]> The Tcpdump Group git mirrors - tcpdump/commitdiff
projects / tcpdump / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6d20b78)
Babel: Add a missing length check.
authorDenis Ovsienko <[email protected]>
Tue, 12 Sep 2017 10:30:50 +0000 (11:30 +0100)
committerFrancois-Xavier Le Bail <[email protected]>
Mon, 28 Oct 2019 18:09:38 +0000 (19:09 +0100)
In babel_print_v2() check that the Babel packet body length does not
exceed the outer UDP packet payload. This helps to detect some invalid
packets earlier but does not fix a known vulnerability.

Update the output of a test accordingly.

Cherry picked from 651020754a171b1f279c2c444a5b1e725d4dd781
in 4.9 branch.

print-babel.c patch | blob | history
tests/babel_update_oobr.out patch | blob | history

diff --git a/print-babel.c b/print-babel.c
index 6f03e1462660ef39e75e275042c7aabc0046e13b..7dba0765aee84ba36d8b53af4ba2b4e96551d9c0 100644 (file)
--- a/print-babel.c
+++ b/print-babel.c
@@ -359,6 +359,8 @@ babel_print_v2(netdissect_options *ndo,
         goto invalid;
     bodylen = GET_BE_U_2(cp + 2);
     ND_PRINT(" (%u)", bodylen);
+    if (4U + bodylen > length)
+        goto invalid;
 
     /* Process the TLVs in the body */
     i = 0;
diff --git a/tests/babel_update_oobr.out b/tests/babel_update_oobr.out
index f0149bd48b1e2ca3f60855938c93d2a80381c389..a6749d79d9a594074e6671a254c752a1531a0995 100644 (file)
--- a/tests/babel_update_oobr.out
+++ b/tests/babel_update_oobr.out
@@ -63,7 +63,7 @@
    49  09:18:56.000000 IP 10.0.0.1.88 > 0.234.154.214.24074:  v4 be KDC_REQUEST: ^O^O^O^O.^DM-2M-!^BM-W^CM-!^B@^D 0min ^P.^VM-^H [|krb]
    50  00:00:00.000000 IP 10.0.0.1.88 > 0.234.154.214.24074:  v4 be KDC_REQUEST: ^O^O^O^O^O7M-^@M-^?M-^@^D^O^O^O^O^O^P.M-^?M-^?^O^O^O@^VM-^H [|krb]
    51  00:34:08.000000 IP 10.0.0.1.88 > 0.234.154.214.24074:  v4 be KDC_REQUEST: ^O^O^O^O.^DM-^@M-^?M-^?M-^?^CM-!^B@^D 0min ^P.^VM-^H [|krb]
-   52  18:12:16.000000 IP 208.21.42.58.6697 > 110.228.104.254.30952: babel 2 (2056) update (invalid)
+   52  18:12:16.000000 IP 208.21.42.58.6697 > 110.228.104.254.30952: babel 2 (2056) (invalid)
    53  00:00:07.008320 IP 208.21.2.184.1512 > 10.1.1.99.496:  auto-rp candidate-advert Hold 16m16s RP 1.235.99.5 PIMv? [rsvd=0xe8] 4.0.0.31/0 bidir,255.0.0.0/33[rsvd=0x14] [|cisco_autorp]
    54  [Error converting time] IP 41.0.0.1.88 > 32.235.154.214.24074:  v4 be KDC_REQUEST: M-h^AM-p.PQM-a^QM-x^CM-P^U^BM-8^J^AM-kc^EM-h^K^B@^D [|krb]
    55  00:00:00.000000 IP 208.21.2.184.1512 > 10.1.1.99.496:  auto-rp candidate-advert Hold 16m16s RP 1.235.99.5 PIMv? [rsvd=0xe8] 4.0.100.177/0 bidir,!172.0.176.22/177[rsvd=0xb0] [|cisco_autorp]
[mirror] the TCPdump network dissector