File 0003-test-case-for-cve2015-0261-corrupted-IPv6-mobility-h.patch of Package tcpdump.510

From 089ec2bd856dd17f6db62150b92ab7bb723bb31f Mon Sep 17 00:00:00 2001
From: Michael Richardson <mcr@sandelman.ca>
Date: Sun, 15 Feb 2015 21:22:11 -0500
Subject: [PATCH 3/3] test case for cve2015-0261 -- corrupted IPv6 mobility
 header backport to 4.3

---
 print-mobility.c              |   26 +++++++++++++++++++++++---
 tests/TESTLIST                |   21 +++++++++++++--------
 tests/cve2015-0261-crash.out  |    1 +
 tests/cve2015-0261-crash.pcap |  Bin 0 -> 201 bytes
 tests/cve2015-0261-ipv6.out   |    3 +++
 tests/cve2015-0261-ipv6.pcap  |  Bin 0 -> 682 bytes
 6 files changed, 40 insertions(+), 11 deletions(-)
 create mode 100644 tests/cve2015-0261-crash.out
 create mode 100644 tests/cve2015-0261-crash.pcap
 create mode 100644 tests/cve2015-0261-ipv6.out
 create mode 100644 tests/cve2015-0261-ipv6.pcap

Index: tcpdump-4.4.0/print-mobility.c
===================================================================
--- tcpdump-4.4.0.orig/print-mobility.c	2013-02-21 04:54:35.000000000 +0100
+++ tcpdump-4.4.0/print-mobility.c	2015-03-19 18:29:35.894271954 +0100
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2002 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -13,7 +13,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -74,6 +74,18 @@ struct ip6_mobility {
 #define IP6M_BINDING_UPDATE	5	/* Binding Update */
 #define IP6M_BINDING_ACK	6	/* Binding Acknowledgement */
 #define IP6M_BINDING_ERROR	7	/* Binding Error */
+#define IP6M_MAX		7
+
+static const unsigned ip6m_hdrlen[IP6M_MAX + 1] = {
+	IP6M_MINLEN,      /* IP6M_BINDING_REQUEST  */
+	IP6M_MINLEN + 8,  /* IP6M_HOME_TEST_INIT   */
+	IP6M_MINLEN + 8,  /* IP6M_CAREOF_TEST_INIT */
+	IP6M_MINLEN + 16, /* IP6M_HOME_TEST        */
+	IP6M_MINLEN + 16, /* IP6M_CAREOF_TEST      */
+	IP6M_MINLEN + 4,  /* IP6M_BINDING_UPDATE   */
+	IP6M_MINLEN + 4,  /* IP6M_BINDING_ACK      */
+	IP6M_MINLEN + 16, /* IP6M_BINDING_ERROR    */
+};
 
 /* Mobility Header Options */
 #define IP6MOPT_MINLEN		2
@@ -95,16 +107,20 @@ mobility_opt_print(const u_char *bp, int
 	int optlen;
 
 	for (i = 0; i < len; i += optlen) {
+		TCHECK(bp[i]);
 		if (bp[i] == IP6MOPT_PAD1)
 			optlen = 1;
 		else {
-			if (i + 1 < len)
+			if (i + 1 < len) {
+				TCHECK(bp[i + 1]);
 				optlen = bp[i + 1] + 2;
+			}
 			else
 				goto trunc;
 		}
 		if (i + optlen > len)
 			goto trunc;
+		TCHECK(bp[i + optlen]);
 
 		switch (bp[i]) {
 		case IP6MOPT_PAD1:
@@ -201,6 +217,10 @@ mobility_print(const u_char *bp, const u
 
 	TCHECK(mh->ip6m_type);
 	type = mh->ip6m_type;
+	if (type <= IP6M_MAX && mhlen < ip6m_hdrlen[type]) {
+                printf("(header length %u is too small for type %u)", mhlen, type);
+		goto trunc;
+	}
 	switch (type) {
 	case IP6M_BINDING_REQUEST:
 		printf("mobility: BRR");