]> The Tcpdump Group git mirrors - tcpdump/commitdiff
projects / tcpdump / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a77ff09)
CVE-2017-13028/BOOTP: Add a bounds check before fetching data
authorFrancois-Xavier Le Bail <[email protected]>
Wed, 22 Mar 2017 18:37:04 +0000 (19:37 +0100)
committerDenis Ovsienko <[email protected]>
Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't cause 'tcpdump: pcap_loop: truncated dump file'

print-bootp.c patch | blob | history
tests/TESTLIST patch | blob | history
tests/bootp_asan.out [new file with mode: 0644] patch | blob
tests/bootp_asan.pcap [new file with mode: 0644] patch | blob

diff --git a/print-bootp.c b/print-bootp.c
index ce2ecac4f4228c8d59bc1fb320d0a4011944bf51..51e53844c1ff66a1f36e62f08bd58a4b6ee7f25d 100644 (file)
--- a/print-bootp.c
+++ b/print-bootp.c
@@ -322,6 +322,7 @@ bootp_print(netdissect_options *ndo,
        if (EXTRACT_16BITS(&bp->bp_secs))
                ND_PRINT((ndo, ", secs %d", EXTRACT_16BITS(&bp->bp_secs)));
 
+       ND_TCHECK(bp->bp_flags);
        ND_PRINT((ndo, ", Flags [%s]",
                  bittok2str(bootp_flag_values, "none", EXTRACT_16BITS(&bp->bp_flags))));
        if (ndo->ndo_vflag > 1)
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 9ac274704caa4cb062b7ba0af75439be6a90d4ed..8b90e1f5d543da44c81a9193b5adda6e05cb6175 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -533,6 +533,7 @@ isis_stlv_asan-2    isis_stlv_asan-2.pcap           isis_stlv_asan-2.out    -v
 isis_stlv_asan-3       isis_stlv_asan-3.pcap           isis_stlv_asan-3.out    -v
 isis_stlv_asan-4       isis_stlv_asan-4.pcap           isis_stlv_asan-4.out    -v
 lldp_mgmt_addr_tlv_asan        lldp_mgmt_addr_tlv_asan.pcap    lldp_mgmt_addr_tlv_asan.out     -v
+bootp_asan             bootp_asan.pcap                 bootp_asan.out          -v
 
 # RTP tests
 # fuzzed pcap
diff --git a/tests/bootp_asan.out b/tests/bootp_asan.out
new file mode 100644 (file)
index 0000000..d3ae8d9
--- /dev/null
+++ b/tests/bootp_asan.out
@@ -0,0 +1,2 @@
+IP (tos 0x0, ttl 252, id 40207, offset 0, flags [+, DF, rsvd], proto UDP (17), length 60951, bad cksum ff (->8336)!)
+    18.0.0.15.16896 > 107.95.83.32.68: BOOTP/DHCP, unknown (0x00), length 59384, htype 0, hlen 0, hops 13, xid 0x14000000, secs 3328 [|bootp]
diff --git a/tests/bootp_asan.pcap b/tests/bootp_asan.pcap
new file mode 100644 (file)
index 0000000..7c8a6ae
Binary files /dev/null and b/tests/bootp_asan.pcap differ
[mirror] the TCPdump network dissector