]> The Tcpdump Group git mirrors - tcpdump/commitdiff
projects / tcpdump / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3c4d7c0)
CVE-2017-12986/IPv6 R.H.: Update to reflect the actual IPv6 RFC.
authorGuy Harris <[email protected]>
Sat, 4 Feb 2017 22:06:23 +0000 (14:06 -0800)
committerDenis Ovsienko <[email protected]>
Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
In RFC 1883, the Type 0 routing header had a 1-byte reserved field and a
3-byte strict/loose bit map; in RFC 2460, that changed to a 4-byte
reserved field.

This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter (by
making an ND_TCHECK() call check for the presence in the captured data
of all 4 bytes of the reserved field; we were printing it as a 4-byte
field, so we needed to check for them).

Add a test using the capture file supplied by the reporter(s).

ip6.h patch | blob | history
tests/TESTLIST patch | blob | history
tests/ipv6-rthdr-oobr.out [new file with mode: 0644] patch | blob
tests/ipv6-rthdr-oobr.pcap [new file with mode: 0644] patch | blob

diff --git a/ip6.h b/ip6.h
index 2ea1d0abe8ecda6e576aa9683edb64bb922c52a5..986203414f8b78db5488395ed6fce93bbe8ed0c3 100644 (file)
--- a/ip6.h
+++ b/ip6.h
@@ -181,9 +181,8 @@ struct ip6_rthdr0 {
        uint8_t  ip6r0_nxt;             /* next header */
        uint8_t  ip6r0_len;             /* length in units of 8 octets */
        uint8_t  ip6r0_type;            /* always zero */
-       uint8_t  ip6r0_segleft; /* segments left */
-       uint8_t  ip6r0_reserved;        /* reserved field */
-       uint8_t  ip6r0_slmap[3];        /* strict/loose bit map */
+       uint8_t  ip6r0_segleft;         /* segments left */
+       uint32_t ip6r0_reserved;        /* reserved field */
        struct in6_addr ip6r0_addr[1];  /* up to 23 addresses */
 } UNALIGNED;
 
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 9b60df27b6b5cf8c1aabf6843058703b9803367a..6d6f41b758474ce9e521e4fec676f3d7e1205ecd 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -434,6 +434,7 @@ q933-heapoverflow-2 q933-heapoverflow-2.pcap        q933-heapoverflow-2.out
 atm-heapoverflow       atm-heapoverflow.pcap           atm-heapoverflow.out            -c1 -e
 ipv6-next-header-oobr-1        ipv6-next-header-oobr-1.pcap    ipv6-next-header-oobr-1.out
 ipv6-next-header-oobr-2        ipv6-next-header-oobr-2.pcap    ipv6-next-header-oobr-2.out
+ipv6-rthdr-oobr                ipv6-rthdr-oobr.pcap            ipv6-rthdr-oobr.out
 
 # bad packets from Kamil Frankowicz
 snmp-heapoverflow-1    snmp-heapoverflow-1.pcap        snmp-heapoverflow-1.out
diff --git a/tests/ipv6-rthdr-oobr.out b/tests/ipv6-rthdr-oobr.out
new file mode 100644 (file)
index 0000000..05824e4
--- /dev/null
+++ b/tests/ipv6-rthdr-oobr.out
@@ -0,0 +1 @@
+IP6 3030:3030:3030:3030:3030:3030:3030:3030 > 3030:3030:3030:3030:3030:3030:3030:3030: srcrt (len=48, type=0, segleft=48[|srcrt]
diff --git a/tests/ipv6-rthdr-oobr.pcap b/tests/ipv6-rthdr-oobr.pcap
new file mode 100644 (file)
index 0000000..41f96b6
Binary files /dev/null and b/tests/ipv6-rthdr-oobr.pcap differ
[mirror] the TCPdump network dissector