| field | value | date |
|---|---|---|
| author | Denis Ovsienko <denis@ovsienko.info> | 2017-01-10 14:12:14 +0000 |
| committer | Francois-Xavier Le Bail <fx.lebail@yahoo.com> | 2017-01-18 09:16:41 +0100 |
| commit | 0db4dcafe5ae38201d3869c96a96cb714d82ff35 (patch) | |
| tree | 76b386608be938d6b041175122ec9778f8166d86 /print-vxlan-gpe.c | |
| parent | 409ffe94529df3d8bb8258bf99586f821756cb29 (diff) | |
| download | tcpdump-0db4dcafe5ae38201d3869c96a96cb714d82ff35.tar.gz | |
CVE-2017-5342/pass correct caplen value to ether_print()
In that function the "length" parameter means off-the-wire length, that
is, the length declared inside the outer header. The "caplen" parameter
means the number of bytes actually available in the captured packet.
gre_print_0() and the functions modelled after it passed the value of
"length" instead of the value of "caplen"; this could make ether_print()
access beyond the memory allocated for the captured packet. Brian
Carpenter had demonstrated this for the OTV case.
Fix the involved functions that call ether_print() to pass the correct
value and leave a comment to dismiss "caplen" later as its value can be
reliably derived from the other ether_print() parameters.
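The length/caplen distinction described in the commit message, shown as an added example that is not tcpdump's own code: `struct dissect_ctx` is a constructed stand-in for `netdissect_options` (only the snapshot-end pointer is kept), `inner_dissect` plays the role of `ether_print()` but reports what a read would do instead of reading, and `outer_dissect_buggy` / `outer_dissect_fixed` mirror the two sides of the hunk (`len - 8` as caplen versus `snapend - bp`). All of these names, and the 8-byte outer header, are assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for tcpdump's netdissect_options: only the snapshot
 * end pointer matters here (assumed name, not tcpdump's). */
struct dissect_ctx {
    const uint8_t *snapend;   /* one past the last captured byte */
};

#define OUTER_HDRLEN 8        /* the header the hunk skips with "len - 8" */
#define ETHER_HDRLEN 14       /* what the inner dissector must read first */

/* What the inner dissector would have done with the bytes it was handed. */
enum verdict {
    VERDICT_OK = 0,            /* header fully inside the captured bytes */
    VERDICT_TRUNCATED = 1,     /* caplen too small, dissector stops cleanly */
    VERDICT_WOULD_OVERREAD = 2 /* caplen said "go ahead", but the bytes are not there */
};

/* Simplified inner dissector following ether_print()'s contract: "length" is
 * the on-the-wire length, "caplen" the bytes actually captured. Like the real
 * one it trusts caplen for bounds; instead of reading bp[0..ETHER_HDRLEN) it
 * compares against the true snapshot end and reports what a read would do. */
static enum verdict inner_dissect(const struct dissect_ctx *ctx, const uint8_t *bp,
                                  unsigned length, unsigned caplen)
{
    if (length < ETHER_HDRLEN || caplen < ETHER_HDRLEN)
        return VERDICT_TRUNCATED;
    if (ctx->snapend - bp < ETHER_HDRLEN)
        return VERDICT_WOULD_OVERREAD;   /* a real dissector would read past the buffer here */
    return VERDICT_OK;
}

/* Common prologue: the outer header itself must be captured, so that
 * bp + OUTER_HDRLEN never passes snapend and the pointer difference used
 * by the fixed variant is well defined (non-negative). */
static int outer_header_captured(const struct dissect_ctx *ctx, const uint8_t *bp, unsigned len)
{
    return len >= OUTER_HDRLEN && ctx->snapend - bp >= OUTER_HDRLEN;
}

/* Before the fix: caplen copied from the declared length ("len - 8, len - 8"). */
static enum verdict outer_dissect_buggy(const struct dissect_ctx *ctx, const uint8_t *bp, unsigned len)
{
    if (!outer_header_captured(ctx, bp, len))
        return VERDICT_TRUNCATED;
    bp += OUTER_HDRLEN;
    return inner_dissect(ctx, bp, len - OUTER_HDRLEN, len - OUTER_HDRLEN);
}

/* After the fix: caplen is what is really left ("ndo->ndo_snapend - bp"). */
static enum verdict outer_dissect_fixed(const struct dissect_ctx *ctx, const uint8_t *bp, unsigned len)
{
    if (!outer_header_captured(ctx, bp, len))
        return VERDICT_TRUNCATED;
    bp += OUTER_HDRLEN;
    return inner_dissect(ctx, bp, len - OUTER_HDRLEN, (unsigned)(ctx->snapend - bp));
}

/* Drive one variant over a constructed capture: the outer header claims
 * wire_len bytes, but only `captured` bytes were saved (a short snaplen). */
enum verdict run_variant(int fixed, unsigned wire_len, size_t captured)
{
    static uint8_t buf[64];              /* constructed packet bytes; contents irrelevant */
    memset(buf, 0xAA, sizeof buf);
    if (captured > sizeof buf)
        captured = sizeof buf;
    struct dissect_ctx ctx = { buf + captured };
    return fixed ? outer_dissect_fixed(&ctx, buf, wire_len)
                 : outer_dissect_buggy(&ctx, buf, wire_len);
}

int main(void)
{
    static const char *names[] = { "ok", "truncated", "WOULD OVERREAD" };
    printf("full capture: buggy=%s fixed=%s\n",
           names[run_variant(0, 64, 64)], names[run_variant(1, 64, 64)]);
    printf("20-byte snap: buggy=%s fixed=%s\n",
           names[run_variant(0, 64, 20)], names[run_variant(1, 64, 20)]);
    return 0;
}
```

With a full capture both variants agree; with a 20-byte snapshot of a 64-byte packet the buggy caller tells the inner dissector it has 56 bytes when only 12 remain, which is exactly the condition the commit fixes. Note that the fixed variant's `snapend - bp` is only meaningful because the outer header was bounds-checked first.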
Diffstat (limited to 'print-vxlan-gpe.c')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | print-vxlan-gpe.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/print-vxlan-gpe.c b/print-vxlan-gpe.c index a3c214d3..6d170de1 100644 --- a/print-vxlan-gpe.c +++ b/print-vxlan-gpe.c @@ -92,7 +92,7 @@ vxlan_gpe_print(netdissect_options *ndo, const u_char *bp, u_int len) ip6_print(ndo, bp, len - 8); break; case 0x3: - ether_print(ndo, bp, len - 8, len - 8, NULL, NULL); + ether_print(ndo, bp, len - 8, ndo->ndo_snapend - bp, NULL, NULL); break; case 0x4: nsh_print(ndo, bp, len - 8); |
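Review bot: the new caplen argument `ndo->ndo_snapend - bp` is a pointer difference converted to `u_int`, so it is only correct if `bp` has already been bounds-checked against `ndo->ndo_snapend` before this `switch`; that check (on the 8-byte header that `len - 8` skips) is outside the visible context, and without it a `bp` past the snapshot end would turn into a huge caplen rather than a small one. Confirm the check precedes `case 0x3:`, or add `ND_TCHECK`-style validation of the 8 header bytes ahead of the switch. Keeping `len - 8` as the length argument is right, since the commit message distinguishes the declared on-the-wire length from the captured length, and the neighbouring `ip6_print(ndo, bp, len - 8)` and `nsh_print(ndo, bp, len - 8)` calls take only the former.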