The Tcpdump Group git mirrors - tcpdump/commit
CVE-2017-13048/RSVP: fix decoding of Fast Reroute objects
author Denis Ovsienko <[email protected]>
Sun, 6 Aug 2017 17:45:09 +0000 (18:45 +0100)
committer Denis Ovsienko <[email protected]>
Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
commit 3c8a2b0e91d8d8947e89384dacf6b54673083e71
tree eea9fe0ae3562b088c46a83231da62de652b068c
parent 6283c99a5196cb97399ca68f8793db6fde00b6af
CVE-2017-13048/RSVP: fix decoding of Fast Reroute objects

In rsvp_obj_print() the case block for Class-Num 205 (FAST_REROUTE) from
RFC 4090 Section 4.1 could over-read accessing the buffer contents before
making the bounds check. Rearrange those steps the correct way around.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).

print-rsvp.c
tests/TESTLIST
tests/rsvp_fast_reroute-oobr.out [new file with mode: 0644]
tests/rsvp_fast_reroute-oobr.pcap [new file with mode: 0644]
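
Added example, not tcpdump's code and not part of this commit: a stand-alone decoder for the FAST_REROUTE object body that makes both length checks before the first read of the buffer, which is the ordering the commit message describes. The names frr_decode, struct frr_obj and frr_sample are hypothetical; the field layout (C-Type 1 and the legacy C-Type 7) follows RFC 4090 Section 4.1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FRR_LEN_CTYPE1 20u  /* body bytes after the 4-byte object header */
#define FRR_LEN_CTYPE7 16u  /* legacy form, no Include-all word */

struct frr_obj {
    uint8_t  setup_prio, hold_prio, hop_limit, flags;
    uint32_t bandwidth_bits;  /* IEEE 754 float, kept as raw bits */
    uint32_t include_any, exclude_any, include_all;
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* obj_len: body length claimed by the object header; caplen: bytes really
 * present in the buffer. Returns 0 on success, -1 if body must not be read. */
int frr_decode(unsigned ctype, const uint8_t *body, size_t obj_len,
               size_t caplen, struct frr_obj *out)
{
    size_t need = ctype == 1 ? FRR_LEN_CTYPE1 : ctype == 7 ? FRR_LEN_CTYPE7 : 0;
    /* Every check comes before the first dereference of body. */
    if (need == 0 || obj_len < need || caplen < need)
        return -1;
    out->setup_prio = body[0];
    out->hold_prio = body[1];
    out->hop_limit = body[2];
    out->flags = body[3];  /* reserved byte in C-Type 7 */
    out->bandwidth_bits = be32(body + 4);
    out->include_any = be32(body + 8);
    out->exclude_any = be32(body + 12);
    out->include_all = (ctype == 1) ? be32(body + 16) : 0;
    return 0;
}

/* Constructed sample: C-Type 1 body, bandwidth bits 0x447a0000 (1000.0f). */
const uint8_t frr_sample[20] = { 7, 7, 3, 0x01, 0x44, 0x7a, 0x00, 0x00,
    0, 0, 0, 0x0f, 0, 0, 0, 0xf0, 0, 0, 0x0f, 0x00 };

int main(void)
{
    struct frr_obj o;
    printf("full=%d\n", frr_decode(1, frr_sample, 20, 20, &o));
    printf("truncated=%d\n", frr_decode(1, frr_sample, 20, 8, &o));
    return 0;
}
```

The caller passes the remaining captured bytes as caplen, so an object whose header claims 20 bytes in a capture that ends after 8 is rejected without touching the missing 12.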