CVE-2016-7929/Make sure a Juniper header TLV isn't bigger than what's left in the...
authorGuy Harris <[email protected]>
Mon, 13 Jul 2015 23:52:51 +0000 (16:52 -0700)
committerFrancois-Xavier Le Bail <[email protected]>
Wed, 18 Jan 2017 08:16:37 +0000 (09:16 +0100)
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.

print-juniper.c
tests/TESTLIST
tests/juniper_header-heapoverflow.out [new file with mode: 0644]
tests/juniper_header-heapoverflow.pcap [new file with mode: 0644]

index 4fb5453c991a13d45ca6922f8122217ce7f93ec4..83ac372f4078a858cc3217b1ded3759f614aa3bf 100644 (file)
@@ -92,7 +92,7 @@ enum {
 };
 
 /* 1 byte type and 1-byte length */
-#define JUNIPER_EXT_TLV_OVERHEAD 2
+#define JUNIPER_EXT_TLV_OVERHEAD 2U
 
 static const struct tok jnx_ext_tlv_values[] = {
     { JUNIPER_EXT_TLV_IFD_IDX, "Device Interface Index" },
@@ -1203,9 +1203,11 @@ juniper_parse_header(netdissect_options *ndo,
             tlv_len = *(tptr++);
             tlv_value = 0;
 
-            /* sanity check */
+            /* sanity checks */
             if (tlv_type == 0 || tlv_len == 0)
                 break;
+            if (tlv_len+JUNIPER_EXT_TLV_OVERHEAD > jnx_ext_len)
+                goto trunc;
 
             if (ndo->ndo_vflag > 1)
                 ND_PRINT((ndo, "\n\t  %s Extension TLV #%u, length %u, value ",
index 7e37accce58ed23b9c40d95d10566e448b83f650..eda358a69fb8043da253fd095c95a5d23808e6e8 100644 (file)
@@ -399,3 +399,4 @@ stp-heapoverflow-3  stp-heapoverflow-3.pcap stp-heapoverflow-3.out  -t -v -n
 stp-heapoverflow-4     stp-heapoverflow-4.pcap stp-heapoverflow-4.out  -t -v -n
 stp-heapoverflow-5     stp-heapoverflow-5.pcap stp-heapoverflow-5.out  -t -v -n
 arp-too-long-tha       arp-too-long-tha.pcap   arp-too-long-tha.out    -t -v -n
+juniper_header-heapoverflow    juniper_header-heapoverflow.pcap        juniper_header-heapoverflow.out -t -v -n
diff --git a/tests/juniper_header-heapoverflow.out b/tests/juniper_header-heapoverflow.out
new file mode 100644 (file)
index 0000000..b13cfbe
--- /dev/null
@@ -0,0 +1 @@
+[|juniper_hdr], length 808464432
diff --git a/tests/juniper_header-heapoverflow.pcap b/tests/juniper_header-heapoverflow.pcap
new file mode 100644 (file)
index 0000000..89cc331
Binary files /dev/null and b/tests/juniper_header-heapoverflow.pcap differ