]> The Tcpdump Group git mirrors - tcpdump/commitdiff
projects / tcpdump / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 18fb255)
CVE-2017-13036/OSPFv3: Add a bounds check before fetching data
authorFrancois-Xavier Le Bail <[email protected]>
Thu, 23 Mar 2017 23:55:18 +0000 (00:55 +0100)
committerDenis Ovsienko <[email protected]>
Sun, 3 Sep 2017 23:08:58 +0000 (00:08 +0100)
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.

print-ospf6.c patch | blob | history
tests/TESTLIST patch | blob | history
tests/ospf6_decode_v3_asan.out [new file with mode: 0644] patch | blob
tests/ospf6_decode_v3_asan.pcap [new file with mode: 0644] patch | blob

diff --git a/print-ospf6.c b/print-ospf6.c
index e8a9dc6d547daab7ad9326ae52a4c76b6740467c..381fdbbf71b33d39a5101da617c4aeabab83cc37 100644 (file)
--- a/print-ospf6.c
+++ b/print-ospf6.c
@@ -735,6 +735,7 @@ ospf6_decode_v3(netdissect_options *ndo,
        case OSPF_TYPE_HELLO: {
                register const struct hello6 *hellop = (const struct hello6 *)((const uint8_t *)op + OSPF6HDR_LEN);
 
+               ND_TCHECK_32BITS(&hellop->hello_options);
                ND_PRINT((ndo, "\n\tOptions [%s]",
                          bittok2str(ospf6_option_values, "none",
                          EXTRACT_32BITS(&hellop->hello_options))));
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 1b405cc35c1e82274a94b073eee66c5b22600ae5..65d33188ddcb24166012ac65094bbd1bb8936eef 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -546,6 +546,7 @@ pim_header_asan-2   pim_header_asan-2.pcap          pim_header_asan-2.out   -v
 pim_header_asan-3      pim_header_asan-3.pcap          pim_header_asan-3.out   -v
 ip6_frag_asan          ip6_frag_asan.pcap              ip6_frag_asan.out       -v
 radius_attr_asan       radius_attr_asan.pcap           radius_attr_asan.out    -v
+ospf6_decode_v3_asan   ospf6_decode_v3_asan.pcap       ospf6_decode_v3_asan.out -v
 
 # RTP tests
 # fuzzed pcap
diff --git a/tests/ospf6_decode_v3_asan.out b/tests/ospf6_decode_v3_asan.out
new file mode 100644 (file)
index 0000000..aef79e0
--- /dev/null
+++ b/tests/ospf6_decode_v3_asan.out
@@ -0,0 +1,2 @@
+IP6 (class 0x76, flowlabel 0xf6701, hlim 109, next-header OSPF (89) payload length: 30311) 6767:6780:6767:a102:4:b6:5853:f040 > 1000:a32:8847:1::116: OSPFv3, Hello, length 30311
+       Router-ID 1.1.0.34, Area 0.255.2.2, Instance 82 [|ospf3]
diff --git a/tests/ospf6_decode_v3_asan.pcap b/tests/ospf6_decode_v3_asan.pcap
new file mode 100644 (file)
index 0000000..2d50b9c
Binary files /dev/null and b/tests/ospf6_decode_v3_asan.pcap differ
[mirror] the TCPdump network dissector