authorGuy Harris <guy@alum.mit.edu>2015-07-03 15:54:14 -0700
committerFrancois-Xavier Le Bail <fx.lebail@yahoo.com>2017-01-18 09:16:36 +0100
commit6bc44295cfbe1f7b6633c755841518f4b159aa8a (patch)
tree859fda193d4664cfce2892e3c3c219847ada789b /print-ipfc.c
parent237efcf593ee369519e9dfdc9166702219dabfec (diff)
CVE-2016-7985,7986/Change the way protocols print link-layer addresses.
If a protocol that runs under a link-layer protocol would print the link-layer addresses for the packet as source and destination addresses for the packet, don't have it blithely assume those link-layer addresses are present or are at a particular offset from the beginning of that protocol's data; Ethertypes, for example, are used by a number of protocols, not all of which have Ethernet headers and not all of which have any MAC headers. Instead, pass the printers for those protocols structures with a pointer to the address data and a pointer to a routine that prints the address. Fixes some heap overflows found with American Fuzzy Lop by Hanno Böck.
Diffstat (limited to 'print-ipfc.c')
-rw-r--r--print-ipfc.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/print-ipfc.c b/print-ipfc.c
index fc204652..b8a08e96 100644
--- a/print-ipfc.c
+++ b/print-ipfc.c
@@ -93,6 +93,7 @@ ipfc_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen)
{
const struct ipfc_header *ipfcp = (const struct ipfc_header *)p;
struct ether_header ehdr;
+ struct lladdr_info src, dst;
int llc_hdrlen;
if (caplen < IPFC_HDRLEN) {
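Review bot: `src` and `dst` are declared here without an initializer, and the only members this commit sets are `addr` and `addr_string`, in the second hunk of this file just before the `llc_print` call. The definition of `struct lladdr_info` is not visible in this diff, so if it has or later gains another member, `llc_print` would receive that member with an indeterminate value; `struct lladdr_info src = {0}, dst = {0};` would rule that out. It would also help to add a comment at the assignments, such as `/* addr points into the local ehdr; valid only for the duration of the llc_print() call */`, so that a callee does not keep the pointer. The body of `ipfc_print` continues outside this hunk.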
@@ -107,13 +108,18 @@ ipfc_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen)
if (ndo->ndo_eflag)
ipfc_hdr_print(ndo, ipfcp, length, ESRC(&ehdr), EDST(&ehdr));
+ src.addr = ESRC(&ehdr);
+ src.addr_string = etheraddr_string;
+ dst.addr = EDST(&ehdr);
+ dst.addr_string = etheraddr_string;
+
/* Skip over Network_Header */
length -= IPFC_HDRLEN;
p += IPFC_HDRLEN;
caplen -= IPFC_HDRLEN;
/* Try to print the LLC-layer header & higher layers */
- llc_hdrlen = llc_print(ndo, p, length, caplen, ESRC(&ehdr), EDST(&ehdr));
+ llc_hdrlen = llc_print(ndo, p, length, caplen, &src, &dst);
if (llc_hdrlen < 0) {
/*
* Some kinds of LLC packet we cannot