CVE-2017-12997/LLDP: Don't use an 8-bit loop counter.

If you have a

	for (i = 0; i < N; i++)

loop, you'd better make sure that i is big enough to hold N - not N-1,
N.

The TLV length here is 9 bits long, not 8 bits long, so an 8-bit loop
counter will overflow and you can loop infinitely.

This fixes an infinite loop discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add tests using the capture files supplied by the reporter(s).

Clean up the output a bit while we're at it.

diff --git a/print-lldp.c b/print-lldp.c
index fbafd6d5a14af87811fa0006a34a5597749c2edd..dfdf1b94aa541c23d3e6d7a49d3afd89f6c347e0 100644 (file)
--- a/print-lldp.c
+++ b/print-lldp.c
@@ -651,7 +651,7 @@ lldp_private_8021_print(netdissect_options *ndo,
     int subtype, hexdump = FALSE;
     u_int sublen;
     u_int tval;
-    uint8_t i;
+    u_int i;
 
     if (tlv_len < 4) {
         return hexdump;
@@ -787,9 +787,9 @@ lldp_private_8021_print(netdissect_options *ndo,
         ND_PRINT((ndo, "\n\t    Application Priority Table"));
         while(i<sublen) {
                tval=*(tptr+i+5);
-               ND_PRINT((ndo, "\n\t      Priority: %d, RES: %d, Sel: %d",
-                        tval >> 5, (tval >> 3) & 0x03, (tval & 0x07)));
-               ND_PRINT((ndo, "Protocol ID: %d", EXTRACT_16BITS(tptr + i + 5)));
+               ND_PRINT((ndo, "\n\t      Priority: %u, RES: %u, Sel: %u, Protocol ID: %u",
+                        tval >> 5, (tval >> 3) & 0x03, (tval & 0x07),
+                        EXTRACT_16BITS(tptr + i + 5)));
                i=i+3;
         }
         break;

diff --git a/tests/TESTLIST b/tests/TESTLIST
index 26e8bd03f4ed3380ec001e584e2c48984b263186..5830e9aba3d76d85d21b0c8cc42d0396053cd558 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -476,6 +476,8 @@ dns_fwdptr          dns_fwdptr.pcap                 dns_fwdptr.out          -vvv -e
 isis-areaaddr-oobr-1   isis-areaaddr-oobr-1.pcap       isis-areaaddr-oobr-1.out                -vvv -e
 isis-areaaddr-oobr-2   isis-areaaddr-oobr-2.pcap       isis-areaaddr-oobr-2.out                -vvv -e
 isis-extd-ipreach-oobr isis-extd-ipreach-oobr.pcap     isis-extd-ipreach-oobr.out              -vvv -e
+lldp-infinite-loop-1   lldp-infinite-loop-1.pcap       lldp-infinite-loop-1.out                -vvv -e
+lldp-infinite-loop-2   lldp-infinite-loop-2.pcap       lldp-infinite-loop-2.out                -vvv -e
 
