CVE-2016-7929/Make sure a Juniper header TLV isn't bigger than what's left in the packet.
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.
diff --git a/print-juniper.c b/print-juniper.c
index 4fb5453..83ac372 100644
--- a/print-juniper.c
+++ b/print-juniper.c
@@ -92,7 +92,7 @@
};
/* 1 byte type and 1-byte length */
-#define JUNIPER_EXT_TLV_OVERHEAD 2
+#define JUNIPER_EXT_TLV_OVERHEAD 2U
static const struct tok jnx_ext_tlv_values[] = {
{ JUNIPER_EXT_TLV_IFD_IDX, "Device Interface Index" },
@@ -1203,9 +1203,11 @@
tlv_len = *(tptr++);
tlv_value = 0;
- /* sanity check */
+ /* sanity checks */
if (tlv_type == 0 || tlv_len == 0)
break;
+ if (tlv_len+JUNIPER_EXT_TLV_OVERHEAD > jnx_ext_len)
+ goto trunc;
if (ndo->ndo_vflag > 1)
ND_PRINT((ndo, "\n\t %s Extension TLV #%u, length %u, value ",
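Review bot: The new check `if (tlv_len+JUNIPER_EXT_TLV_OVERHEAD > jnx_ext_len)` bounds the TLV against the length the extension header advertises for itself, not against the bytes actually captured, so it only closes the overflow if the captured length of the whole `jnx_ext_len` region was already verified (for example with an `ND_TCHECK2` on `tptr`) before the loop; that code is outside the hunk and worth confirming. The `goto trunc` path appears to report the packet as truncated (the expected output added in tests/juniper_header-heapoverflow.out starts with `[|juniper_hdr]`) even though the capture may be complete and merely malformed, so a short comment would help the next reader, e.g. `/* TLV claims more than the extension header has left: treat as truncated */`. The switch of the overhead constant to `2U` in the first hunk looks like what keeps this sum and comparison unsigned; recording that intent next to the `#define`, e.g. `/* unsigned so tlv_len + overhead compares cleanly against jnx_ext_len */`, would stop a later cleanup from dropping the suffix. The enclosing loop starts and ends outside the hunk.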
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 7e37acc..eda358a 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -399,3 +399,4 @@
stp-heapoverflow-4 stp-heapoverflow-4.pcap stp-heapoverflow-4.out -t -v -n
stp-heapoverflow-5 stp-heapoverflow-5.pcap stp-heapoverflow-5.out -t -v -n
arp-too-long-tha arp-too-long-tha.pcap arp-too-long-tha.out -t -v -n
+juniper_header-heapoverflow juniper_header-heapoverflow.pcap juniper_header-heapoverflow.out -t -v -n
diff --git a/tests/juniper_header-heapoverflow.out b/tests/juniper_header-heapoverflow.out
new file mode 100644
index 0000000..b13cfbe
--- /dev/null
+++ b/tests/juniper_header-heapoverflow.out
@@ -0,0 +1 @@
+[|juniper_hdr], length 808464432
diff --git a/tests/juniper_header-heapoverflow.pcap b/tests/juniper_header-heapoverflow.pcap
new file mode 100644
index 0000000..89cc331
--- /dev/null
+++ b/tests/juniper_header-heapoverflow.pcap
Binary files differ