]> The Tcpdump Group git mirrors - tcpdump/commitdiff
projects / tcpdump / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c6e0531)
CVE-2017-12893/SMB/CIFS: Add a bounds check in name_len().
authorGuy Harris <[email protected]>
Sat, 4 Feb 2017 00:56:57 +0000 (16:56 -0800)
committerDenis Ovsienko <[email protected]>
Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
After we advance the pointer by the length value in the buffer, make
sure it points to something in the captured data.

This fixes a buffer over-read discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add a test using the capture file supplied by the reporter(s).

smbutil.c patch | blob | history
tests/TESTLIST patch | blob | history
tests/nbns-valgrind.out [new file with mode: 0644] patch | blob
tests/nbns-valgrind.pcap [new file with mode: 0644] patch | blob

diff --git a/smbutil.c b/smbutil.c
index b38d73afbce32a7cf0086a5c3928d02168af9146..fc9b3cc6f227a659fd71f3c5e4c1c766a132e9a3 100644 (file)
--- a/smbutil.c
+++ b/smbutil.c
@@ -237,6 +237,7 @@ name_len(netdissect_options *ndo,
            return(-1); /* name goes past the end of the buffer */
        ND_TCHECK2(*s, 1);
        s += (*s) + 1;
+       ND_TCHECK2(*s, 1);
     }
     return(PTR_DIFF(s, s0) + 1);
 
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 5e3ea8d51a7194056b3cc238c846976982a11ae4..514076410dba3b8cfe8f891a6dca0b0becc4d36b 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -449,6 +449,9 @@ decnet-oobr         decnet-oobr.pcap                decnet-oobr.out
 # bad packets from Wilfried Kirsch
 slip-bad-direction     slip-bad-direction.pcap         slip-bad-direction.out  -ve
 
+# bad packets from Otto Airamo and Antti Levomäki
+nbns-valgrind          nbns-valgrind.pcap              nbns-valgrind.out       -vvv -e
+
 # RTP tests
 # fuzzed pcap
 rtp-seg-fault-1  rtp-seg-fault-1.pcap  rtp-seg-fault-1.out  -v -T rtp
diff --git a/tests/nbns-valgrind.out b/tests/nbns-valgrind.out
new file mode 100644 (file)
index 0000000..bb9cc49
--- /dev/null
+++ b/tests/nbns-valgrind.out
@@ -0,0 +1,16 @@
+00:0c:85:0e:a5:ff > 00:00:0c:07:ac:f0, ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 127, id 38615, offset 0, flags [none], proto UDP (17), length 78)
+    10.49.248.228.137 > 10.48.161.241.137: 
+>>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
+TrnID=0x8D40
+OpCode=0
+NmFlags=0x10
+Rcode=0
+QueryCount=1
+AnswerCount=0
+AuthorityCount=0
+AddressRecCount=0
+QuestionRecords:
+Name=
+WARNING: Short packet. Try increasing the snap length
+
+
diff --git a/tests/nbns-valgrind.pcap b/tests/nbns-valgrind.pcap
new file mode 100644 (file)
index 0000000..57657f0
Binary files /dev/null and b/tests/nbns-valgrind.pcap differ
[mirror] the TCPdump network dissector