CVE-2016-7931/Add bounds and length checks.
authorGuy Harris <[email protected]>
Sat, 4 Jul 2015 01:07:35 +0000 (18:07 -0700)
committerFrancois-Xavier Le Bail <[email protected]>
Wed, 18 Jan 2017 08:16:36 +0000 (09:16 +0100)
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.

print-mpls.c
tests/TESTLIST
tests/mpls-label-heapoverflow.out [new file with mode: 0644]
tests/mpls-label-heapoverflow.pcap [new file with mode: 0644]

index 6d0539e61bda85b7c51f32b3366b8c11daedee32..f6ee434e96d5a8cca81e6a92363a9e6333075e5a 100644 (file)
@@ -68,6 +68,10 @@ mpls_print(netdissect_options *ndo, const u_char *bp, u_int length)
        ND_PRINT((ndo, "MPLS"));
        do {
                ND_TCHECK2(*p, sizeof(label_entry));
+               if (length < sizeof(label_entry)) {
+                       ND_PRINT((ndo, "[|MPLS], length %u", length));
+                       return;
+               }
                label_entry = EXTRACT_32BITS(p);
                ND_PRINT((ndo, "%s(label %u",
                       (label_stack_depth && ndo->ndo_vflag) ? "\n\t" : " ",
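Review bot: The two guards at the top of the loop body check different things and nothing in the code says which: `ND_TCHECK2` bounds the read against the captured bytes, while the new `length < sizeof(label_entry)` test bounds it against the caller-supplied on-the-wire length, and a reader unfamiliar with tcpdump's conventions may take the second as redundant with the first. I would add a one-line comment above the new test, `/* ND_TCHECK2 covers the capture; length is the caller-supplied on-the-wire count, which can be shorter */`. Note that `length` is `u_int` while `sizeof` yields `size_t`, so the comparison is performed in `size_t` and is fine as written. The enclosing `do`/`while` loop continues past the end of this hunk.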
@@ -82,6 +86,7 @@ mpls_print(netdissect_options *ndo, const u_char *bp, u_int length)
                ND_PRINT((ndo, ", ttl %u)", MPLS_TTL(label_entry)));
 
                p += sizeof(label_entry);
+               length -= sizeof(label_entry);
        } while (!MPLS_STACK(label_entry));
 
        /*
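Review bot: The new `length -= sizeof(label_entry);` cannot wrap only because the loop body begins, outside this hunk, with a check that `length` is at least `sizeof(label_entry)`; nothing at this line records that dependency, so a later reordering of the loop body could silently reintroduce an unsigned underflow and the heap over-read this commit fixes. I would add `/* cannot underflow: checked against sizeof(label_entry) at the top of the loop */` on the line above it. The `do`/`while` loop this line belongs to starts before the hunk.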
@@ -124,6 +129,11 @@ mpls_print(netdissect_options *ndo, const u_char *bp, u_int length)
                 * Cisco sends control-plane traffic MPLS-encapsulated in
                 * this fashion.
                 */
+               ND_TCHECK(*p);
+               if (length < 1) {
+                       /* nothing to print */
+                       return;
+               }
                switch(*p) {
 
                case 0x45:
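Review bot: The new guard runs after `ND_TCHECK(*p)`, so a frame whose caller-supplied `length` is exhausted exactly at the bottom-of-stack label and whose capture also ends there is reported as truncated (`[|MPLS]` via the trunc path) rather than accepted as a label stack with no payload, which is what the `/* nothing to print */` branch intends. Swapping the two, `if (length < 1) { /* nothing to print */ return; }` before `ND_TCHECK(*p);`, makes the outcome depend on the packet's declared length instead of on where the capture stopped. If the new test capture ends right after the `[S]` label, the trailing `[|MPLS]` in mpls-label-heapoverflow.out presumably comes from that trunc path, so the expected output would need updating along with the swap. The `switch` body and the enclosing function continue past the end of the hunk.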
index e601f59aae8b7d181450cfc3875d34f7abe5a8ff..d9751c90deb5afe2c799c0a6c5c4eeb017179136 100644 (file)
@@ -391,3 +391,4 @@ llc-xid-heapoverflow        llc-xid-heapoverflow.pcap       llc-xid-heapoverflow.out        -t -v -n
 udp-length-heapoverflow        udp-length-heapoverflow.pcap    udp-length-heapoverflow.out     -t -v -n
 aarp-heapoverflow-1    aarp-heapoverflow-1.pcap        aarp-heapoverflow-1.out -t -v -n
 aarp-heapoverflow-2    aarp-heapoverflow-2.pcap        aarp-heapoverflow-2.out -t -v -n
+mpls-label-heapoverflow        mpls-label-heapoverflow.pcap    mpls-label-heapoverflow.out     -t -v -n
diff --git a/tests/mpls-label-heapoverflow.out b/tests/mpls-label-heapoverflow.out
new file mode 100644 (file)
index 0000000..1419cac
--- /dev/null
@@ -0,0 +1,2 @@
+MPLS (label 197379, exp 0, ttl 48)
+       (label 197387, exp 5, [S], ttl 48)[|MPLS]
diff --git a/tests/mpls-label-heapoverflow.pcap b/tests/mpls-label-heapoverflow.pcap
new file mode 100644 (file)
index 0000000..bafba4f
Binary files /dev/null and b/tests/mpls-label-heapoverflow.pcap differ