authorGuy Harris <guy@alum.mit.edu>2015-07-03 15:54:14 -0700
committerFrancois-Xavier Le Bail <fx.lebail@yahoo.com>2017-01-18 09:16:36 +0100
commit6bc44295cfbe1f7b6633c755841518f4b159aa8a (patch)
tree859fda193d4664cfce2892e3c3c219847ada789b /print-calm-fast.c
parent237efcf593ee369519e9dfdc9166702219dabfec (diff)
CVE-2016-7985,7986/Change the way protocols print link-layer addresses.
If a protocol that runs under a link-layer protocol would print the link-layer addresses for the packet as source and destination addresses for the packet, don't have it blithely assume those link-layer addresses are present or are at a particular offset from the beginning of that protocol's data; Ethertypes, for example, are used by a number of protocols, not all of which have Ethernet headers and not all of which have any MAC headers. Instead, pass the printers for those protocols structures with a pointer to the address data and a pointer to a routine that prints the address. Fixes some heap overflows found with American Fuzzy Lop by Hanno Böck.
Diffstat (limited to 'print-calm-fast.c')
-rw-r--r--print-calm-fast.c22
1 files changed, 18 insertions, 4 deletions
diff --git a/print-calm-fast.c b/print-calm-fast.c
index 4e4e51af..c9be008c 100644
--- a/print-calm-fast.c
+++ b/print-calm-fast.c
@@ -37,19 +37,33 @@
* to the calm header of the packet.
*/
void
-calm_fast_print(netdissect_options *ndo, const u_char *eth, const u_char *bp, u_int length)
+calm_fast_print(netdissect_options *ndo, const u_char *bp, u_int length, const struct lladdr_info *src)
{
- int srcNwref = bp[0];
- int dstNwref = bp[1];
+ int srcNwref;
+ int dstNwref;
+
+ ND_TCHECK2(*bp, 2);
+ if (length < 2)
+ goto trunc;
+ srcNwref = bp[0];
+ dstNwref = bp[1];
length -= 2;
bp += 2;
- ND_PRINT((ndo, "CALM FAST src:%s; ", etheraddr_string(ndo, eth+6)));
+ ND_PRINT((ndo, "CALM FAST"));
+ if (src != NULL)
+ ND_PRINT((ndo, " src:%s", (src->addr_string)(ndo, src->addr)));
+ ND_PRINT((ndo, "; "));
ND_PRINT((ndo, "SrcNwref:%d; ", srcNwref));
ND_PRINT((ndo, "DstNwref:%d; ", dstNwref));
if (ndo->ndo_vflag)
ND_DEFAULTPRINT(bp, length);
+ return;
+
+trunc:
+ ND_PRINT((ndo, "[|calm fast]"));
+ return;
}
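Review bot: The new `src` parameter carries an unstated contract: when it is non-NULL, `(src->addr_string)(ndo, src->addr)` is called with no check in this function that `addr_string` is set or that the bytes behind `addr` lie inside the captured buffer, so that bounds guarantee now rests entirely on each caller. The removed line read `eth+6` on the same kind of assumption, which appears to be where the overflows named in the commit message came from, so the contract is worth writing down. The header comment above calm_fast_print starts outside this hunk; it should gain something like `'src' may be NULL when no link-layer source address is available; otherwise src->addr must point to captured address data and src->addr_string must be non-NULL.` Separately, a fully captured packet with `length < 2` is reported as `[|calm fast]`, the same marker used for capture truncation; a one-line comment at that check saying the conflation is intentional would help the next reader.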