CVE-2017-13018/PGM: Add a missing bounds check.
authorGuy Harris <[email protected]>
Wed, 22 Mar 2017 02:49:28 +0000 (19:49 -0700)
committerDenis Ovsienko <[email protected]>
Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.

print-pgm.c
tests/TESTLIST
tests/pgm_opts_asan.out [new file with mode: 0644]
tests/pgm_opts_asan.pcap [new file with mode: 0644]

index 6d5c01ce11a8306bd57dee57983b16521d843931..9bd6eac53578760d06a7fd4246fc00532dbe22ab 100644 (file)
@@ -457,6 +457,10 @@ pgm_print(netdissect_options *ndo,
                    ND_PRINT((ndo, "[Total option length leaves no room for final option]"));
                    return;
                }
+               if (!ND_TTEST2(*bp, 2)) {
+                   ND_PRINT((ndo, " [|OPT]"));
+                   return;
+               }
                opt_type = *bp++;
                opt_len = *bp++;
                if (opt_len < PGM_MIN_OPT_LEN) {
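Review bot: The added ND_TTEST2 guard covers only the two option-header octets consumed by the `opt_type = *bp++; opt_len = *bp++;` lines that follow it, not the option body of `opt_len - 2` bytes that the per-type handling presumably reads afterwards; whether those reads are bounds-checked depends on code past the hunk, so it is worth confirming that each option branch carries its own ND_TTEST2 against opt_len before dereferencing bp. Since the check is short and its reason is the CVE named in the title, a comment would make the intent visible to the next reader: `/* Make sure the option type and length octets are within the captured data. */`. The " [|OPT]" truncation marker matches the expected output added in tests/pgm_opts_asan.out. pgm_print begins and continues outside this hunk.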
index 3f5726601b8fed1970d1079c1d0aa6c298cd3ffa..68617bf44aaf4bec7ffad38d9c75fd46b0c28379 100644 (file)
@@ -519,6 +519,7 @@ esis_snpa_asan-3    esis_snpa_asan-3.pcap           esis_snpa_asan-3.out    -v
 esis_snpa_asan-4       esis_snpa_asan-4.pcap           esis_snpa_asan-4.out    -v
 esis_snpa_asan-5       esis_snpa_asan-5.pcap           esis_snpa_asan-5.out    -v
 dhcp6_reconf_asan      dhcp6_reconf_asan.pcap          dhcp6_reconf_asan.out   -v
+pgm_opts_asan          pgm_opts_asan.pcap              pgm_opts_asan.out       -v
 
 # RTP tests
 # fuzzed pcap
diff --git a/tests/pgm_opts_asan.out b/tests/pgm_opts_asan.out
new file mode 100644 (file)
index 0000000..cc0607a
--- /dev/null
@@ -0,0 +1,2 @@
+IP (tos 0x41,ECT(1), id 0, offset 0, flags [none], proto PGM (113), length 32639, options (unknown 89 [bad length 232]), bad cksum 5959 (->9eb9)!)
+    128.121.89.107 > 89.89.16.63: 128.121.89.107.4 > 89.89.16.63.225: PGM, length 0 0x3414eb1f0022 UNKNOWN type 0x1f OPTS LEN 225 OPT_1F [13]  OPT_06 [26]  PATH_NLA [4] [|OPT]
diff --git a/tests/pgm_opts_asan.pcap b/tests/pgm_opts_asan.pcap
new file mode 100644 (file)
index 0000000..f65d06a
Binary files /dev/null and b/tests/pgm_opts_asan.pcap differ