(for 4.9.3) CVE-2018-14463/VRRP: Add a missing bounds check
authorFrancois-Xavier Le Bail <[email protected]>
Sun, 8 Oct 2017 11:28:05 +0000 (13:28 +0200)
committerFrancois-Xavier Le Bail <[email protected]>
Sun, 18 Aug 2019 18:35:51 +0000 (20:35 +0200)
In vrrp_print().

This fixes a buffer over-read discovered by Bhargava Shastry.

Add a test using the capture file supplied by the reporter(s).

print-vrrp.c
tests/TESTLIST
tests/vrrp-vrrp_print-oobr.out [new file with mode: 0644]
tests/vrrp-vrrp_print-oobr.pcap [new file with mode: 0644]

index d8ba4265050462f4e81333a5f5abb3df9a965c38..d6114e57b14a83d0ef30bc107adf6a54629c698c 100644 (file)
@@ -142,9 +142,11 @@ vrrp_print(netdissect_options *ndo,
 
                        vec[0].ptr = bp;
                        vec[0].len = len;
-                       if (in_cksum(vec, 1))
+                       if (in_cksum(vec, 1)) {
+                               ND_TCHECK_16BITS(&bp[6]);
                                ND_PRINT((ndo, ", (bad vrrp cksum %x)",
                                        EXTRACT_16BITS(&bp[6])));
+                       }
                }
 
                if (version == 3 && ND_TTEST2(bp[0], len)) {
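Review bot: The new `ND_TCHECK_16BITS(&bp[6]);` sits inside the `if (in_cksum(vec, 1)) {` branch, so the bounds check on the checksum field only runs when the checksum over `len` bytes fails; a header shorter than 8 bytes that happens to sum to zero is neither read out of bounds nor reported as truncated, which is correct but leaves the short-header case invisible. Hoisting the check above `vec[0].ptr = bp;` would make the guard independent of the checksum result and report every short header the same way, and a one-line comment such as `/* len may be < 8, so the ND_TTEST2(bp[0], len) guard does not cover the checksum field at bp[6..7] */` would record why a second check is needed right after a length test. The first packet in the added expected output (`length 6`) appears to be exactly this case, where in_cksum covers 6 bytes while EXTRACT_16BITS reads bytes 6 and 7. The `trunc` label the macro jumps to, the earlier length test for version 2 and the rest of vrrp_print lie outside the hunk, so the placement of the existing ND_TTEST2 check for this path cannot be confirmed from here.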
index db1f87d84aa9985d99a8519d668e38f28f61894f..8cc638ddb17cfb5cb967f3f55feebb71aa939b76 100644 (file)
@@ -556,6 +556,7 @@ ldp-ldp_tlv_print-oobr ldp-ldp_tlv_print-oobr.pcap ldp-ldp_tlv_print-oobr.out -v
 icmp-icmp_print-oobr-1 icmp-icmp_print-oobr-1.pcap icmp-icmp_print-oobr-1.out -v -c3
 icmp-icmp_print-oobr-2 icmp-icmp_print-oobr-2.pcap icmp-icmp_print-oobr-2.out -v -c3
 rsvp-rsvp_obj_print-oobr rsvp-rsvp_obj_print-oobr.pcap rsvp-rsvp_obj_print-oobr.out -v -c3
+vrrp-vrrp_print-oobr vrrp-vrrp_print-oobr.pcap vrrp-vrrp_print-oobr.out -v -c3
 # The .pcap file is truncated after the 1st packet.
 hncp_dhcpv6data-oobr   hncp_dhcpv6data-oobr.pcap       hncp_dhcpv6data-oobr.out -v -c1
 hncp_dhcpv4data-oobr   hncp_dhcpv4data-oobr.pcap       hncp_dhcpv4data-oobr.out -v -c1
diff --git a/tests/vrrp-vrrp_print-oobr.out b/tests/vrrp-vrrp_print-oobr.out
new file mode 100644 (file)
index 0000000..fd87db8
--- /dev/null
@@ -0,0 +1,6 @@
+IP (tos 0x7f,CE, ttl 254, id 40208, offset 0, flags [none], proto VRRP (112), length 34, options (unknown 69 [bad length 83]), bad cksum 8e15 (->bc96)!)
+    250.219.91.20 > 209.150.251.64: vrrp 250.219.91.20 > 209.150.251.64: VRRPv2, Advertisement, (ttl 254), vrid 2, prio 0, authtype simple, intvl 255s, length 6[|vrrp]
+IP (tos 0x7f,CE, ttl 254, id 40208, offset 0, flags [none], proto VRRP (112), length 40, options (unknown 69 [bad length 83]), bad cksum 8e15 (->b790)!)
+    250.219.91.20 > 209.150.251.64: vrrp 250.219.91.20 > 209.150.251.64: VRRPv2, Advertisement, (ttl 254), vrid 2, prio 0, authtype simple, intvl 255s, length 12, addrs:[|vrrp]
+IP (tos 0x7f,CE, ttl 254, id 40208, offset 0, flags [none], proto VRRP (112), length 40, options (unknown 69 [bad length 83]), bad cksum 8e15 (->bc90)!)
+    250.219.91.20 > 209.150.251.64: vrrp 250.219.91.20 > 209.150.251.64: VRRPv2, Advertisement, (ttl 254), vrid 2, prio 0, authtype simple, intvl 255s, length 12, addrs:[|vrrp]
diff --git a/tests/vrrp-vrrp_print-oobr.pcap b/tests/vrrp-vrrp_print-oobr.pcap
new file mode 100644 (file)
index 0000000..a74bc50
Binary files /dev/null and b/tests/vrrp-vrrp_print-oobr.pcap differ