 # RTP tests
 # fuzzed pcap

diff --git a/tests/lldp-infinite-loop-1.out b/tests/lldp-infinite-loop-1.out
new file mode 100644 (file)
index 0000000..31ba710
--- /dev/null
+++ b/tests/lldp-infinite-loop-1.out
@@ -0,0 +1,134 @@
+08:00:27:42:ba:59 > 01:80:c2:00:00:0e, ethertype LLDP (0x88cc), length 1755: LLDP, length 1741
+       Chassis ID TLV (1), length 7
+         Subtype MAC address (4): 08:00:27:42:ba:59
+         0x0000:  0408 0027 42ba 59
+       Port ID TLV (2), length 7
+         Subtype MAC address (3): 08:00:27:42:ba:59
+         0x0000:  0308 0027 42ba 59
+       Time to Live TLV (3), length 2: TTL 120s
+         0x0000:  0078
+       Organization specific TLV (127), length 6: OUI Ethernet bridged (0x0080c2)
+         Port VLAN Id Subtype (1)
+           port vlan id (PVID): 0
+         0x0000:  0080 c201 0000
+       Organization specific TLV (127), length 7: OUI Ethernet bridged (0x0080c2)
+         Port and Protocol VLAN ID Subtype (2)
+           port and protocol vlan id (PPVID): 0, flags [supported] (0x02)
+         0x0000:  0080 c202 0200 00
+       Organization specific TLV (127), length 14: OUI Ethernet bridged (0x0080c2)
+         VLAN name Subtype (3)
+           vlan id (VID): 1
+           vlan name: default
+         0x0000:  0080 c203 0001 0764 6566 6175 6c74
+       Organization specific TLV (127), length 13: OUI Ethernet bridged (0x0080c2)
+         Protocol Identity Subtype (4)
+           protocol identity: 
+         0x0000:  0080 c204 0800 0042 4203 0080 08
+       Organization specific TLV (127), length 263: OUI Ethernet bridged (0x0080c2)
+         Application Priority Subtype (12)
+           RES: 0
+           Application Priority Table
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
+             Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
+             Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
+             Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
+             Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
+             Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
+             Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
+             Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 6, RES: 0, Sel: 2, Protocol ID: 49676
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 128
+             Priority: 0, RES: 1, Sel: 4, Protocol ID: 3072
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 4, RES: 0, Sel: 0, Protocol ID: 32962
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+             Priority: 0, RES: 0, Sel: 0, Protocol ID: 0
+         0x0000:  0080 c20c 0000 0000 0000 0000 80c2 0c00
+         0x0010:  0000 0000 0000 0080 c20c 0000 0000 0000
+         0x0020:  0000 80c2 0c00 0000 0000 0000 0080 c20c
+         0x0030:  0000 0000 0000 0000 80c2 0c00 0000 0000
+         0x0040:  0000 0080 c20c 0000 0000 0000 0000 80c2
+         0x0050:  0c00 0000 0000 0000 0080 c20c 0000 0000
+         0x0060:  0000 0000 80c2 0c00 0000 0000 0000 0080
+         0x0070:  c20c 0000 0000 0000 0000 80c2 0c00 0000
+         0x0080:  0000 0000 0080 c20c 0000 0000 0000 0000
+         0x0090:  80c2 0c00 0000 0000 0000 0080 c20c 0000
+         0x00a0:  0000 0000 0000 80c2 0c00 0000 0000 0000
+         0x00b0:  0080 c20c 0000 0000 0000 0000 80c2 0c00
+         0x00c0:  0000 0000 0000 0080 c20c 0000 0000 0000
+         0x00d0:  0000 80c2 0c00 0000 0000 0000 0080 c20c
+         0x00e0:  0000 0000 0000 0000 80c2 0c00 0000 0000
+         0x00f0:  0000 0080 c20c 0000 0000 0000 0000 80c2
+         0x0100:  0c00 0000 0000 00
+       End TLV (0), length 0

diff --git a/tests/lldp-infinite-loop-1.pcap b/tests/lldp-infinite-loop-1.pcap
new file mode 100644 (file)
index 0000000..232dbbd
Binary files /dev/null and b/tests/lldp-infinite-loop-1.pcap differ

