CVE-2016-7974/Check before fetching the IP protocol version.
authorGuy Harris <[email protected]>
Fri, 3 Jul 2015 18:19:17 +0000 (11:19 -0700)
committerFrancois-Xavier Le Bail <[email protected]>
Wed, 18 Jan 2017 08:16:35 +0000 (09:16 +0100)
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.

print-ip.c
tests/TESTLIST
tests/heap-overflow-1.out [new file with mode: 0644]
tests/heap-overflow-1.pcap [new file with mode: 0644]

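--- a/print-ip.c
+++ b/print-ip.c
@@ -681,24 +681,28 @@ trunc:
 void
 ipN_print(netdissect_options *ndo, register const u_char *bp, register u_int length)
 {
-       struct ip hdr;
-
-       if (length < 4) {
+       if (length < 1) {
                ND_PRINT((ndo, "truncated-ip %d", length));
                return;
        }
-       memcpy (&hdr, bp, 4);
-       switch (IP_V(&hdr)) {
-       case 4:
+
+       ND_TCHECK(*bp);
+       switch (*bp & 0xF0) {
+       case 0x40:
                ip_print (ndo, bp, length);
-               return;
-       case 6:
+               break;
+       case 0x60:
                ip6_print (ndo, bp, length);
-               return;
+               break;
        default:
-               ND_PRINT((ndo, "unknown ip %d", IP_V(&hdr)));
-               return;
+               ND_PRINT((ndo, "unknown ip %d", (*bp & 0xF0) >> 4));
+               break;
        }
+       return;
+
+trunc:
+       ND_PRINT((ndo, "%s", tstr));
+       return;
 }
 
 /*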
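Review bot: The new ipN_print body relies on two distinct guards — the `length < 1` test on the on-the-wire length and `ND_TCHECK(*bp)` on the captured data — but nothing in the function says why both are needed, which is exactly what the heap overflow was about and what a later cleanup is likely to collapse. I would add above the length check `/* length is the on-the-wire length; ND_TCHECK bounds the read against the captured bytes. A packet can claim more length than was captured, so both checks are required. */` and at the switch `/* Only the version nibble of the first byte is read here; ip_print()/ip6_print() must bounds-check the rest of their headers themselves. */`. The `trunc:` label prints `tstr`, which I take to be the file-level truncation string already used by the preceding function's `trunc:` seen in the hunk header; worth confirming it is in scope at this point in the file. Printing `(*bp & 0xF0) >> 4` in the default case keeps the output format identical to the old `IP_V()` path, which the new heap-overflow-1.out (`unknown ip 3`) depends on.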
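--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -366,3 +366,6 @@ bfd-raw-auth-md5 bfd-raw-auth-md5.pcap bfd-raw-auth-md5.out -t
 bfd-raw-auth-md5-v bfd-raw-auth-md5.pcap bfd-raw-auth-md5-v.out -t -v
 bfd-raw-auth-sha1 bfd-raw-auth-sha1.pcap bfd-raw-auth-sha1.out -t
 bfd-raw-auth-sha1-v bfd-raw-auth-sha1.pcap bfd-raw-auth-sha1-v.out -t -v
+
+# bad packets from Hanno Böck
+heap-overflow-1        heap-overflow-1.pcap            heap-overflow-1.out     -t -v -n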
diff --git a/tests/heap-overflow-1.out b/tests/heap-overflow-1.out
new file mode 100644 (file)
index 0000000..4d2862d
--- /dev/null
@@ -0,0 +1 @@
+unknown ip 3
diff --git a/tests/heap-overflow-1.pcap b/tests/heap-overflow-1.pcap
new file mode 100644 (file)
index 0000000..ada5c78
Binary files /dev/null and b/tests/heap-overflow-1.pcap differ