CVE-2016-7985,7986/fixup medsa_print()

The code in medsa_print() assumed that the MEDSA packet always follows
an Ethernet header that is inside the allocated memory buffer. But
this is not always the case, see commit 6bc4429 for rationale.

Eliminate the Ethernet header pointer and just pass on the struct
lladdr_info arguments provided.

Author: infrastation

netdissect.h

@@ -547,7 +547,7 @@ extern void lwapp_control_print(netdissect_options *, const u_char *, u_int, int
 extern void lwapp_data_print(netdissect_options *, const u_char *, u_int);
 extern void lwres_print(netdissect_options *, const u_char *, u_int);
 extern void m3ua_print(netdissect_options *, const u_char *, const u_int);
-extern void medsa_print(netdissect_options *, const u_char *, u_int, u_int);
+extern void medsa_print(netdissect_options *, const u_char *, u_int, u_int, const struct lladdr_info *, const struct lladdr_info *);
 extern u_int mfr_print(netdissect_options *, register const u_char *, u_int);
 extern void mobile_print(netdissect_options *, const u_char *, u_int);
 extern int mobility_print(netdissect_options *, const u_char *, const u_char *);

print-ether.c

@@ -439,7 +439,7 @@ ethertype_print(netdissect_options *ndo,
 		return (1);
 
 	case ETHERTYPE_MEDSA:
-		medsa_print(ndo, p, length, caplen);
+		medsa_print(ndo, p, length, caplen, src, dst);
 		return (1);
 
 	case ETHERTYPE_LAT:

print-medsa.c

@@ -138,15 +138,13 @@ medsa_print_full(netdissect_options *ndo,
 
 void
 medsa_print(netdissect_options *ndo,
-	    const u_char *bp, u_int length, u_int caplen)
+	    const u_char *bp, u_int length, u_int caplen,
+	    const struct lladdr_info *src, const struct lladdr_info *dst)
 {
-	register const struct ether_header *ep;
 	const struct medsa_pkthdr *medsa;
-	struct lladdr_info src, dst;
 	u_short ether_type;
 
 	medsa = (const struct medsa_pkthdr *)bp;
-	ep = (const struct ether_header *)(bp - sizeof(*ep));
 	ND_TCHECK(*medsa);
 
 	if (!ndo->ndo_eflag)
@@ -159,14 +157,10 @@ medsa_print(netdissect_options *ndo,
 	length -= 8;
 	caplen -= 8;
 
-	src.addr = ESRC(ep);
-	src.addr_string = etheraddr_string;
-	dst.addr = EDST(ep);
-	dst.addr_string = etheraddr_string;
 	ether_type = EXTRACT_16BITS(&medsa->ether_type);
 	if (ether_type <= ETHERMTU) {
 		/* Try to print the LLC-layer header & higher layers */
-		if (llc_print(ndo, bp, length, caplen, &src, &dst) < 0) {
+		if (llc_print(ndo, bp, length, caplen, src, dst) < 0) {
 			/* packet type not known, print raw packet */
 			if (!ndo->ndo_suppress_default_print)
 				ND_DEFAULTPRINT(bp, caplen);
@@ -177,8 +171,7 @@ medsa_print(netdissect_options *ndo,
 				  tok2str(ethertype_values, "Unknown",
 					  ether_type),
 				  ether_type));
-
-		if (ethertype_print(ndo, ether_type, bp, length, caplen, &src, &dst) == 0) {
+		if (ethertype_print(ndo, ether_type, bp, length, caplen, src, dst) == 0) {
 			/* ether_type not known, print raw packet */
 			if (!ndo->ndo_eflag)
 				ND_PRINT((ndo, "ethertype %s (0x%04x) ",