I checked for files with the copyright by Jason and found another underflow
in another file. It seems that this is an idiom of his. This seems
non-exploitable, but it allows one to underflow the length of an STP frame to
REALLY big.
From tcpdump/print-stp.c:
----->
    if (len < 3)
        goto truncated;
    if (p[0] == LLCSAP_8021D && p[1] == LLCSAP_8021D && p[2] == LLC_UI)
        printf("802.1d");
    else if (p[0] == LLCSAP_SNAP && p[1] == LLCSAP_SNAP && p[2] == LLC_UI) {
        proto = STP_PROTO_SSTP;
        printf("SSTP");
        p += 5;
        len -= 5;
<-----
Here len is checked to fit in 3 bytes, but then len is decremented by 5 bytes,
which could cause an underflow; len is now really large and p is beyond the
frame.
Best Regards,
-peter
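The length underflow described in the message above, reduced to a stand-alone C illustration (added example, not tcpdump code): one function mirrors the quoted check-then-subtract logic with an unsigned len, the other requires the 5 bytes before consuming them. The SAP/control constants and the SSTP_SKIP name are assumptions for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* LLC constants assumed for this example (standard SNAP SAP and UI control). */
#define LLCSAP_SNAP 0xaa
#define LLC_UI      0x03
#define SSTP_SKIP   5   /* bytes skipped after the SNAP header in the quoted code */

/* Mirrors the quoted logic: the only bound check is len < 3, then len -= 5.
 * With an unsigned len, 3 - 5 wraps to UINT_MAX - 1, so the returned value is
 * huge and any later "len >= X" check passes even though no bytes remain. */
static unsigned int sstp_remaining_buggy(const unsigned char *p, unsigned int len)
{
    if (len < 3)
        return 0;                       /* "goto truncated" in the original */
    if (p[0] == LLCSAP_SNAP && p[1] == LLCSAP_SNAP && p[2] == LLC_UI)
        len -= SSTP_SKIP;               /* underflows when 3 <= len < 5 */
    return len;
}

/* Hardened form: check for the bytes that will be consumed before consuming
 * them, and report truncation instead of letting len wrap. */
static bool sstp_remaining_checked(const unsigned char *p, unsigned int len,
                                   unsigned int *remaining)
{
    if (len < 3)
        return false;
    if (p[0] == LLCSAP_SNAP && p[1] == LLCSAP_SNAP && p[2] == LLC_UI) {
        if (len < SSTP_SKIP)
            return false;               /* would have underflowed */
        len -= SSTP_SKIP;
    }
    *remaining = len;
    return true;
}

int main(void)
{
    /* Constructed 3-byte frame: a SNAP header with nothing after it. */
    static const unsigned char frame[3] = { LLCSAP_SNAP, LLCSAP_SNAP, LLC_UI };
    unsigned int rem = 0;

    printf("buggy remaining length: %u\n", sstp_remaining_buggy(frame, 3));
    printf("checked: %s\n",
           sstp_remaining_checked(frame, 3, &rem) ? "ok" : "truncated");
    return 0;
}
```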