CVE-2016-7974/Add an additional bounds check.
authorGuy Harris <[email protected]>
Fri, 3 Jul 2015 19:26:18 +0000 (12:26 -0700)
committerFrancois-Xavier Le Bail <[email protected]>
Wed, 18 Jan 2017 08:16:35 +0000 (09:16 +0100)
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.

print-ip.c
tests/TESTLIST
tests/heapoverflow-ip_print_demux.out [new file with mode: 0644]
tests/heapoverflow-ip_print_demux.pcap [new file with mode: 0644]

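--- a/print-ip.c
+++ b/print-ip.c
@@ -330,6 +330,10 @@ again:
        switch (ipds->nh) {
 
        case IPPROTO_AH:
+               if (!ND_TTEST(*ipds->cp)) {
+                       ND_PRINT((ndo, "[|AH]"));
+                       break;
+               }
                ipds->nh = *ipds->cp;
                ipds->advance = ah_print(ndo, ipds->cp);
                if (ipds->advance <= 0)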
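Review bot: The new ND_TTEST guard covers only the single next-header byte that `*ipds->cp` reads on the following line; the rest of the AH header is left to ah_print(), which, judging by the `[truncated]` marker in the new expected output, does its own bounds checking, and that split responsibility deserves a comment so a later edit does not drop one half of it. A one-line comment above the guard would do: `/* The next-header byte is read here before ah_print() validates the rest of the header, so it must be checked separately. */`. The `break` also leaves the switch with ipds->nh and ipds->advance still holding their prior values, so any code after the switch must not treat them as describing this AH header; the switch and the enclosing function (apparently ip_print_demux, from the test name) start and end outside the hunk, so that path cannot be confirmed from here.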
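--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -374,3 +374,4 @@ heapoverflow-atalk_print    heapoverflow-atalk_print.pcap   heapoverflow-atalk_print.
 heapoverflow-EXTRACT_16BITS    heapoverflow-EXTRACT_16BITS.pcap        heapoverflow-EXTRACT_16BITS.out -t -v -n
 heapoverflow-ppp_hdlc_if_print heapoverflow-ppp_hdlc_if_print.pcap     heapoverflow-ppp_hdlc_if_print.out      -t -v -n
 heapoverflow-sl_if_print       heapoverflow-sl_if_print.pcap   heapoverflow-sl_if_print.out    -t -v -n
+heapoverflow-ip_print_demux    heapoverflow-ip_print_demux.pcap        heapoverflow-ip_print_demux.out -t -v -n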
diff --git a/tests/heapoverflow-ip_print_demux.out b/tests/heapoverflow-ip_print_demux.out
new file mode 100644 (file)
index 0000000..af4a46d
--- /dev/null
@@ -0,0 +1,6 @@
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0020:  3030                                     00
+IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto AH (51), length 12336, bad cksum 3030 (->697b)!)
+    48.48.48.48 > 48.48.48.48: AH(spi=0x30303030,sumlen=192,seq=0x30303030[truncated]): [|AH]
diff --git a/tests/heapoverflow-ip_print_demux.pcap b/tests/heapoverflow-ip_print_demux.pcap
new file mode 100644 (file)
index 0000000..c3ad2ad
Binary files /dev/null and b/tests/heapoverflow-ip_print_demux.pcap differ