CVE-2017-13038/PPP: Do bounds checking.
authorGuy Harris <[email protected]>
Mon, 12 Jun 2017 01:27:27 +0000 (18:27 -0700)
committerDenis Ovsienko <[email protected]>
Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter.

Add a test using the capture file supplied by Katie Holly.

print-ppp.c
tests/TESTLIST
tests/mlppp-oobr.out [new file with mode: 0644]
tests/mlppp-oobr.pcap [new file with mode: 0644]

index d07763cb1cadff5f54cffb561dd7b56333bde99f..891761728bbb7450368c7b838e8a82c1d7c681bd 100644 (file)
@@ -811,6 +811,15 @@ handle_mlppp(netdissect_options *ndo,
     if (!ndo->ndo_eflag)
         ND_PRINT((ndo, "MLPPP, "));
 
+    if (length < 2) {
+        ND_PRINT((ndo, "[|mlppp]"));
+        return;
+    }
+    if (!ND_TTEST_16BITS(p)) {
+        ND_PRINT((ndo, "[|mlppp]"));
+        return;
+    }
+
     ND_PRINT((ndo, "seq 0x%03x, Flags [%s], length %u",
            (EXTRACT_16BITS(p))&0x0fff, /* only support 12-Bit sequence space for now */
            bittok2str(ppp_ml_flag_values, "none", *p & 0xc0),
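Review bot: The two guards added ahead of the `ND_PRINT` of the sequence number have identical bodies and no comment saying why both are needed. As far as the hunk shows, `length < 2` rejects a payload that is too short according to the length handed in by the caller, while `ND_TTEST_16BITS(p)` is the check that keeps the `EXTRACT_16BITS(p)` and `*p & 0xc0` reads inside the captured data. I would fold them into `if (length < 2 || !ND_TTEST_16BITS(p)) {` and put `/* need the 2-byte MLPPP header (flags + 12-bit sequence number), both in the packet and in the capture */` above it. Both paths print `[|mlppp]`, so the output cannot tell a malformed short payload from a snapshot-truncated one; that may be acceptable but is worth a deliberate choice. The body of handle_mlppp starts above the hunk and the `ND_PRINT` call continues past its last line, so the type of `length` and the remaining arguments are not visible here.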
index 5732f8ff5093bafcfba4d100ca6a3d4a11ef5191..bdc7ff40c685280126a7642fa6d85e9b05d2136e 100644 (file)
@@ -554,6 +554,9 @@ radius_attr_asan    radius_attr_asan.pcap           radius_attr_asan.out    -v
 ospf6_decode_v3_asan   ospf6_decode_v3_asan.pcap       ospf6_decode_v3_asan.out -v
 ip_ts_opts_asan                ip_ts_opts_asan.pcap            ip_ts_opts_asan.out     -v
 
+# bad packets from Katie Holly
+mlppp-oobr             mlppp-oobr.pcap                 mlppp-oobr.out
+
 # RTP tests
 # fuzzed pcap
 rtp-seg-fault-1  rtp-seg-fault-1.pcap  rtp-seg-fault-1.out  -v -T rtp
diff --git a/tests/mlppp-oobr.out b/tests/mlppp-oobr.out
new file mode 100644 (file)
index 0000000..9230189
--- /dev/null
@@ -0,0 +1 @@
+MLPPP, [|mlppp]
diff --git a/tests/mlppp-oobr.pcap b/tests/mlppp-oobr.pcap
new file mode 100644 (file)
index 0000000..95b1bbe
Binary files /dev/null and b/tests/mlppp-oobr.pcap differ