CVE-2017-13025/IPv6 mobility: Add a bounds check before fetching data

This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s), modified so the capture file won't cause 'tcpdump: pcap_loop: truncated dump file'
author: Francois-Xavier Le Bail <devel.fx.lebail@orange.fr> 2017-03-22 17:07:47 +0100
committer: Denis Ovsienko <denis@ovsienko.info> 2017-09-13 12:25:44 +0100
commit: 5338aac7b8b880b0c5e0c15e27dadc44c5559284 (patch)
tree: 628002c5e06b40533dcc8839c5e957960d6926aa /print-mobility.c
parent: 7d3aba9f06899d0128ef46e8a2fa143c6fad8f62 (diff)
download: tcpdump-5338aac7b8b880b0c5e0c15e27dadc44c5559284.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/print-mobility.c b/print-mobility.c
index 21a0fbad..44c9a77f 100644
--- a/print-mobility.c
+++ b/print-mobility.c
@@ -159,6 +159,7 @@ mobility_opt_print(netdissect_options *ndo,
 				ND_PRINT((ndo, "(altcoa: trunc)"));
 				goto trunc;
 			}
+			ND_TCHECK_128BITS(&bp[i+2]);
 			ND_PRINT((ndo, "(alt-CoA: %s)", ip6addr_string(ndo, &bp[i+2])));
 			break;
 		case IP6MOPT_NONCEID:
author	Francois-Xavier Le Bail <devel.fx.lebail@orange.fr>	2017-03-22 17:07:47 +0100
committer	Denis Ovsienko <denis@ovsienko.info>	2017-09-13 12:25:44 +0100
commit	5338aac7b8b880b0c5e0c15e27dadc44c5559284 (patch)
tree	628002c5e06b40533dcc8839c5e957960d6926aa /print-mobility.c
parent	7d3aba9f06899d0128ef46e8a2fa143c6fad8f62 (diff)
download	tcpdump-5338aac7b8b880b0c5e0c15e27dadc44c5559284.tar.gz