]> The Tcpdump Group git mirrors - tcpdump/commitdiff
projects / tcpdump / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2d26a39)
test case for cve2015-0261 -- corrupted IPv6 mobility header
authorMichael Richardson <[email protected]>
Mon, 16 Feb 2015 02:22:11 +0000 (21:22 -0500)
committerGuy Harris <[email protected]>
Wed, 11 Mar 2015 06:15:50 +0000 (23:15 -0700)
Author:    Michael Richardson <[email protected]>

print-mobility.c patch | blob | history
tests/TESTLIST patch | blob | history
tests/cve2015-0261-crash.out [new file with mode: 0644] patch | blob
tests/cve2015-0261-crash.pcap [new file with mode: 0644] patch | blob
tests/cve2015-0261-ipv6.out [new file with mode: 0644] patch | blob
tests/cve2015-0261-ipv6.pcap [new file with mode: 0644] patch | blob

diff --git a/print-mobility.c b/print-mobility.c
index 83447cff15d4190f904af197f564d013168622a8..b6fa61e9dc747463a10cd1c5a7f75f84f171320f 100644 (file)
--- a/print-mobility.c
+++ b/print-mobility.c
@@ -69,6 +69,18 @@ struct ip6_mobility {
 #define IP6M_BINDING_UPDATE    5       /* Binding Update */
 #define IP6M_BINDING_ACK       6       /* Binding Acknowledgement */
 #define IP6M_BINDING_ERROR     7       /* Binding Error */
+#define IP6M_MAX               7
+
+static const unsigned ip6m_hdrlen[IP6M_MAX + 1] = {
+       IP6M_MINLEN,      /* IP6M_BINDING_REQUEST  */
+       IP6M_MINLEN + 8,  /* IP6M_HOME_TEST_INIT   */
+       IP6M_MINLEN + 8,  /* IP6M_CAREOF_TEST_INIT */
+       IP6M_MINLEN + 16, /* IP6M_HOME_TEST        */
+       IP6M_MINLEN + 16, /* IP6M_CAREOF_TEST      */
+       IP6M_MINLEN + 4,  /* IP6M_BINDING_UPDATE   */
+       IP6M_MINLEN + 4,  /* IP6M_BINDING_ACK      */
+       IP6M_MINLEN + 16, /* IP6M_BINDING_ERROR    */
+};
 
 /* XXX: unused */
 #define IP6MOPT_BU_MINLEN      10
@@ -95,16 +107,20 @@ mobility_opt_print(netdissect_options *ndo,
        unsigned i, optlen;
 
        for (i = 0; i < len; i += optlen) {
+               ND_TCHECK(bp[i]);
                if (bp[i] == IP6MOPT_PAD1)
                        optlen = 1;
                else {
-                       if (i + 1 < len)
+                       if (i + 1 < len) {
+                               ND_TCHECK(bp[i + 1]);
                                optlen = bp[i + 1] + 2;
+                       }
                        else
                                goto trunc;
                }
                if (i + optlen > len)
                        goto trunc;
+               ND_TCHECK(bp[i + optlen]);
 
                switch (bp[i]) {
                case IP6MOPT_PAD1:
@@ -203,6 +219,10 @@ mobility_print(netdissect_options *ndo,
 
        ND_TCHECK(mh->ip6m_type);
        type = mh->ip6m_type;
+       if (type <= IP6M_MAX && mhlen < ip6m_hdrlen[type]) {
+               ND_PRINT((ndo, "(header length %u is too small for type %u)", mhlen, type));
+               goto trunc;
+       }
        switch (type) {
        case IP6M_BINDING_REQUEST:
                ND_PRINT((ndo, "mobility: BRR"));
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 472468c523a6df76036cc4ad03b57557d718c6ac..788d532d140c968d37d759f262b79e20002cb16b 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -267,3 +267,17 @@ geneve-tcp geneve.pcap             geneve-tcp.out  -t "geneve && tcp"
 # DHCP tests
 dhcp-rfc3004   dhcp-rfc3004.pcap       dhcp-rfc3004-v.out      -t -v
 dhcp-rfc5859   dhcp-rfc5859.pcap       dhcp-rfc5859-v.out      -t -v
+
+# bad packets from Kevin Day
+kday1           kday1.pcap              kday1.out       -t -v
+kday2           kday2.pcap              kday2.out       -t -v
+kday3           kday3.pcap              kday3.out       -t -v
+kday4           kday4.pcap              kday4.out       -t -v
+kday5           kday5.pcap              kday5.out       -t -v
+kday6           kday6.pcap              kday6.out       -t -v
+kday7           kday7.pcap              kday7.out       -t -v
+kday8           kday8.pcap              kday8.out       -t -v
+
+# bad packets from reversex86.
+cve2015-0261_01    cve2015-0261-ipv6.pcap       cve2015-0261-ipv6.out -t -v
+cve2015-0261_02    cve2015-0261-crash.pcap      cve2015-0261-crash.out -t -v
diff --git a/tests/cve2015-0261-crash.out b/tests/cve2015-0261-crash.out
new file mode 100644 (file)
index 0000000..1946280
--- /dev/null
+++ b/tests/cve2015-0261-crash.out
@@ -0,0 +1 @@
+IP6 (class 0x03, flowlabel 0x03030, hlim 48, next-header Options (0) payload length: 12336) 3030:3030:3030:3030:3030:3030:3030:3030 > 130:3030:3030:3030:3030:3030:3030:3030: HBH [trunc] (header length 8 is too small for type 1)[|MOBILITY]
diff --git a/tests/cve2015-0261-crash.pcap b/tests/cve2015-0261-crash.pcap
new file mode 100644 (file)
index 0000000..c876c1f
Binary files /dev/null and b/tests/cve2015-0261-crash.pcap differ
diff --git a/tests/cve2015-0261-ipv6.out b/tests/cve2015-0261-ipv6.out
new file mode 100644 (file)
index 0000000..5edcdda
--- /dev/null
+++ b/tests/cve2015-0261-ipv6.out
@@ -0,0 +1 @@
+EXIT CODE 00000100
diff --git a/tests/cve2015-0261-ipv6.pcap b/tests/cve2015-0261-ipv6.pcap
new file mode 100644 (file)
index 0000000..a8a32ba
Binary files /dev/null and b/tests/cve2015-0261-ipv6.pcap differ
[mirror] the TCPdump network dissector