(for 4.9.3) Babel: Add a missing length check.
authorDenis Ovsienko <[email protected]>
Tue, 12 Sep 2017 10:30:50 +0000 (11:30 +0100)
committerFrancois-Xavier Le Bail <[email protected]>
Sun, 18 Aug 2019 18:35:51 +0000 (20:35 +0200)
In babel_print_v2() check that the Babel packet body length does not
exceed the outer UDP packet payload. This helps to detect some invalid
packets earlier but does not fix a known vulnerability.

print-babel.c
tests/babel_update_oobr.out

index 1a31f2a3cfa3fe17ca087b6f6d1d20f9efe3f883..0bb2483adedbfcf4aa51656039ea290c9647b414 100644 (file)
@@ -352,6 +352,8 @@ babel_print_v2(netdissect_options *ndo,
         goto invalid;
     bodylen = EXTRACT_16BITS(cp + 2);
     ND_PRINT((ndo, " (%u)", bodylen));
+    if (4U + bodylen > length)
+        goto invalid;
 
     /* Process the TLVs in the body */
     i = 0;
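Review bot: The added guard `if (4U + bodylen > length)` bounds the declared body length only against `length`, which the commit message describes as the outer UDP payload size. It therefore rejects an inconsistent header but presumably says nothing about how many bytes were actually captured, so the TLV loop that begins right after it (its body is outside this hunk) must keep its own per-TLV bounds checks. The bare `4U` is the fixed header size implied by the 16-bit read at `cp + 2`, and a comment above the check would record that: `/* 4 = fixed Babel header size; header plus body must fit in the UDP payload */`. The sum cannot wrap as long as `bodylen` holds only the 16-bit value extracted on the line above. babel_print_v2 starts and ends outside the hunk.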
index 1d60fee09a81a6b1d2fd26f927d4b861d1bbb3e2..03fb9dd6f1e632d23fc102731ac368883ca4c733 100644 (file)
@@ -63,4 +63,4 @@ IP 10.0.0.1.88 > 0.234.154.214.24074:  v4 be KDC_REQUEST: .M-oM-^?M-^?@M-^?M-^@M
 IP 10.0.0.1.88 > 0.234.154.214.24074:  v4 be KDC_REQUEST: ^O^O^O^O.^DM-2M-!^BM-W^CM-!^B@^D 0min ^P.^VM-^H [|kerberos]
 IP 10.0.0.1.88 > 0.234.154.214.24074:  v4 be KDC_REQUEST: ^O^O^O^O^O7M-^@M-^?M-^@^D^O^O^O^O^O^P.M-^?M-^?^O^O^O@^VM-^H [|kerberos]
 IP 10.0.0.1.88 > 0.234.154.214.24074:  v4 be KDC_REQUEST: ^O^O^O^O.^DM-^@M-^?M-^?M-^?^CM-!^B@^D 0min ^P.^VM-^H [|kerberos]
-IP 208.21.42.58.6697 > 110.228.104.254.30952: babel 2 (2056) update/truncated update/truncated update/truncated [|babel]
+IP 208.21.42.58.6697 > 110.228.104.254.30952: babel 2 (2056) (invalid)