diff --git a/tests/lldp-infinite-loop-2.out b/tests/lldp-infinite-loop-2.out
new file mode 100644 (file)
index 0000000..4016681
--- /dev/null
+++ b/tests/lldp-infinite-loop-2.out
@@ -0,0 +1,161 @@
+08:00:27:0d:f1:3c > 01:80:c2:00:00:0e, ethertype LLDP (0x88cc), length 2130: LLDP, length 2116
+       Chassis ID TLV (1), length 7
+         Subtype MAC address (4): 08:00:27:0d:f1:3c
+         0x0000:  0408 0027 0df1 3c
+       Port ID TLV (2), length 7
+         Subtype MAC address (3): 08:00:27:0d:f1:3c
+         0x0000:  0308 0027 0df1 3c
+       Time to Live TLV (3), length 2: TTL 120s
+         0x0000:  0078
+       Organization specific TLV (127), length 6: OUI Ethernet bridged (0x0080c2)
+         Port VLAN Id Subtype (1)
+           port vlan id (PVID): 1
+         0x0000:  0080 c201 0001
+       Organization specific TLV (127), length 7: OUI Ethernet bridged (0x0080c2)
+         Port and Protocol VLAN ID Subtype (2)
+           port and protocol vlan id (PPVID): 0, flags [supported] (0x02)
+         0x0000:  0080 c202 0200 00
+       Organization specific TLV (127), length 14: OUI Ethernet bridged (0x0080c2)
+         VLAN name Subtype (3)
+           vlan id (VID): 1
+           vlan name: default
+         0x0000:  0080 c203 0001 0764 6566 6175 6c74
+       Organization specific TLV (127), length 13: OUI Ethernet bridged (0x0080c2)
+         Protocol Identity Subtype (4)
+           protocol identity: 
+         0x0000:  0080 c204 0800 0042 4203 0000 03
+       Organization specific TLV (127), length 9: OUI Ethernet bridged (0x0080c2)
+         EVB Subtype (13)
+           EVB Bridge Status
+             RES: 0, BGID: 0, RRCAP: 1, RRCTR: 0
+           EVB Station Status
+             RES: 0, SGID: 0, RRREQ: 0,RRSTAT: 0
+           R: 7, RTE: 21, EVB Mode: EVB Bridge [1]
+           ROL: 0, RWD: 30, RES: 0, ROL: 0, RKA: 15
+         0x0000:  0080 c20d 0200 f55e 0f
+       Organization specific TLV (127), length 266: OUI Ethernet bridged (0x0080c2)
+         CDCP Subtype (14)
+           Role: 0, RES: 0, Scomp: 0 ChnCap: 167
+           SCID: 1, SVID: 1
+           SCID: 0, SVID: 194
+           SCID: 224, SVID: 0
+           SCID: 10, SVID: 1792
+           SCID: 256, SVID: 256
+           SCID: 12, SVID: 526
+           SCID: 0, SVID: 0
+           SCID: 2672, SVID: 16
+           SCID: 16, SVID: 0
+           SCID: 3104, SVID: 3584
+           SCID: 0, SVID: 167
+           SCID: 1, SVID: 1
+           SCID: 0, SVID: 194
+           SCID: 224, SVID: 0
+           SCID: 10, SVID: 1792
+           SCID: 256, SVID: 256
+           SCID: 12, SVID: 526
+           SCID: 0, SVID: 0
+           SCID: 2672, SVID: 16
+           SCID: 16, SVID: 0
+           SCID: 3104, SVID: 3584
+           SCID: 0, SVID: 167
+           SCID: 1, SVID: 1
+           SCID: 0, SVID: 194
+           SCID: 224, SVID: 0
+           SCID: 10, SVID: 1792
+           SCID: 256, SVID: 256
+           SCID: 12, SVID: 526
+           SCID: 0, SVID: 0
+           SCID: 2672, SVID: 16
+           SCID: 16, SVID: 0
+           SCID: 3104, SVID: 3584
+           SCID: 0, SVID: 167
+           SCID: 1, SVID: 1
+           SCID: 0, SVID: 194
+           SCID: 224, SVID: 0
+           SCID: 10, SVID: 1792
+           SCID: 256, SVID: 256
+           SCID: 12, SVID: 526
+           SCID: 0, SVID: 0
+           SCID: 2672, SVID: 16
+           SCID: 16, SVID: 0
+           SCID: 3104, SVID: 3584
+           SCID: 0, SVID: 167
+           SCID: 1, SVID: 1
+           SCID: 0, SVID: 194
+           SCID: 224, SVID: 0
