lwres: Fix an undefined behavior in pointer arithmetic

fenner · fxlb · commit b016347e5bb2 · 2023-05-02T21:13:19.000+02:00
Check for truncation before doing pointer arithmetic to point to the end of the packet. print-lwres.c:294:10: runtime error: addition of unsigned offset to 0xf3b032be overflowed to 0x9652d560 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior print-lwres.c:294:10 [Part of the PR #1012]
diff --git a/print-lwres.c b/print-lwres.c
@@ -291,7 +291,9 @@ lwres_print(netdissect_options *ndo,
 	if (ndo->ndo_vflag || v != LWRES_LWPACKETVERSION_0)
 		ND_PRINT(" v%u", v);
 	if (v != LWRES_LWPACKETVERSION_0) {
-		s = bp + GET_BE_U_4(np->length);
+		uint32_t pkt_len = GET_BE_U_4(np->length);
+		ND_TCHECK_LEN(bp, pkt_len);
+		s = bp + pkt_len;
 		goto tail;
 	}
 
diff --git a/tests/TESTLIST b/tests/TESTLIST
@@ -927,3 +927,4 @@ pb_nhrp_1			pb_nhrp_1.pcap			pb_nhrp_1.out	-v
 # Undefined behavior tests
 ip-snmp-leftshift-unsigned ip-snmp-leftshift-unsigned.pcap ip-snmp-leftshift-unsigned.out
 ip6-snmp-oid-unsigned ip6-snmp-oid-unsigned.pcap ip6-snmp-oid-unsigned.out
+lwres-pointer-arithmetic-ub lwres-pointer-arithmetic-ub.pcap lwres-pointer-arithmetic-ub.out
diff --git a/tests/lwres-pointer-arithmetic-ub.out b/tests/lwres-pointer-arithmetic-ub.out
@@ -0,0 +1 @@
+    1  14:31:29.364332 IP6 fe80:0:10ff:15:1800:1a00:0:100.921 > a00:300:115:1800:1a00:f4:100:a00.0:  lwres v41634 [|lwres]
diff --git a/tests/lwres-pointer-arithmetic-ub.pcap b/tests/lwres-pointer-arithmetic-ub.pcap

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ 1 14:31:29.364332 IP6 fe80:0:10ff:15:1800:1a00:0:100.921 > a00:300:115:1800:1a00:f4:100:a00.0: lwres v41634 [\|lwres]`