| author | Guy Harris <guy@alum.mit.edu> | 2017-03-05 20:21:48 -0800 |
|---|---|---|
| committer | Denis Ovsienko <denis@ovsienko.info> | 2017-09-13 12:25:44 +0100 |
| commit | ca336198e8bebccc18502de27672fdbd6eb34856 (patch) | |
| tree | bbe918f6b617e9bab0ce1e7c40bd9f53c4224740 /print-pktap.c | |
| parent | cc4a7391c616be7a64ed65742ef9ed3f106eb165 (diff) | |
| download | tcpdump-ca336198e8bebccc18502de27672fdbd6eb34856.tar.gz | |
CVE-2017-13007/PKTAP: Pass a properly updated struct pcap_pkthdr to the sub-dissector.
The sub-dissector expects that the length and captured length will
reflect the actual remaining data in the packet, not the raw amount
including the PKTAP header; pass an updated header, just as we do for
PPI.
This fixes a buffer over-read discovered by Yannick Formaggio.
Add a test using the capture file supplied by the reporter(s).
Diffstat (limited to 'print-pktap.c')
-rw-r--r-- | print-pktap.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/print-pktap.c b/print-pktap.c index 7144f3c6..4a295fdf 100644 --- a/print-pktap.c +++ b/print-pktap.c @@ -104,6 +104,7 @@ pktap_if_print(netdissect_options *ndo, u_int length = h->len; if_printer printer; const pktap_header_t *hdr; + struct pcap_pkthdr nhdr; if (caplen < sizeof(pktap_header_t) || length < sizeof(pktap_header_t)) { ND_PRINT((ndo, "[|pktap]")); @@ -144,7 +145,10 @@ pktap_if_print(netdissect_options *ndo, case PKT_REC_PACKET: if ((printer = lookup_printer(dlt)) != NULL) { - hdrlen += printer(ndo, h, p); + nhdr = *h; + nhdr.caplen = caplen; + nhdr.len = length; + hdrlen += printer(ndo, &nhdr, p); } else { if (!ndo->ndo_eflag) pktap_header_print(ndo, (const u_char *)hdr, |
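Review bot: in the second hunk (`case PKT_REC_PACKET:`), the copied header is only correct if the local `caplen` and `length` have already been reduced by the PKTAP header size (and `p` advanced past it) before this branch is reached; the diff shows the initial `u_int length = h->len;` but not that adjustment, so a one-line comment at `nhdr.caplen = caplen;` stating that these now describe the bytes remaining at `p` would make the invariant the sub-dissector depends on explicit to the next reader. Copying `*h` before overriding the two length fields is the right approach, since it keeps `ts` and any other header fields intact for the callee.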