CVE-2017-13017/DHCPv6: Add a missing option length check.
authorGuy Harris <[email protected]>
Wed, 22 Mar 2017 02:40:51 +0000 (19:40 -0700)
committerDenis Ovsienko <[email protected]>
Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.

print-dhcp6.c
tests/TESTLIST
tests/dhcp6_reconf_asan.out [new file with mode: 0644]
tests/dhcp6_reconf_asan.pcap [new file with mode: 0644]

index 762d9187eb0b12cd79c8a46226460198c216fd9b..cbb6d84a0588b8204f1c930a089136925e46197f 100644 (file)
@@ -518,6 +518,10 @@ dhcp6opt_print(netdissect_options *ndo,
                        ND_PRINT((ndo, "...)"));
                        break;
                case DH6OPT_RECONF_MSG:
+                       if (optlen != 1) {
+                               ND_PRINT((ndo, " ?)"));
+                               break;
+                       }
                        tp = (const u_char *)(dh6o + 1);
                        switch (*tp) {
                        case DH6_RENEW:
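Review bot: The new guard `if (optlen != 1)` gives no hint why 1 is the only acceptable length, so a later reader cannot tell whether a longer option is a protocol violation or an unhandled extension; a comment such as `/* RFC 3315 sec. 22.19: the Reconfigure Message option carries exactly one byte, the msg-type. */` on the line above the check would record that, and it is the reason the `*tp` dereference two lines below is now safe. The body of `dhcp6opt_print` begins and ends outside this hunk, so I cannot confirm that ` ?)` is the same malformed-option marker the neighbouring cases use, but the new test output (`reconfigure-message ?`) suggests it is; if the surrounding cases use a shared "bad option" path rather than printing inline, this case should presumably follow it for consistency.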
index a56c3c9500501bbf29867f72a9bea4e2ba77a705..3f5726601b8fed1970d1079c1d0aa6c298cd3ffa 100644 (file)
@@ -518,6 +518,7 @@ esis_snpa_asan-2    esis_snpa_asan-2.pcap           esis_snpa_asan-2.out    -v
 esis_snpa_asan-3       esis_snpa_asan-3.pcap           esis_snpa_asan-3.out    -v
 esis_snpa_asan-4       esis_snpa_asan-4.pcap           esis_snpa_asan-4.out    -v
 esis_snpa_asan-5       esis_snpa_asan-5.pcap           esis_snpa_asan-5.out    -v
+dhcp6_reconf_asan      dhcp6_reconf_asan.pcap          dhcp6_reconf_asan.out   -v
 
 # RTP tests
 # fuzzed pcap
diff --git a/tests/dhcp6_reconf_asan.out b/tests/dhcp6_reconf_asan.out
new file mode 100644 (file)
index 0000000..3f39373
--- /dev/null
@@ -0,0 +1,2 @@
+IP (tos 0x60, ttl 254, id 21519, offset 0, flags [+, DF, rsvd], proto UDP (17), length 768, options (EOL), bad cksum 9615 (->c6f)!)
+    251.73.86.150.514 > 126.172.217.192.546: dhcp6 relay-reply (linkaddr=300:10ed:ff:f01:f:0:7f:7f peeraddr=ffb6:3a64::c1:2300:581c:d00 (reconfigure-message ?) (reconfigure-message ?))
diff --git a/tests/dhcp6_reconf_asan.pcap b/tests/dhcp6_reconf_asan.pcap
new file mode 100644 (file)
index 0000000..3eb6fe0
Binary files /dev/null and b/tests/dhcp6_reconf_asan.pcap differ