author Denis Ovsienko <denis@ovsienko.info> 2017-08-04 17:15:07 +0100
committer Denis Ovsienko <denis@ovsienko.info> 2017-09-13 12:25:44 +0100
commit aa0858100096a3490edf93034a80e66a4d61aad5
tree 65778eaa41d957baa670808b79edae52fe4a9511 /print-rx.c
parent d515b4b4a300479cdf1a6e0d1bb95bc1f9fee514
CVE-2017-13049/Rx: add a missing bounds check for Ubik
One of the case blocks in ubik_print() didn't check bounds before fetching 32 bits of packet data and could overread past the captured packet data by that amount. This fixes a buffer over-read discovered by Henri Salo from Nixu Corporation. Add a test using the capture file supplied by the reporter(s).
Diffstat (limited to 'print-rx.c')
-rw-r--r-- print-rx.c 1
1 files changed, 1 insertions, 0 deletions
diff --git a/print-rx.c b/print-rx.c
index 9df6b6ae..741d3043 100644
--- a/print-rx.c
+++ b/print-rx.c
@@ -2577,6 +2577,7 @@ ubik_print(netdissect_options *ndo,
INTOUT();
ND_PRINT((ndo, " length"));
INTOUT();
+ ND_TCHECK_32BITS(bp);
temp = EXTRACT_32BITS(bp);
bp += sizeof(int32_t);
tok2str(ubik_lock_types, "type %d", temp);
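Review bot: In the trailing context of this hunk, the return value of tok2str(ubik_lock_types, "type %d", temp) is discarded, so the 32-bit lock type that the new ND_TCHECK_32BITS(bp) guards is fetched but, as far as these lines show, never printed; consider passing the result to ND_PRINT, for example ND_PRINT((ndo, " %s", tok2str(ubik_lock_types, "type %d", temp))). The added check is placed correctly, directly before the EXTRACT_32BITS(bp) it protects. This is the one fetch in the visible block done by hand rather than through INTOUT(), so a short comment on the pairing of ND_TCHECK_32BITS with EXTRACT_32BITS, or a helper that combines them, would make a missed check harder to repeat. The commit message mentions a test with the reporter's capture file; it is outside this diff (limited to print-rx.c), so it cannot be reviewed here.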