(for 4.9.3) CVE-2018-16227/IEEE 802.11: add a missing bounds check
authorDenis Ovsienko <[email protected]>
Tue, 28 Aug 2018 23:38:40 +0000 (00:38 +0100)
committerFrancois-Xavier Le Bail <[email protected]>
Tue, 27 Aug 2019 09:20:42 +0000 (11:20 +0200)
ieee802_11_print() tried to access the Mesh Flags subfield of the Mesh
Control field to find the size of the latter and increment the expected
802.11 header length before checking that the Mesh Flags octet was actually
present in the captured data. Add an intermediate bounds check to make it safe.

This fixes a buffer over-read discovered by Ryan Ackroyd.

Add a test using the capture file supplied by the reporter(s).

print-802_11.c
tests/TESTLIST
tests/ieee802.11_meshhdr-oobr.out [new file with mode: 0644]
tests/ieee802.11_meshhdr-oobr.pcap [new file with mode: 0644]

index 7c65941ae02992ba229322588076d03d516e2533..50a3e9f596c2a3faea69f144f9ebac278460d628 100644 (file)
@@ -2058,6 +2058,10 @@ ieee802_11_print(netdissect_options *ndo,
                hdrlen = roundup2(hdrlen, 4);
        if (ndo->ndo_Hflag && FC_TYPE(fc) == T_DATA &&
            DATA_FRAME_IS_QOS(FC_SUBTYPE(fc))) {
+               if (caplen < hdrlen + 1) {
+                       ND_PRINT((ndo, "%s", tstr));
+                       return hdrlen;
+               }
                meshdrlen = extract_mesh_header_length(p+hdrlen);
                hdrlen += meshdrlen;
        } else
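Review bot: The new guard `caplen < hdrlen + 1` admits exactly one byte at `p+hdrlen`, which is sufficient only as long as `extract_mesh_header_length()` reads nothing beyond the Mesh Flags octet; that invariant is not stated at the call site, so a comment there would keep a later change to the helper from silently reintroducing the over-read: `/* Need the Mesh Flags octet (first byte of Mesh Control) to size the field; extract_mesh_header_length() must read only that byte. */`. The bare `+ 1` is the size of that octet, and naming it in the comment is enough given the file's style. Returning `hdrlen` (the pre-mesh length, which is >= caplen once the guard fires) after printing `tstr` presumably mirrors the existing truncation path that follows the mesh computation; that path and the rest of ieee802_11_print() lie outside this hunk, so confirm the full mesh header, not only its first byte, is still bounds-checked there before any of it is dissected.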
index 9c0ac4b7ead715bb0c4e6e6f50c501226793cbd6..0645739cb90bddec9450bb67f7325c7fcfcbe2e0 100644 (file)
@@ -602,6 +602,9 @@ ospf6_print_lshdr-oobr      ospf6_print_lshdr-oobr.pcapng   ospf6_print_lshdr-oobr.out
 rpl-dao-oobr           rpl-dao-oobr.pcapng             rpl-dao-oobr.out                -vv -c1
 hncp_prefix-oobr       hncp_prefix-oobr.pcapng         hncp_prefix-oobr.out            -vvv
 
+# bad packets from Ryan Ackroyd
+ieee802.11_meshhdr-oobr        ieee802.11_meshhdr-oobr.pcap    ieee802.11_meshhdr-oobr.out     -H -c1
+
 # RTP tests
 # fuzzed pcap
 rtp-seg-fault-1  rtp-seg-fault-1.pcap  rtp-seg-fault-1.out  -v -T rtp
diff --git a/tests/ieee802.11_meshhdr-oobr.out b/tests/ieee802.11_meshhdr-oobr.out
new file mode 100644 (file)
index 0000000..6b3ab3f
--- /dev/null
@@ -0,0 +1 @@
+3472328296059908144us tsft 24.0 Mb/s 12334 MHz Turbo 48dBm noise [|802.11][|802.11]
diff --git a/tests/ieee802.11_meshhdr-oobr.pcap b/tests/ieee802.11_meshhdr-oobr.pcap
new file mode 100644 (file)
index 0000000..48445d7
Binary files /dev/null and b/tests/ieee802.11_meshhdr-oobr.pcap differ