CVE-2017-13020/VTP: Add some missing bounds checks.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.

4 files changed, 9 insertions, 0 deletions

diff --git a/print-vtp.c b/print-vtp.c
index 285beb96..18c1356e 100644
--- a/print-vtp.c
+++ b/print-vtp.c
@@ -223,6 +223,7 @@ vtp_print (netdissect_options *ndo,
 	 *
 	 */
 
+	ND_TCHECK_32BITS(tptr);
 	ND_PRINT((ndo, ", Config Rev %x", EXTRACT_32BITS(tptr)));
 
 	/*
@@ -243,6 +244,7 @@ vtp_print (netdissect_options *ndo,
 	tptr += 4;
 	while (tptr < (pptr+length)) {
 
+	    ND_TCHECK_8BITS(tptr);
 	    len = *tptr;
 	    if (len == 0)
 		break;
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 94237232..6f5d3314 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -521,6 +521,7 @@ esis_snpa_asan-5	esis_snpa_asan-5.pcap		esis_snpa_asan-5.out	-v
 dhcp6_reconf_asan	dhcp6_reconf_asan.pcap		dhcp6_reconf_asan.out	-v
 pgm_opts_asan		pgm_opts_asan.pcap		pgm_opts_asan.out	-v
 pgm_opts_asan_2		pgm_opts_asan_2.pcap		pgm_opts_asan_2.out	-v
+vtp_asan		vtp_asan.pcap			vtp_asan.out	-v
 
 # RTP tests
 # fuzzed pcap
diff --git a/tests/vtp_asan.out b/tests/vtp_asan.out
new file mode 100644
index 00000000..17b682bf
--- /dev/null
+++ b/tests/vtp_asan.out
@@ -0,0 +1,6 @@
+FRF.16 Frag, seq 193, Flags [Begin, End], UI 08! VTPv69, Message Subset advertisement (0x02), length 2126400013
+	Domain name: , Seq number: 0[|vtp]
+[|mfr]
+[|mfr]
+[|mfr]
+[|mfr]
diff --git a/tests/vtp_asan.pcap b/tests/vtp_asan.pcap
new file mode 100644
index 00000000..515828a0
--- /dev/null
+++ b/tests/vtp_asan.pcap