(for 4.9.3) CVE-2018-16228/HNCP: make buffer access safer
authorDenis Ovsienko <[email protected]>
Thu, 23 Aug 2018 22:32:07 +0000 (23:32 +0100)
committerFrancois-Xavier Le Bail <[email protected]>
Tue, 27 Aug 2019 09:20:42 +0000 (11:20 +0200)
print_prefix() has a buffer and does not initialize it. It may call
decode_prefix6(), which also does not initialize the buffer on invalid
input. When that happens, make sure to return from print_prefix() before
trying to print the [still uninitialized] buffer.

This fixes a buffer over-read discovered by Wang Junjie of 360 ESG
Codesafe Team.

Add a test using the capture file supplied by the reporter(s).

print-hncp.c
tests/TESTLIST
tests/hncp_prefix-oobr.out [new file with mode: 0644]
tests/hncp_prefix-oobr.pcapng [new file with mode: 0644]

index 3a8100371ee4b7511c5c2648c2281220cd79e9fd..c20d1e1a42e66718e47414aa91b3fd5bcbd33354 100644 (file)
@@ -229,6 +229,8 @@ print_prefix(netdissect_options *ndo, const u_char *prefix, u_int max_length)
         plenbytes += 1 + IPV4_MAPPED_HEADING_LEN;
     } else {
         plenbytes = decode_prefix6(ndo, prefix, max_length, buf, sizeof(buf));
+        if (plenbytes < 0)
+            return plenbytes;
     }
 
     ND_PRINT((ndo, "%s", buf));
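Review bot: The new `if (plenbytes < 0) return plenbytes;` guard makes print_prefix() correct only as long as decode_prefix6() never writes `buf` on a negative return, and `buf` itself is still left uninitialized (its declaration is above the hunk); any future path that returns a non-negative count without filling the buffer would reintroduce the same over-read at `ND_PRINT((ndo, "%s", buf))`. A belt-and-braces complement is to initialize the buffer where it is declared, `char buf[sizeof("xxxx:...::/128")] = "";`, or `buf[0] = '\0';` at the top of the function, so the print can never consume stack garbage. The negative value is now propagated to print_prefix()'s callers, which are not visible here; it is worth confirming they treat a `< 0` result as "stop parsing" rather than as a byte count, since the IPv4-mapped branch above already returns -1 the same way and presumably they do. print_prefix() begins and ends outside this hunk.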
index bb208983c7bf59ddb8c18d40249ebcf90fe457c1..9c0ac4b7ead715bb0c4e6e6f50c501226793cbd6 100644 (file)
@@ -600,6 +600,7 @@ babel_update_oobr   babel_update_oobr.pcap  babel_update_oobr.out   -c 52
 # bad packets from Junjie Wang
 ospf6_print_lshdr-oobr ospf6_print_lshdr-oobr.pcapng   ospf6_print_lshdr-oobr.out      -vv -c15
 rpl-dao-oobr           rpl-dao-oobr.pcapng             rpl-dao-oobr.out                -vv -c1
+hncp_prefix-oobr       hncp_prefix-oobr.pcapng         hncp_prefix-oobr.out            -vvv
 
 # RTP tests
 # fuzzed pcap
diff --git a/tests/hncp_prefix-oobr.out b/tests/hncp_prefix-oobr.out
new file mode 100644 (file)
index 0000000..1908b89
--- /dev/null
@@ -0,0 +1,48 @@
+IP6 (class 0xc0, hlim 1, next-header UDP (17) payload length: 436) fe80::b299:28ff:ffc8:d646.6696 > ff02::59:0:0:1:6.6696: [bad udp cksum 0x2997 -> 0xbbd2!] babel 2 (424)
+       Hello seqno 58134 interval 4.00s sub-unknown-0x08 sub-pad1 sub-pad1 sub-unknown-0x04 sub-unknown-0x30 sub-diversity 2-2 (bogus) sub-diversity 2-2 (bogus) sub-diversity 2-48 (bogus) (invalid)
+       Unknown message type 48
+       Unknown message type 223
+       Pad 1
+       Unknown message type 51
+       Pad 1
+       Pad 1
+       Pad 1
+       HMAC  (invalid)
+IP6 (hlim 57, next-header UDP (17) payload length: 332) fe80::218:f3ff:ffa9:914e.8231 > fe80::21e:64ff:fe23:4d34.8231: [bad udp cksum 0xbd4b -> 0x0e98!] hncp (324)
+       Node endpoint (12) NID: 31:da:78:d2 EPID: 03000000
+       Node state (312) NID: 31:da:78:d2 seqno: 19 160.105s hash: 800088c8e0714638
+               Peer (16) Peer-NID: 61:69:ed:63 Peer-EPID: 01000000 Local-EPID: 01000000
+               HNCP-Version (22) M: 0 P: 4 H: 4 L: 4 User-agent: hnetd/cac971d
+               External-Connection (52)
+                       Reserved: type=0 (4)
+                       Reserved: type=0 (4)
+                       Reserved: type=0 (4)
+                       Reserved: type=0 (4)
+                       Reserved: type=0 (4)
+                       Reserved: type=0 (4)
+                       Reserved: type=0 (4)
+                       Reserved: type=0 (4)
+                       Reserved: type=0 (4)
+                       Reserved: type=0 (4)
+                       Reserved: type=0 (4)
+                       Unassigned: type=510 (4)
+               Assigned-Prefix (18) EPID: 03000000 Prty: 2 Prefix: fd1f:f88c:e200::/44
+                        (invalid)
+               Assigned-Prefix (25) EPID: 01000001 Prty: 0 Prefix: ::/0
+                       Reserved: type=0 (4)
+                       Reserved: type=0 (4)
+                       [|hncp]
+               Assigned-Prefix (25) EPID: 03000000 Prty: 2 Prefix: 10.0.101.0/24
+               Node-Address (24) EPID: 01000000 IP Address: ::2100:0:ffff:a00:6302
+               Node-Address (24) EPID: 01000000 IP Address: fd1f:f88c:e207::f3ff
+               [|hncp]
+IP6 (hlim 64, next-header UDP (17) payload length: 564) fe80::218:f3ff:fea9:914e.8231 > fe80::21e:64ff:fe23:4d34.8231: [bad udp cksum 0xe65a -> 0x7725!] hncp (556)
+       Node endpoint (12) NID: 31:10:00:00 EPID: 00000000
+       Node state (544) NID: 61:69:ed:63 seqno: 12 969.699s hash: 011fffa1da966148
+               Peer (16) Peer-NID: 31:da:78:d2 Peer-EPID: 01000000 Local-EPID: 01000000
+               Future use: type=64031 (22)
+               External-Connection (23)
+                       Delegated-Prefix (19) VLSO: 0.599s PLSO: 0.299s Prefix: fd1f:f88c:e207::/48
+               Assigned-Prefix (143) EPID: 8b8b8b8b Prty: 11 Prefix:   (invalid)
+               Private use: type=768 (4)
+               [|hncp]
diff --git a/tests/hncp_prefix-oobr.pcapng b/tests/hncp_prefix-oobr.pcapng
new file mode 100644 (file)
index 0000000..9c4c016
Binary files /dev/null and b/tests/hncp_prefix-oobr.pcapng differ