From b2979088bc6baf8f965210f56f81e33eecfa2e1e Mon Sep 17 00:00:00 2001
From: Bill Fenner
Date: Tue, 11 Oct 2022 13:05:55 -0700
Subject: [PATCH] lwres: avoid undefined behavior in pointer arithmetic

Check for truncation before doing pointer arithmetic to point to the end of the packet.

print-lwres.c:294:10: runtime error: addition of unsigned offset to 0xf3b032be overflowed to 0x9652d560
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior print-lwres.c:294:10 in
print-lwres.c:549:29: runtime error: addition of unsigned offset to 0xf3b032be overflowed to 0x9652d560
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior print-lwres.c:549:29 in
---
 print-lwres.c | 4 +++-
 tests/TESTLIST | 1 +
 tests/lwres-pointer-arithmetic-ub.out | 1 +
 tests/lwres-pointer-arithmetic-ub.pcap | Bin 0 -> 283 bytes
 4 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 tests/lwres-pointer-arithmetic-ub.out
 create mode 100644 tests/lwres-pointer-arithmetic-ub.pcap

diff --git a/print-lwres.c b/print-lwres.c
index 1c195a4d68..664146af59 100644
--- a/print-lwres.c
+++ b/print-lwres.c
@@ -291,7 +291,9 @@ lwres_print(netdissect_options *ndo,
 	if (ndo->ndo_vflag || v != LWRES_LWPACKETVERSION_0)
 		ND_PRINT(" v%u", v);
 	if (v != LWRES_LWPACKETVERSION_0) {
-		s = bp + GET_BE_U_4(np->length);
+		uint32_t pkt_len = GET_BE_U_4(np->length);
+		ND_TCHECK_LEN(bp, pkt_len);
+		s = bp + pkt_len;
 		goto tail;
 	}
 
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 94a986e2a0..ed73632b73 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -915,3 +915,4 @@ bgp-ub bgp-ub.pcap bgp-ub.out -v
 fletcher-checksum-negative-shift fletcher-checksum-negative-shift.pcap fletcher-checksum-negative-shift.out -v
 ip-snmp-leftshift-unsigned ip-snmp-leftshift-unsigned.pcap ip-snmp-leftshift-unsigned.out
 ip6-snmp-oid-unsigned ip6-snmp-oid-unsigned.pcap ip6-snmp-oid-unsigned.out
+lwres-pointer-arithmetic-ub lwres-pointer-arithmetic-ub.pcap lwres-pointer-arithmetic-ub.out
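Review bot: The new `ND_TCHECK_LEN(bp, pkt_len)` line carries no comment explaining why it must stay ahead of `s = bp + pkt_len`, and the commit message reports a second sanitizer hit at print-lwres.c:549:29 that this hunk does not touch. I would add above the check `/* Confirm pkt_len bytes are captured before forming the end pointer: bp + pkt_len past the buffer is undefined behavior, not just a bad pointer. */` so a later cleanup does not reorder or drop it. If the line-549 site performs the same `bp + GET_BE_U_4(np->length)` arithmetic (not visible here), it presumably needs the same guard unless it is only reachable after this one; worth confirming against the sanitizer run. On failure ND_TCHECK_LEN, as defined in netdissect.h, jumps to the dissector's `trunc` label, which is what the new expected output `[|lwres]` reflects; lwres_print begins and ends outside the hunk.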
diff --git a/tests/lwres-pointer-arithmetic-ub.out b/tests/lwres-pointer-arithmetic-ub.out
new file mode 100644
index 0000000000..f4953f4b6e
--- /dev/null
+++ b/tests/lwres-pointer-arithmetic-ub.out
@@ -0,0 +1 @@
+ 1 14:31:29.364332 IP6 fe80:0:10ff:15:1800:1a00:0:100.921 > a00:300:115:1800:1a00:f4:100:a00.0: lwres v41634 [|lwres]
diff --git a/tests/lwres-pointer-arithmetic-ub.pcap b/tests/lwres-pointer-arithmetic-ub.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..095fcbcba33b7beb76835d6cb9c200bce6269905
GIT binary patch
literal 283
zcmca|c+)~A1{MYw`2U}Qff2|#Xl0(H)6dHA8OR3V|6nj_g7aO2*0#F|KoN#WL5F`0
z3=9JQ8AK%*q<{j93|tJ%42%%o7cg%o0|Vb8G6B#$MhQ31nGj=xNCGeigS>+ZSW@zH
ijhIVvQlP^B|1mMMumaUFG4KIxWCq#DAgE;Q5()q~>Rspn

literal 0
HcmV?d00001