From f305b205c5678bfc675ba7f9578343f6ab204899 Mon Sep 17 00:00:00 2001
From: Guy Harris
Date: Tue, 25 Apr 2023 13:37:56 -0700
Subject: nhrp: fix infinite loop on malformed packets.
If a CIE doesn't fit in the remainder of the mandatory part, return the length of that remainder, so that the loop processing the CIE terminates. Add capture that produced the infinite loop.
---
 print-nhrp.c | 10 ++++++++++
 tests/TESTLIST | 1 +
 tests/pb_nhrp_1.out | 2 ++
 tests/pb_nhrp_1.pcap | Bin 0 -> 124 bytes
 4 files changed, 13 insertions(+)
 create mode 100644 tests/pb_nhrp_1.out
 create mode 100644 tests/pb_nhrp_1.pcap
diff --git a/print-nhrp.c b/print-nhrp.c
index 800d5c53..6947a7ca 100644
--- a/print-nhrp.c
+++ b/print-nhrp.c
@@ -480,5 +480,15 @@ nhrp_print_cie(netdissect_options *ndo, const u_char *data, uint16_t mand_part_l
 invalid:
 nd_print_invalid(ndo);
+
+ /*
+ * We get here because this CIE goes past thE remaining length,
+ * of the mandatory part. We've reported that error; we now
+ * assignt he insufficnetly-large remaining piece of the
+ * mandatory part to this CIE, so that this CIE finishes up
+ * the mandatory part, and the loop processing the CIEs
+ * terminates. There cannot be any CIEs after this one.
+ */
+ cie_len += mand_part_len;
 return (cie_len);
 }
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 6dd75921..dbc38425 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -918,6 +918,7 @@ NHRP_registration NHRP_registration.pcap NHRP_registration.out -v
 NHRP-responder-address NHRP-responder-address.pcap NHRP-responder-address.out -v
 nhrp-trace nhrp-trace.pcap nhrp-trace.out -v
 nhrp nhrp.pcap nhrp.out -v
+pb_nhrp_1 pb_nhrp_1.pcap pb_nhrp_1.out -v
 
 # Undefined behavior tests
 ip-snmp-leftshift-unsigned ip-snmp-leftshift-unsigned.pcap ip-snmp-leftshift-unsigned.out
diff --git a/tests/pb_nhrp_1.out b/tests/pb_nhrp_1.out
new file mode 100644
index 00000000..a1b5f94f
--- /dev/null
+++ b/tests/pb_nhrp_1.out
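Review bot: The comment added after `nd_print_invalid(ndo);` is the only explanation of a non-obvious recovery path and it carries several typos that will confuse the next reader: `thE`, `assignt he`, `insufficnetly`, plus a stray comma after `remaining length`; it should read "this CIE goes past the remaining length of the mandatory part. We've reported that error; we now assign the insufficiently-large remaining piece of the mandatory part to this CIE". More substantively, `cie_len += mand_part_len;` yields exactly the remainder only if every path that jumps to `invalid` has already reduced `mand_part_len` by what `cie_len` accumulated; those paths, and the caller's loop that subtracts the return value, are outside the hunk, so I cannot confirm it here, and the new test (`remaining mandatory part length 8 < 12`) only exercises the first check. That contract deserves a sentence in the function's header comment, e.g. `Returns the number of bytes of the mandatory part occupied by this CIE; if the CIE does not fit, returns all of the remaining mand_part_len so the caller's loop terminates.` A clamp at the call site, `if (cie_len > mand_part_len) cie_len = mand_part_len;`, would make termination independent of that invariant; nhrp_print_cie's body begins outside the hunk.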
@@ -0,0 +1,2 @@
+ 1 13:37:05.16842874 IP (tos 0xc, id 0, offset 0, flags [rsvd], proto unknown (54), length 64, options (unknown 107 [bad length 37]), bad cksum 101 (->41a4)!)
+ 62.41.66.144 > 191.215.63.14: NHRP: res request, id 0, hopcnt 103, unknown-nbma-addr-family-5dc9 (01), proto type 007b 67 -> 49 [remaining mandatory part length 8 < 12] (invalid)
diff --git a/tests/pb_nhrp_1.pcap b/tests/pb_nhrp_1.pcap
new file mode 100644
index 00000000..35791942
Binary files /dev/null and b/tests/pb_nhrp_1.pcap differ
--
cgit v1.2.1