authorGuy Harris <guy@alum.mit.edu>2015-07-03 18:07:35 -0700
committerFrancois-Xavier Le Bail <fx.lebail@yahoo.com>2017-01-18 09:16:36 +0100
commit69ead2a09cf7d0666c6a7ac12e47fd9743242c61 (patch)
tree02fede169d4ade27fa380d29e0df67a3e59e3af8 /print-mpls.c
parentb56aab38621915a192be3fab9334207a12b1cb9a (diff)
CVE-2016-7931/Add bounds and length checks.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
Diffstat (limited to 'print-mpls.c')
-rw-r--r--print-mpls.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/print-mpls.c b/print-mpls.c
index 6d0539e6..f6ee434e 100644
--- a/print-mpls.c
+++ b/print-mpls.c
@@ -68,6 +68,10 @@ mpls_print(netdissect_options *ndo, const u_char *bp, u_int length)
ND_PRINT((ndo, "MPLS"));
do {
ND_TCHECK2(*p, sizeof(label_entry));
+ if (length < sizeof(label_entry)) {
+ ND_PRINT((ndo, "[|MPLS], length %u", length));
+ return;
+ }
label_entry = EXTRACT_32BITS(p);
ND_PRINT((ndo, "%s(label %u",
(label_stack_depth && ndo->ndo_vflag) ? "\n\t" : " ",
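Review bot: The captured-data check `ND_TCHECK2(*p, sizeof(label_entry));` still runs before the new `if (length < sizeof(label_entry))` test, so a packet whose declared length runs out exactly where the capture ends presumably takes the macro's truncation path and never reaches the new branch. Moving the `length` test above the `ND_TCHECK2` line would report a short packet as short. The same ordering appears in the last hunk, where `ND_TCHECK(*p);` precedes `if (length < 1)`, so a label stack with no payload may be flagged as truncated instead of returning quietly. The new branch also prints `[|MPLS]`, which reads like the truncation marker; a separate message for a bad length would let an analyst tell a malformed packet from a short capture. The body of mpls_print starts and ends outside this hunk.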
@@ -82,6 +86,7 @@ mpls_print(netdissect_options *ndo, const u_char *bp, u_int length)
ND_PRINT((ndo, ", ttl %u)", MPLS_TTL(label_entry)));
p += sizeof(label_entry);
+ length -= sizeof(label_entry);
} while (!MPLS_STACK(label_entry));
/*
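Review bot: The added `length -= sizeof(label_entry);` has no comment saying why it cannot wrap, and `length` is a `u_int`. It is safe only because of the `length < sizeof(label_entry)` guard added at the top of the loop body in the first hunk. A comment such as `/* cannot wrap: length >= sizeof(label_entry) was checked at the top of the loop */` would keep a later reordering from reintroducing the underflow. The loop body starts outside this hunk.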
@@ -124,6 +129,11 @@ mpls_print(netdissect_options *ndo, const u_char *bp, u_int length)
* Cisco sends control-plane traffic MPLS-encapsulated in
* this fashion.
*/
+ ND_TCHECK(*p);
+ if (length < 1) {
+ /* nothing to print */
+ return;
+ }
switch(*p) {
case 0x45: