authorGuy Harris <guy@alum.mit.edu>2017-03-21 19:49:28 -0700
committerDenis Ovsienko <denis@ovsienko.info>2017-09-13 12:25:44 +0100
commit26a6799b9ca80508c05cac7a9a3bef922991520b (patch)
tree297cec0c4cd49d3bd2b992a5c206f4b0a4f97c77 /print-pgm.c
parent11b426ee05eb62ed103218526f1fa616851c43ce (diff)
CVE-2017-13018/PGM: Add a missing bounds check.
This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't be rejected as an invalid capture.
Diffstat (limited to 'print-pgm.c')
-rw-r--r--print-pgm.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/print-pgm.c b/print-pgm.c
index 6d5c01ce..9bd6eac5 100644
--- a/print-pgm.c
+++ b/print-pgm.c
@@ -457,6 +457,10 @@ pgm_print(netdissect_options *ndo,
ND_PRINT((ndo, "[Total option length leaves no room for final option]"));
return;
}
+ if (!ND_TTEST2(*bp, 2)) {
+ ND_PRINT((ndo, " [|OPT]"));
+ return;
+ }
opt_type = *bp++;
opt_len = *bp++;
if (opt_len < PGM_MIN_OPT_LEN) {
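Review bot: The added `ND_TTEST2(*bp, 2)` guard covers only the option type and length octets, so the option body that `opt_len` describes is still unchecked against the captured length at this point. The per-option parsing lies below the hunk and is not visible here; if it does not test each read itself, one check placed after the `opt_len < PGM_MIN_OPT_LEN` test, such as `if (!ND_TTEST2(*bp, opt_len - 2)) { ND_PRINT((ndo, " [|OPT]")); return; }`, would bound the whole option before any field is extracted. A short comment above the new check would also help, for example `/* the test above appears to use the option length declared in the packet, not the captured length */`, so the next reader sees why both checks are needed.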