The Tcpdump Group git mirrors - tcpdump/commit
CVE-2017-5204/IPv6: fix header printing
author Denis Ovsienko <[email protected]>
Mon, 9 Jan 2017 01:01:46 +0000 (01:01 +0000)
committer Francois-Xavier Le Bail <[email protected]>
Wed, 18 Jan 2017 08:16:41 +0000 (09:16 +0100)
commit d6913f7e3fc6d3084ab64d179853468e58cdca4b
tree b0bb70ea32ca1559d09935768849a2fa91ff5a1a
parent 909fb30769e92d3f432b41d3eea3c0623bc03c84
CVE-2017-5204/IPv6: fix header printing

Add a few checks to ip6_print() to make it stop decoding the IPv6
headers immediately when the header-specific functions signal an error
condition. Without this it tried to fetch the next header selector for
the next round regardless and could run outside of the allocated packet
space on a specially crafted IPv6 packet.

Brian Carpenter has demonstrated this for the Hop-by-Hop Options header.
Fix that specific case and also the Destination Options and Fragment
header processing as those use the same logic.
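The commit message describes a pattern worth seeing in isolation: a parser walks a chain of IPv6 extension headers, and every per-header routine must report "does not fit" so that the walker stops before reading the Next Header selector of a header that was never validated. The following is an added, self-contained illustration of that defensive walk; it is not tcpdump's ip6_print() and does not reproduce the project's code. The header handlers are simplified to length validation only (Hop-by-Hop and Destination Options carry their size in 8-octet units, the Fragment header is a fixed 8 octets), and the two packet buffers are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* IPv6 Next Header values used by the example. */
enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_FRAGMENT = 44, NH_NONE = 59, NH_DSTOPTS = 60 };

/*
 * Each handler returns the number of octets the header occupies, or -1 if
 * the header does not fit in the bytes that remain. A caller must treat -1
 * as "stop decoding": nothing inside that header, its Next Header field
 * included, has been validated.
 */
static int opts_hdr_len(const uint8_t *p, size_t avail)
{
    if (avail < 2)
        return -1;                          /* Next Header and Hdr Ext Len not readable */
    size_t len = ((size_t)p[1] + 1) * 8;    /* Hdr Ext Len excludes the first 8 octets */
    if (len > avail)
        return -1;                          /* declared length overruns the buffer */
    return (int)len;
}

static int frag_hdr_len(const uint8_t *p, size_t avail)
{
    (void)p;
    return avail < 8 ? -1 : 8;              /* Fragment header is always 8 octets */
}

/*
 * Walk the extension-header chain starting with selector `nh`.
 * Returns the upper-layer protocol number reached, or -1 when a header
 * is truncated. On return, *consumed holds the validated byte count.
 * The Next Header selector is read only after the handler confirmed
 * the header fits, which is the check the commit message describes.
 */
int walk_ipv6_ext_headers(const uint8_t *pkt, size_t len, int nh, size_t *consumed)
{
    size_t off = 0;
    for (;;) {
        int hlen;
        switch (nh) {
        case NH_HOPOPTS:
        case NH_DSTOPTS:
            hlen = opts_hdr_len(pkt + off, len - off);
            break;
        case NH_FRAGMENT:
            hlen = frag_hdr_len(pkt + off, len - off);
            break;
        default:                            /* not an extension header: chain ends here */
            if (consumed) *consumed = off;
            return nh;
        }
        if (hlen < 0) {                     /* handler signalled an error: stop, do not */
            if (consumed) *consumed = off;  /* fetch the next selector from pkt[off]    */
            return -1;
        }
        nh = pkt[off];                      /* safe: the handler validated >= 2 octets */
        off += (size_t)hlen;
    }
}

/* Constructed sample: Hop-by-Hop (next=44, PadN) -> Fragment (next=6) -> TCP payload. */
static const uint8_t sample_chain[] = {
    /* Hop-by-Hop Options, 8 octets */ 44, 0, 1, 4, 0, 0, 0, 0,
    /* Fragment header,     8 octets */  6, 0, 0, 0, 0, 0, 0, 1,
};

/* Constructed sample: Hop-by-Hop header declaring 24 octets with only 8 present. */
static const uint8_t sample_overlong[] = { 44, 2, 1, 4, 0, 0, 0, 0 };

int demo_complete(size_t *consumed)
{
    return walk_ipv6_ext_headers(sample_chain, sizeof sample_chain, NH_HOPOPTS, consumed);
}

/* Same chain cut to 10 octets: the Fragment header no longer fits. */
int demo_truncated(size_t *consumed)
{
    return walk_ipv6_ext_headers(sample_chain, 10, NH_HOPOPTS, consumed);
}

int demo_overlong(size_t *consumed)
{
    return walk_ipv6_ext_headers(sample_overlong, sizeof sample_overlong, NH_HOPOPTS, consumed);
}

int main(void)
{
    size_t used;
    printf("complete : proto %d after %zu octets\n", demo_complete(&used), used);
    printf("truncated: proto %d after %zu octets\n", demo_truncated(&used), used);
    printf("overlong : proto %d after %zu octets\n", demo_overlong(&used), used);
    return 0;
}
```

The important line is the `hlen < 0` branch: the walker returns before `pkt[off]` is touched, so a header whose declared length exceeds the captured bytes cannot steer the loop into a read past the buffer. A regression capture like the `ipv6hdr-heapoverflow.pcap` added by this commit is the natural way to keep such a check from being lost again.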
print-ip6.c
tests/TESTLIST
tests/ipv6hdr-heapoverflow-v.out [new file with mode: 0644]
tests/ipv6hdr-heapoverflow.out [new file with mode: 0644]
tests/ipv6hdr-heapoverflow.pcap [new file with mode: 0644]