CVE-2017-11543/Make sure the SLIP direction octet is valid.
authorGuy Harris <[email protected]>
Fri, 17 Mar 2017 19:49:04 +0000 (12:49 -0700)
committerDenis Ovsienko <[email protected]>
Sat, 2 Sep 2017 18:55:06 +0000 (19:55 +0100)
Report if it's not, and don't use it as an out-of-bounds index into an
array.

This fixes a buffer overflow discovered by Wilfried Kirsch.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.

print-sl.c
tests/TESTLIST
tests/slip-bad-direction.out [new file with mode: 0644]
tests/slip-bad-direction.pcap [new file with mode: 0644]

index 3fd7e898dee5c0eae63790f66ff8efd5a9a32f95..a02077b3773dd2aba38cb40cb189bf83ed8db603 100644 (file)
@@ -131,8 +131,21 @@ sliplink_print(netdissect_options *ndo,
        u_int hlen;
 
        dir = p[SLX_DIR];
-       ND_PRINT((ndo, dir == SLIPDIR_IN ? "I " : "O "));
+       switch (dir) {
 
+       case SLIPDIR_IN:
+               ND_PRINT((ndo, "I "));
+               break;
+
+       case SLIPDIR_OUT:
+               ND_PRINT((ndo, "O "));
+               break;
+
+       default:
+               ND_PRINT((ndo, "Invalid direction %d ", dir));
+               dir = -1;
+               break;
+       }
        if (ndo->ndo_nflag) {
                /* XXX just dump the header */
                register int i;
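Review bot: The `dir = -1;` written in the `default:` arm is an unnamed sentinel that the later `if (dir == -1)` guards depend on; a named constant beside the existing SLIPDIR_IN/SLIPDIR_OUT values (e.g. `#define SLIPDIR_INVALID (-1)`) would make both the assignment and the guards self-describing. The declaration of `dir` sits above the hunk, and since the neighbouring `hlen` is `u_int` it is worth confirming `dir` is a signed `int`; if it were unsigned the `%d` in the `Invalid direction` print would mismatch its argument, even though the `== -1` comparison still holds after the usual conversions. sliplink_print's body continues past this hunk.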
@@ -155,13 +168,21 @@ sliplink_print(netdissect_options *ndo,
                 * has restored the IP header copy to IPPROTO_TCP.
                 */
                lastconn = ((const struct ip *)&p[SLX_CHDR])->ip_p;
+               ND_PRINT((ndo, "utcp %d: ", lastconn));
+               if (dir == -1) {
+                       /* Direction is bogus, don't use it */
+                       return;
+               }
                hlen = IP_HL(ip);
                hlen += TH_OFF((const struct tcphdr *)&((const int *)ip)[hlen]);
                lastlen[dir][lastconn] = length - (hlen << 2);
-               ND_PRINT((ndo, "utcp %d: ", lastconn));
                break;
 
        default:
+               if (dir == -1) {
+                       /* Direction is bogus, don't use it */
+                       return;
+               }
                if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) {
                        compressed_sl_print(ndo, &p[SLX_CHDR], ip,
                            length, dir);
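Review bot: The `dir == -1` guard protects the `lastlen[dir][lastconn]` index, but the two lines after it still derive `hlen` from the packet's `IP_HL` and `TH_OFF` fields and dereference `&((const int *)ip)[hlen]` with no bounds check visible in this hunk, which is the same pattern of an unchecked packet-controlled index this commit fixes for `dir`. If the caller's captured-length check covers only the SLIP header (the code above the hunk is not visible here), an `ND_TCHECK`-style check on the TCP header before the `TH_OFF` read would close that gap — confirm against the enclosing function. The guard and its comment are repeated verbatim in the `default:` arm; that placement is defensible because arms that do not touch `dir` should keep printing, but a one-line comment above the switch stating that intent, e.g. `/* dir == -1 is only fatal in arms that index or pass it on */`, would save the next reader from hoisting the check. The case arm this hunk sits in begins before the hunk.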
index 1c33f0f58914bd6ee370d55c05cac0967ed0e257..fe95b03d816ae216690c9d7b9d8b3ec4d9ab30bc 100644 (file)
@@ -439,6 +439,9 @@ stp-v4-length-sigsegv       stp-v4-length-sigsegv.pcap      stp-v4-length-sigsegv.out
 hoobr_pimv1            hoobr_pimv1.pcap                hoobr_pimv1.out
 hoobr_safeputs         hoobr_safeputs.pcap             hoobr_safeputs.out
 
+# bad packets from Wilfried Kirsch
+slip-bad-direction     slip-bad-direction.pcap         slip-bad-direction.out  -ve
+
 # RTP tests
 # fuzzed pcap
 rtp-seg-fault-1  rtp-seg-fault-1.pcap  rtp-seg-fault-1.out  -v -T rtp
diff --git a/tests/slip-bad-direction.out b/tests/slip-bad-direction.out
new file mode 100644 (file)
index 0000000..47454c3
--- /dev/null
@@ -0,0 +1 @@
+Invalid direction 231 e7.e7.e7.e7.e7.e7.e7.e7.e7.e7.e7.e7.e7.e7.e7: ip v14
diff --git a/tests/slip-bad-direction.pcap b/tests/slip-bad-direction.pcap
new file mode 100644 (file)
index 0000000..a25dbda
Binary files /dev/null and b/tests/slip-bad-direction.pcap differ