CVE-2017-13041/ICMP6: Add more bounds checks.
authorGuy Harris <[email protected]>
Tue, 13 Jun 2017 05:16:12 +0000 (22:16 -0700)
committerDenis Ovsienko <[email protected]>
Sun, 3 Sep 2017 23:08:58 +0000 (00:08 +0100)
This fixes a buffer over-read discovered by Kim Gwan Yeong.

Add a test using the capture file supplied by the reporter(s).

print-icmp6.c
tests/TESTLIST
tests/icmp6_nodeinfo_oobr.out [new file with mode: 0644]
tests/icmp6_nodeinfo_oobr.pcap [new file with mode: 0644]

index c481e446fa5d3cf79e6f727775b800cb8374ed65..42fe19f2988daf295e90e453c10728d60a696040 100644 (file)
@@ -1699,6 +1699,7 @@ icmp6_nodeinfo_print(netdissect_options *ndo, u_int icmp6len, const u_char *bp,
 
                needcomma = 0;
 
+               ND_TCHECK2(*dp, sizeof(*ni6));
                ni6 = (const struct icmp6_nodeinfo *)dp;
                ND_PRINT((ndo," node information reply"));
                ND_PRINT((ndo," ("));   /*)*/
@@ -1753,6 +1754,7 @@ icmp6_nodeinfo_print(netdissect_options *ndo, u_int icmp6len, const u_char *bp,
                                ND_PRINT((ndo,", "));
                        ND_PRINT((ndo,"DNS name"));
                        cp = (const u_char *)(ni6 + 1) + 4;
+                       ND_TCHECK(cp[0]);
                        if (cp[0] == ep - cp - 1) {
                                /* icmp-name-lookup-03, pascal string */
                                if (ndo->ndo_vflag)
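Review bot: The `ND_TCHECK(cp[0]);` added in the second hunk guarantees only the single length byte, so whatever the branches after `if (cp[0] == ep - cp - 1)` read through `cp` (the pascal-string bytes and the other name encoding, both outside this hunk) still needs its own check before the first dereference unless `ep` is known to be the end of the captured data rather than the declared ICMPv6 length. If it is not, a `ND_TCHECK2(cp[1], cp[0]);` at the top of the pascal-string branch would make that branch self-contained. A short comment on the new line, `/* length byte must lie in the captured data before it is compared against ep */`, would record why the check sits between the pointer computation and the comparison. The first hunk's `ND_TCHECK2(*dp, sizeof(*ni6));` is correctly placed before the cast to `icmp6_nodeinfo`; the `trunc` label the ND_TCHECK macros jump to and the rest of icmp6_nodeinfo_print lie outside both hunks.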
index f7b51c5e2be1840d9b061ebb334d3fb8e0674054..af2dcc09020bcc321fd658609f8ccfdb4380f590 100644 (file)
@@ -557,6 +557,7 @@ mlppp-oobr          mlppp-oobr.pcap                 mlppp-oobr.out
 
 # bad packets from Kim Gwan Yeong
 mptcp-dss-oobr         mptcp-dss-oobr.pcap             mptcp-dss-oobr.out      -v
+icmp6_nodeinfo_oobr    icmp6_nodeinfo_oobr.pcap        icmp6_nodeinfo_oobr.out
 
 # RTP tests
 # fuzzed pcap
diff --git a/tests/icmp6_nodeinfo_oobr.out b/tests/icmp6_nodeinfo_oobr.out
new file mode 100644 (file)
index 0000000..0856ea2
--- /dev/null
@@ -0,0 +1 @@
+IP6 a072:7f00:1:7f00:1:e01a:17:6785 > c903::a002:8018:fe30:0:204: ICMP6, who-are-you reply[|icmp6], length 4
diff --git a/tests/icmp6_nodeinfo_oobr.pcap b/tests/icmp6_nodeinfo_oobr.pcap
new file mode 100644 (file)
index 0000000..4c3ff04
Binary files /dev/null and b/tests/icmp6_nodeinfo_oobr.pcap differ