CVE-2017-13012/ICMP: Add a missing bounds check.

Check before fetching the length from the included packet's IPv4 header.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.

diff --git a/print-icmp.c b/print-icmp.c
index ec7525357fcd8044b24e5aead604462e2b271849..366094eff829c08e519017334fdaa656ce40e333 100644 (file)
--- a/print-icmp.c
+++ b/print-icmp.c
@@ -581,6 +581,7 @@ icmp_print(netdissect_options *ndo, const u_char *bp, u_int plen, const u_char *
                ND_PRINT((ndo, "\n\t"));
                ip = (const struct ip *)bp;
                 snapend_save = ndo->ndo_snapend;
+               ND_TCHECK_16BITS(&ip->ip_len);
                ip_print(ndo, bp, EXTRACT_16BITS(&ip->ip_len));
                 ndo->ndo_snapend = snapend_save;
        }

diff --git a/tests/TESTLIST b/tests/TESTLIST
index 309e896f5f42d5e1949fa5d3900bfafac0aea15f..2fb4d46fa75ecbcaf802a3efba9840abc5b274d4 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -509,6 +509,7 @@ pktap-heap-overflow pktap-heap-overflow.pcap        pktap-heap-overflow.out -v
 
 # bad packets from Bhargava Shastry
 lldp_asan              lldp_asan.pcap                  lldp_asan.out   -v
+extract_read2_asan     extract_read2_asan.pcap         extract_read2_asan.out  -v
 
 # RTP tests
 # fuzzed pcap

diff --git a/tests/extract_read2_asan.out b/tests/extract_read2_asan.out
new file mode 100644 (file)
index 0000000..d0b72ed
--- /dev/null
+++ b/tests/extract_read2_asan.out
@@ -0,0 +1,3 @@
+IP (tos 0x14, id 1, offset 0, flags [none], proto ICMP (1), length 512, options (unknown 3,unknown 3,unknown 3 [bad length 3]), bad cksum 3ff (->b4bd)!)
+    240.25.0.0 > 3.3.3.3: ICMP source quench, length 484
+       [|icmp]

diff --git a/tests/extract_read2_asan.pcap b/tests/extract_read2_asan.pcap
new file mode 100644 (file)
index 0000000..d30ee16
Binary files /dev/null and b/tests/extract_read2_asan.pcap differ