From aa0858100096a3490edf93034a80e66a4d61aad5 Mon Sep 17 00:00:00 2001
From: Denis Ovsienko
Date: Fri, 4 Aug 2017 17:15:07 +0100
Subject: CVE-2017-13049/Rx: add a missing bounds check for Ubik

One of the case blocks in ubik_print() didn't check bounds before fetching 32 bits of packet data and could overread past the captured packet data by that amount. This fixes a buffer over-read discovered by Henri Salo from Nixu Corporation. Add a test using the capture file supplied by the reporter(s).
---
 print-rx.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'print-rx.c')
diff --git a/print-rx.c b/print-rx.c
index 9df6b6ae..741d3043 100644
--- a/print-rx.c
+++ b/print-rx.c
@@ -2577,6 +2577,7 @@ ubik_print(netdissect_options *ndo,
 INTOUT();
 ND_PRINT((ndo, " length"));
 INTOUT();
+ ND_TCHECK_32BITS(bp);
 temp = EXTRACT_32BITS(bp);
 bp += sizeof(int32_t);
 tok2str(ubik_lock_types, "type %d", temp);
-- cgit v1.2.1
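Review bot: The last context line of this hunk calls `tok2str(ubik_lock_types, "type %d", temp);` as a bare statement, so the lock type that the new `ND_TCHECK_32BITS(bp)` guards is fetched and then apparently never printed. If tok2str() only returns the formatted string, as its use here suggests, the line should be `ND_PRINT((ndo, " %s", tok2str(ubik_lock_types, "type %d", temp)));`. The added check is also the only open-coded fetch in this case block (the neighbouring fields go through `INTOUT()`), so a short comment such as `/* lock type: fetched by hand, so it needs its own bounds check */` would help keep the two in step. The case block and the truncation handler that the check presumably jumps to both lie outside the hunk, so this is based on the visible lines only.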