+           SCID: 10, SVID: 1792
+           SCID: 256, SVID: 256
+           SCID: 12, SVID: 526
+           SCID: 0, SVID: 0
+           SCID: 2672, SVID: 16
+           SCID: 16, SVID: 0
+           SCID: 3104, SVID: 3584
+           SCID: 0, SVID: 167
+           SCID: 1, SVID: 1
+           SCID: 0, SVID: 194
+           SCID: 224, SVID: 0
+           SCID: 10, SVID: 1792
+           SCID: 256, SVID: 256
+           SCID: 12, SVID: 526
+           SCID: 0, SVID: 0
+           SCID: 2672, SVID: 16
+           SCID: 16, SVID: 0
+           SCID: 3104, SVID: 3584
+           SCID: 0, SVID: 167
+           SCID: 1, SVID: 1
+           SCID: 0, SVID: 194
+           SCID: 224, SVID: 0
+           SCID: 10, SVID: 1792
+           SCID: 256, SVID: 256
+           SCID: 12, SVID: 526
+           SCID: 0, SVID: 0
+           SCID: 2672, SVID: 16
+           SCID: 16, SVID: 0
+           SCID: 3104, SVID: 3584
+           SCID: 0, SVID: 167
+           SCID: 1, SVID: 1
+           SCID: 0, SVID: 194
+           SCID: 224, SVID: 0
+           SCID: 10, SVID: 1792
+           SCID: 256, SVID: 256
+           SCID: 12, SVID: 526
+           SCID: 0, SVID: 0
+           SCID: 2672, SVID: 16
+           SCID: 16, SVID: 0
+         0x0000:  0080 c20e 0000 00a7 0010 0100 00c2 0e00
+         0x0010:  0000 a700 1001 0000 c20e 0000 00a7 0010
+         0x0020:  0100 00c2 0e00 0000 a700 1001 0000 c20e
+         0x0030:  0000 00a7 0010 0100 00c2 0e00 0000 a700
+         0x0040:  1001 0000 c20e 0000 00a7 0010 0100 00c2
+         0x0050:  0e00 0000 a700 1001 0000 c20e 0000 00a7
+         0x0060:  0010 0100 00c2 0e00 0000 a700 1001 0000
+         0x0070:  c20e 0000 00a7 0010 0100 00c2 0e00 0000
+         0x0080:  a700 1001 0000 c20e 0000 00a7 0010 0100
+         0x0090:  00c2 0e00 0000 a700 1001 0000 c20e 0000
+         0x00a0:  00a7 0010 0100 00c2 0e00 0000 a700 1001
+         0x00b0:  0000 c20e 0000 00a7 0010 0100 00c2 0e00
+         0x00c0:  0000 a700 1001 0000 c20e 0000 00a7 0010
+         0x00d0:  0100 00c2 0e00 0000 a700 1001 0000 c20e
+         0x00e0:  0000 00a7 0010 0100 00c2 0e00 0000 a700
+         0x00f0:  1001 0000 c20e 0000 00a7 0010 0100 00c2
+         0x0100:  0e00 0000 a700 1001 0000
+       Unknown TLV (97), length 14
+         0x0000:  0000 00a7 0010 0100 00c2 0e00 0000
+       Unknown TLV (83), length 256
+         0x0000:  1001 0000 c20e 0000 00a7 0010 0100 00c2
+         0x0010:  0e00 0000 a700 1001 0000 c20e 0000 00a7
+         0x0020:  0010 0100 00c2 0e00 0000 a700 1001 0000
+         0x0030:  c20e 0000 00a7 0010 0100 00c2 0e00 0000
+         0x0040:  a700 1001 0000 c20e 0000 00a7 0010 0100
+         0x0050:  00c2 0e00 0000 a700 1001 0000 c20e 0000
+         0x0060:  00a7 0010 0100 00c2 0e00 0000 a700 1001
+         0x0070:  0000 c20e 0000 00a7 0010 0100 00c2 0e00
+         0x0080:  0000 a700 1001 0000 c20e 0000 00a7 0010
+         0x0090:  0100 00c2 0e00 0000 a700 1001 0000 c20e
+         0x00a0:  0000 00a7 0010 0100 00c2 0e00 0000 a700
+         0x00b0:  1001 0000 c20e 0000 00a7 0010 0100 00c2
+         0x00c0:  0e00 0000 a700 1001 0000 c20e 0000 00a7
+         0x00d0:  0010 0100 00c2 0e00 0000 a700 1001 0000
+         0x00e0:  c20e 0000 00a7 0010 0100 00c2 0e00 0000
+         0x00f0:  a700 1001 0000 c20e 0000 00a7 0010 0100
+       End TLV (0), length 194

diff --git a/tests/lldp-infinite-loop-2.pcap b/tests/lldp-infinite-loop-2.pcap
new file mode 100644 (file)
index 0000000..e859983
Binary files /dev/null and b/tests/lldp-infinite-loop-2.pcap differ