp.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/print-lldp.c b/print-lldp.c index fbafd6d5..dfdf1b94 100644 --- a/print-lldp.c +++ b/print-lldp.c @@ -651,7 +651,7 @@ lldp_private_8021_print(netdissect_options *ndo, int subtype, hexdump = FALSE; u_int sublen; u_int tval; - uint8_t i; + u_int i; if (tlv_len < 4) { return hexdump; @@ -787,9 +787,9 @@ lldp_private_8021_print(netdissect_options *ndo, ND_PRINT((ndo, "\n\t Application Priority Table")); while(i<sublen) { tval=*(tptr+i+5); - ND_PRINT((ndo, "\n\t Priority: %d, RES: %d, Sel: %d", - tval >> 5, (tval >> 3) & 0x03, (tval & 0x07))); - ND_PRINT((ndo, "Protocol ID: %d", EXTRACT_16BITS(tptr + i + 5))); + ND_PRINT((ndo, "\n\t Priority: %u, RES: %u, Sel: %u, Protocol ID: %u", + tval >> 5, (tval >> 3) & 0x03, (tval & 0x07), + EXTRACT_16BITS(tptr + i + 5))); i=i+3; } break; |
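Review bot: at the `u_int i;` declaration in the first hunk (line 651 of lldp_private_8021_print), the reason for the wider type lives only in the commit message. A one-line comment there, saying that `i` is compared against `sublen` and other values derived from a TLV length that does not fit in 8 bits, would keep the counter from being narrowed again later. Matching the type of `sublen`, declared two lines above as `u_int`, is the right choice for the `while(i<sublen)` comparison in the second hunk.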
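Review bot: in the Application Priority Table loop of the second hunk, `tval=*(tptr+i+5)` and `EXTRACT_16BITS(tptr + i + 5)` read from the same offset, so the value printed as Protocol ID starts with the byte that was just decoded as Priority/RES/Sel. If each 3-byte entry (per `i=i+3`) is one flags byte followed by a 16-bit Protocol ID, the extract should start at `tptr + i + 6`; worth confirming against the entry layout while this line is being touched. Separately, the loop tests only `i<sublen` before reading three bytes per entry, so unless `sublen` is checked to be a multiple of 3 above the hunk, the last iteration can read past the entry data, and the plain dereference for `tval` has no bounds check visible here.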