CVE-2016-7940/Add a bunch of bounds checks, and fix some printing.

The bounds checks fix some heap overflows found with American Fuzzy Lop
by Hanno Böck.

Add some ND_TTEST_/ND_TCHECK_ macros to extract.h to simplify writing
bounds checks for code that uses the other macros in that file.

Fix the printing of the SPB BPDU agreement digest - I don't think the
intent was to print the value of the first 4 bytes, that value + 4, that
value + 8, etc.; I suspect it was to print the first 4 bytes, the next 4
bytes, etc.
diff --git a/extract.h b/extract.h
index f0c4570..23623c2 100644
--- a/extract.h
+++ b/extract.h
@@ -215,3 +215,30 @@
 	            ((uint64_t)(*((const uint8_t *)(p) + 2)) << 16) | \
 	            ((uint64_t)(*((const uint8_t *)(p) + 1)) << 8) | \
 	            ((uint64_t)(*((const uint8_t *)(p) + 0)) << 0)))
+
+/*
+ * Macros to check the presence of the values in question.
+ */
+#define ND_TTEST_8BITS(p) ND_TTEST2(*(p), 1)
+#define ND_TCHECK_8BITS(p) ND_TCHECK2(*(p), 1)
+
+#define ND_TTEST_16BITS(p) ND_TTEST2(*(p), 2)
+#define ND_TCHECK_16BITS(p) ND_TCHECK2(*(p), 2)
+
+#define ND_TTEST_24BITS(p) ND_TTEST2(*(p), 3)
+#define ND_TCHECK_24BITS(p) ND_TCHECK2(*(p), 3)
+
+#define ND_TTEST_32BITS(p) ND_TTEST2(*(p), 4)
+#define ND_TCHECK_32BITS(p) ND_TCHECK2(*(p), 4)
+
+#define ND_TTEST_40BITS(p) ND_TTEST2(*(p), 5)
+#define ND_TCHECK_40BITS(p) ND_TCHECK2(*(p), 5)
+
+#define ND_TTEST_48BITS(p) ND_TTEST2(*(p), 6)
+#define ND_TCHECK_48BITS(p) ND_TCHECK2(*(p), 6)
+
+#define ND_TTEST_56BITS(p) ND_TTEST2(*(p), 7)
+#define ND_TCHECK_56BITS(p) ND_TCHECK2(*(p), 7)
+
+#define ND_TTEST_64BITS(p) ND_TTEST2(*(p), 8)
+#define ND_TCHECK_64BITS(p) ND_TCHECK2(*(p), 8)
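Review bot: The block comment above the new macros does not state their contract, which matters because they are meant to be paired with the EXTRACT_ macros by hand. Since they expand to ND_TTEST2/ND_TCHECK2 (defined elsewhere in the tree), the ND_TCHECK_ forms presumably jump to a `trunc` label and both forms need `ndo` in scope; the callers in print-stp.c in this same diff are consistent with that. I would extend the comment to something like `/* ND_TTEST_nBITS(p) is true if the n/8 bytes at p were captured; ND_TCHECK_nBITS(p) does "goto trunc" otherwise. Pass the same pointer expression that the following EXTRACT_nBITS() uses. */`. The last sentence is the important one: the check protects nothing if its pointer expression drifts from the one in the extraction.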
diff --git a/print-stp.c b/print-stp.c
index f083029..953715b 100644
--- a/print-stp.c
+++ b/print-stp.c
@@ -84,6 +84,8 @@
     { 0, NULL}
 };
 
+#define ND_TCHECK_BRIDGE_ID(p) ND_TCHECK2(*(p), 8)
+
 static char *
 stp_print_bridge_id(const u_char *p)
 {
@@ -96,22 +98,25 @@
     return bridge_id_str;
 }
 
-static void
+static int
 stp_print_config_bpdu(netdissect_options *ndo, const struct stp_bpdu_ *stp_bpdu,
                       u_int length)
 {
+    ND_TCHECK(stp_bpdu->flags);
     ND_PRINT((ndo, ", Flags [%s]",
            bittok2str(stp_bpdu_flag_values, "none", stp_bpdu->flags)));
 
+    ND_TCHECK(stp_bpdu->port_id);
     ND_PRINT((ndo, ", bridge-id %s.%04x, length %u",
            stp_print_bridge_id((const u_char *)&stp_bpdu->bridge_id),
            EXTRACT_16BITS(&stp_bpdu->port_id), length));
 
     /* in non-verbose mode just print the bridge-id */
     if (!ndo->ndo_vflag) {
-        return;
+        return 1;
     }
 
+    ND_TCHECK(stp_bpdu->forward_delay);
     ND_PRINT((ndo, "\n\tmessage-age %.2fs, max-age %.2fs"
            ", hello-time %.2fs, forwarding-delay %.2fs",
            (float)EXTRACT_16BITS(&stp_bpdu->message_age) / STP_TIME_BASE,
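Review bot: The checks added to stp_print_config_bpdu guard more fields than they name, and nothing in the code says so. `ND_TCHECK(stp_bpdu->port_id)` is the only check in front of the `bridge_id` read two lines later, and `ND_TCHECK(stp_bpdu->forward_delay)` is the only one in front of `message_age` and the other timer fields in the same print. That is sound only while those fields precede the checked field in struct stp_bpdu_, which is declared outside this diff. A comment such as `/* port_id is the last field read below; checking it also covers bridge_id, which precedes it in struct stp_bpdu_ */` would keep a later reordering or an added field from silently losing its guard. The function body continues past the end of this hunk.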
@@ -129,6 +134,10 @@
                tok2str(rstp_obj_port_role_values, "Unknown",
                        RSTP_EXTRACT_PORT_ROLE(stp_bpdu->flags))));
     }
+    return 1;
+
+trunc:
+    return 0;
 }
 
 /*
@@ -227,7 +236,7 @@
 #define SPB_BPDU_AGREEMENT_DIGEST_OFFSET  SPB_BPDU_AGREEMENT_RES2_OFFSET + 4
 
 
-static void
+static int
 stp_print_mstp_bpdu(netdissect_options *ndo, const struct stp_bpdu_ *stp_bpdu,
                     u_int length)
 {
@@ -245,22 +254,26 @@
      * in non-verbose mode just print the flags.
      */
     if (!ndo->ndo_vflag) {
-        return;
+        return 1;
     }
 
     ND_PRINT((ndo, "\n\tport-role %s, ",
            tok2str(rstp_obj_port_role_values, "Unknown",
                    RSTP_EXTRACT_PORT_ROLE(stp_bpdu->flags))));
 
+    ND_TCHECK(stp_bpdu->root_path_cost);
     ND_PRINT((ndo, "CIST root-id %s, CIST ext-pathcost %u ",
            stp_print_bridge_id((const u_char *)&stp_bpdu->root_id),
            EXTRACT_32BITS(&stp_bpdu->root_path_cost)));
 
+    ND_TCHECK(stp_bpdu->bridge_id);
     ND_PRINT((ndo, "\n\tCIST regional-root-id %s, ",
            stp_print_bridge_id((const u_char *)&stp_bpdu->bridge_id)));
 
+    ND_TCHECK(stp_bpdu->port_id);
     ND_PRINT((ndo, "CIST port-id %04x, ", EXTRACT_16BITS(&stp_bpdu->port_id)));
 
+    ND_TCHECK(stp_bpdu->forward_delay);
     ND_PRINT((ndo, "\n\tmessage-age %.2fs, max-age %.2fs"
            ", hello-time %.2fs, forwarding-delay %.2fs",
            (float)EXTRACT_16BITS(&stp_bpdu->message_age) / STP_TIME_BASE,
@@ -268,7 +281,9 @@
            (float)EXTRACT_16BITS(&stp_bpdu->hello_time) / STP_TIME_BASE,
            (float)EXTRACT_16BITS(&stp_bpdu->forward_delay) / STP_TIME_BASE));
 
+    ND_TCHECK_16BITS(ptr + MST_BPDU_VER3_LEN_OFFSET);
     ND_PRINT((ndo, "\n\tv3len %d, ", EXTRACT_16BITS(ptr + MST_BPDU_VER3_LEN_OFFSET)));
+    ND_TCHECK_32BITS(ptr + MST_BPDU_CONFIG_DIGEST_OFFSET + 12);
     ND_PRINT((ndo, "MCID Name %s, rev %u, "
             "\n\t\tdigest %08x%08x%08x%08x, ",
             ptr + MST_BPDU_CONFIG_NAME_OFFSET,
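Review bot: The `%s` conversion fed with `ptr + MST_BPDU_CONFIG_NAME_OFFSET` in the "MCID Name" print is still unbounded after this change. The added `ND_TCHECK_32BITS(ptr + MST_BPDU_CONFIG_DIGEST_OFFSET + 12)` shows that the fixed-width fields were captured, but `%s` keeps reading until it meets a NUL byte, which the packet need not contain, and it writes the bytes to the output unescaped. Print the name through the length-limited, escaping helper instead: `ND_PRINT((ndo, "MCID Name "));` followed by `if (fn_printzp(ndo, ptr + MST_BPDU_CONFIG_NAME_OFFSET, NAME_FIELD_LEN, ndo->ndo_snapend)) goto trunc;`, where NAME_FIELD_LEN is a placeholder for the field width. The same pattern appears in stp_print_spb_bpdu ("AUXMCID Name %s" with `ptr + offset + SPB_BPDU_CONFIG_NAME_OFFSET`). The ND_PRINT statement continues past the end of this hunk.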
@@ -278,20 +293,26 @@
 	          EXTRACT_32BITS(ptr + MST_BPDU_CONFIG_DIGEST_OFFSET + 8),
 	          EXTRACT_32BITS(ptr + MST_BPDU_CONFIG_DIGEST_OFFSET + 12)));
 
+    ND_TCHECK_32BITS(ptr + MST_BPDU_CIST_INT_PATH_COST_OFFSET);
     ND_PRINT((ndo, "CIST int-root-pathcost %u, ",
             EXTRACT_32BITS(ptr + MST_BPDU_CIST_INT_PATH_COST_OFFSET)));
 
+    ND_TCHECK_BRIDGE_ID(ptr + MST_BPDU_CIST_BRIDGE_ID_OFFSET);
     ND_PRINT((ndo, "\n\tCIST bridge-id %s, ",
            stp_print_bridge_id(ptr + MST_BPDU_CIST_BRIDGE_ID_OFFSET)));
 
+    ND_TCHECK(ptr[MST_BPDU_CIST_REMAIN_HOPS_OFFSET]);
     ND_PRINT((ndo, "CIST remaining-hops %d", ptr[MST_BPDU_CIST_REMAIN_HOPS_OFFSET]));
 
     /* Dump all MSTI's */
+    ND_TCHECK_16BITS(ptr + MST_BPDU_VER3_LEN_OFFSET);
     v3len = EXTRACT_16BITS(ptr + MST_BPDU_VER3_LEN_OFFSET);
     if (v3len > MST_BPDU_CONFIG_INFO_LENGTH) {
         len = v3len - MST_BPDU_CONFIG_INFO_LENGTH;
         offset = MST_BPDU_MSTI_OFFSET;
         while (len >= MST_BPDU_MSTI_LENGTH) {
+            ND_TCHECK2(*(ptr + offset), MST_BPDU_MSTI_LENGTH);
+
             msti = EXTRACT_16BITS(ptr + offset +
                                   MST_BPDU_MSTI_ROOT_PRIO_OFFSET);
             msti = msti & 0x0FFF;
@@ -314,9 +335,13 @@
             offset += MST_BPDU_MSTI_LENGTH;
         }
     }
+    return 1;
+
+trunc:
+    return 0;
 }
 
-static void
+static int
 stp_print_spb_bpdu(netdissect_options *ndo, const struct stp_bpdu_ *stp_bpdu,
                    u_int offset)
 {
@@ -326,10 +351,13 @@
      * in non-verbose mode don't print anything.
      */
     if (!ndo->ndo_vflag) {
-        return;
+        return 1;
     }
 
     ptr = (const u_char *)stp_bpdu;
+    if (!ND_TTEST_32BITS(ptr + offset + SPB_BPDU_AGREEMENT_DIGEST_OFFSET+16))
+        return 0;
+
     ND_PRINT((ndo, "\n\tv4len %d AUXMCID Name %s, Rev %u, \n\t\tdigest %08x%08x%08x%08x",
             EXTRACT_16BITS (ptr + offset),
             ptr + offset + SPB_BPDU_CONFIG_NAME_OFFSET,
@@ -353,10 +381,11 @@
             ptr[offset + SPB_BPDU_AGREEMENT_CON_OFFSET]&0x00ff,
             EXTRACT_16BITS(ptr + offset + SPB_BPDU_AGREEMENT_EDGE_OFFSET),
             EXTRACT_32BITS(ptr + offset + SPB_BPDU_AGREEMENT_DIGEST_OFFSET),
-            EXTRACT_32BITS(ptr + offset + SPB_BPDU_AGREEMENT_DIGEST_OFFSET)+4,
-            EXTRACT_32BITS(ptr + offset + SPB_BPDU_AGREEMENT_DIGEST_OFFSET)+8,
-            EXTRACT_32BITS(ptr + offset + SPB_BPDU_AGREEMENT_DIGEST_OFFSET)+12,
-            EXTRACT_32BITS(ptr + offset + SPB_BPDU_AGREEMENT_DIGEST_OFFSET)+16));
+            EXTRACT_32BITS(ptr + offset + SPB_BPDU_AGREEMENT_DIGEST_OFFSET+4),
+            EXTRACT_32BITS(ptr + offset + SPB_BPDU_AGREEMENT_DIGEST_OFFSET+8),
+            EXTRACT_32BITS(ptr + offset + SPB_BPDU_AGREEMENT_DIGEST_OFFSET+12),
+            EXTRACT_32BITS(ptr + offset + SPB_BPDU_AGREEMENT_DIGEST_OFFSET+16)));
+    return 1;
 }
 
 /*
@@ -375,11 +404,13 @@
     if (length < 4)
         goto trunc;
 
+    ND_TCHECK(stp_bpdu->protocol_id);
     if (EXTRACT_16BITS(&stp_bpdu->protocol_id)) {
         ND_PRINT((ndo, "unknown STP version, length %u", length));
         return;
     }
 
+    ND_TCHECK(stp_bpdu->protocol_version);
     ND_PRINT((ndo, "STP %s", tok2str(stp_proto_values, "Unknown STP protocol (0x%02x)",
                          stp_bpdu->protocol_version)));
 
@@ -393,6 +424,7 @@
         return;
     }
 
+    ND_TCHECK(stp_bpdu->bpdu_type);
     ND_PRINT((ndo, ", %s", tok2str(stp_bpdu_type_values, "Unknown BPDU Type (0x%02x)",
                            stp_bpdu->bpdu_type)));
 
@@ -401,7 +433,8 @@
         if (length < sizeof(struct stp_bpdu_) - 1) {
             goto trunc;
         }
-        stp_print_config_bpdu(ndo, stp_bpdu, length);
+        if (!stp_print_config_bpdu(ndo, stp_bpdu, length))
+            goto trunc;
         break;
 
     case STP_BPDU_TYPE_RSTP:
@@ -409,25 +442,29 @@
             if (length < sizeof(struct stp_bpdu_)) {
                 goto trunc;
             }
-            stp_print_config_bpdu(ndo, stp_bpdu, length);
+            if (!stp_print_config_bpdu(ndo, stp_bpdu, length))
+                goto trunc;
         } else if (stp_bpdu->protocol_version == STP_PROTO_MSTP ||
                    stp_bpdu->protocol_version == STP_PROTO_SPB) {
             if (length < STP_BPDU_MSTP_MIN_LEN) {
                 goto trunc;
             }
 
+            ND_TCHECK(stp_bpdu->v1_length);
             if (stp_bpdu->v1_length != 0) {
                 /* FIX ME: Emit a message here ? */
                 goto trunc;
             }
 
             /* Validate v3 length */
+            ND_TCHECK_16BITS(p + MST_BPDU_VER3_LEN_OFFSET);
             mstp_len = EXTRACT_16BITS(p + MST_BPDU_VER3_LEN_OFFSET);
             mstp_len += 2;  /* length encoding itself is 2 bytes */
             if (length < (sizeof(struct stp_bpdu_) + mstp_len)) {
                 goto trunc;
             }
-            stp_print_mstp_bpdu(ndo, stp_bpdu, length);
+            if (!stp_print_mstp_bpdu(ndo, stp_bpdu, length))
+                goto trunc;
 
             if (stp_bpdu->protocol_version == STP_PROTO_SPB)
             {
@@ -438,7 +475,8 @@
                   spb_len < SPB_BPDU_MIN_LEN) {
                 goto trunc;
               }
-              stp_print_spb_bpdu(ndo, stp_bpdu, (sizeof(struct stp_bpdu_) + mstp_len));
+              if (!stp_print_spb_bpdu(ndo, stp_bpdu, (sizeof(struct stp_bpdu_) + mstp_len)))
+                goto trunc;
             }
         }
         break;
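Review bot: The read that produces `spb_len` sits just above this hunk, and no hunk in this diff adds a check in front of it, so the v4 length appears to be extracted from the packet without a bounds check; please confirm against the full file. The `length < ...` comparison that follows is presumably against the on-wire length, which does not show that the two length bytes were actually captured. stp_print_mstp_bpdu returns early in non-verbose mode, so its checks cannot be relied on to have covered that offset. If the read is unguarded, add `ND_TCHECK_16BITS(<same pointer as the spb_len EXTRACT_16BITS>);` immediately before it, mirroring what this commit does for `mstp_len`.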
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 2d8ecdf..b625843 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -393,3 +393,8 @@
 aarp-heapoverflow-2	aarp-heapoverflow-2.pcap	aarp-heapoverflow-2.out	-t -v -n
 mpls-label-heapoverflow	mpls-label-heapoverflow.pcap	mpls-label-heapoverflow.out	-t -v -n
 bad-ipv4-version-pgm-heapoverflow	bad-ipv4-version-pgm-heapoverflow.pcap	bad-ipv4-version-pgm-heapoverflow.out	-t -v -n
+stp-heapoverflow-1	stp-heapoverflow-1.pcap	stp-heapoverflow-1.out	-t -v -n
+stp-heapoverflow-2	stp-heapoverflow-2.pcap	stp-heapoverflow-2.out	-t -v -n
+stp-heapoverflow-3	stp-heapoverflow-3.pcap	stp-heapoverflow-3.out	-t -v -n
+stp-heapoverflow-4	stp-heapoverflow-4.pcap	stp-heapoverflow-4.out	-t -v -n
+stp-heapoverflow-5	stp-heapoverflow-5.pcap	stp-heapoverflow-5.out	-t -v -n
diff --git a/tests/stp-heapoverflow-1.out b/tests/stp-heapoverflow-1.out
new file mode 100644
index 0000000..f4cc053
--- /dev/null
+++ b/tests/stp-heapoverflow-1.out
@@ -0,0 +1,27 @@
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 30                             00000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 30                             00000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 30                             00000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 30                             00000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 30                             00000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 30                             00000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 30                             00000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 30                             00000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 30                             00000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 30                             00000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 30                             00000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 30                             00000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 30                             00000
+[|stp 808464415]
diff --git a/tests/stp-heapoverflow-1.pcap b/tests/stp-heapoverflow-1.pcap
new file mode 100644
index 0000000..0676585
--- /dev/null
+++ b/tests/stp-heapoverflow-1.pcap
Binary files differ
diff --git a/tests/stp-heapoverflow-2.out b/tests/stp-heapoverflow-2.out
new file mode 100644
index 0000000..17dc5ef
--- /dev/null
+++ b/tests/stp-heapoverflow-2.out
@@ -0,0 +1,27 @@
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+STP 802.1d[|stp 808464415]
diff --git a/tests/stp-heapoverflow-2.pcap b/tests/stp-heapoverflow-2.pcap
new file mode 100644
index 0000000..c1ed6b0
--- /dev/null
+++ b/tests/stp-heapoverflow-2.pcap
Binary files differ
diff --git a/tests/stp-heapoverflow-3.out b/tests/stp-heapoverflow-3.out
new file mode 100644
index 0000000..273a0df
--- /dev/null
+++ b/tests/stp-heapoverflow-3.out
@@ -0,0 +1,27 @@
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 30                                  000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 30                                  000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 30                                  000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 30                                  000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 30                                  000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 30                                  000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 30                                  000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 30                                  000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 30                                  000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 30                                  000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 30                                  000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 30                                  000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 30                                  000
+[|stp 808464415]
diff --git a/tests/stp-heapoverflow-3.pcap b/tests/stp-heapoverflow-3.pcap
new file mode 100644
index 0000000..3814800
--- /dev/null
+++ b/tests/stp-heapoverflow-3.pcap
Binary files differ
diff --git a/tests/stp-heapoverflow-4.out b/tests/stp-heapoverflow-4.out
new file mode 100644
index 0000000..f2c3258
--- /dev/null
+++ b/tests/stp-heapoverflow-4.out
@@ -0,0 +1,27 @@
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030 3030                      00000000
+STP 802.1d, Config, Flags [Learn, Forward][|stp 808464415]
diff --git a/tests/stp-heapoverflow-4.pcap b/tests/stp-heapoverflow-4.pcap
new file mode 100644
index 0000000..060f300
--- /dev/null
+++ b/tests/stp-heapoverflow-4.pcap
Binary files differ
diff --git a/tests/stp-heapoverflow-5.out b/tests/stp-heapoverflow-5.out
new file mode 100644
index 0000000..17dc5ef
--- /dev/null
+++ b/tests/stp-heapoverflow-5.out
@@ -0,0 +1,27 @@
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+	0x0000:  3030 3030 3030                           000000
+STP 802.1d[|stp 808464415]
diff --git a/tests/stp-heapoverflow-5.pcap b/tests/stp-heapoverflow-5.pcap
new file mode 100644
index 0000000..c1ed6b0
--- /dev/null
+++ b/tests/stp-heapoverflow-5.pcap
Binary files differ