]> The Tcpdump Group git mirrors - tcpdump/commitdiff
projects / tcpdump / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d17507f)
CVE-2017-12987/IEEE 802.11: Fix processing of TIM IE.
authorGuy Harris <[email protected]>
Mon, 6 Feb 2017 19:24:42 +0000 (11:24 -0800)
committerDenis Ovsienko <[email protected]>
Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
The arguments to memcpy() were completely wrong.

This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by Brian 'geeknik' Carpenter.

print-802_11.c patch | blob | history
tests/TESTLIST patch | blob | history
tests/ieee802.11_tim_ie_oobr.out [new file with mode: 0644] patch | blob
tests/ieee802.11_tim_ie_oobr.pcap [new file with mode: 0644] patch | blob

diff --git a/print-802_11.c b/print-802_11.c
index 1bbe47ace504c4674be06db14d664d84fbdc6e34..17c1f70cb6cd752004117e02c53744c3705db71d 100644 (file)
--- a/print-802_11.c
+++ b/print-802_11.c
@@ -1189,8 +1189,7 @@ parse_elements(netdissect_options *ndo,
                        offset += 3;
                        length -= 3;
 
-                       memcpy(tim.bitmap, p + (tim.length - 3),
-                           (tim.length - 3));
+                       memcpy(tim.bitmap, p + offset + 3, tim.length - 3);
                        offset += tim.length - 3;
                        length -= tim.length - 3;
                        /*
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 0829e90d2d1b496b23e8f622128b20235945e5c3..bfd58991d31facd319311f91d5c74bccf777cc3c 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -435,6 +435,7 @@ atm-heapoverflow    atm-heapoverflow.pcap           atm-heapoverflow.out            -c1 -e
 ipv6-next-header-oobr-1        ipv6-next-header-oobr-1.pcap    ipv6-next-header-oobr-1.out
 ipv6-next-header-oobr-2        ipv6-next-header-oobr-2.pcap    ipv6-next-header-oobr-2.out
 ipv6-rthdr-oobr                ipv6-rthdr-oobr.pcap            ipv6-rthdr-oobr.out
+ieee802.11_tim_ie_oobr ieee802.11_tim_ie_oobr.pcap     ieee802.11_tim_ie_oobr.out
 
 # bad packets from Kamil Frankowicz
 snmp-heapoverflow-1    snmp-heapoverflow-1.pcap        snmp-heapoverflow-1.out
diff --git a/tests/ieee802.11_tim_ie_oobr.out b/tests/ieee802.11_tim_ie_oobr.out
new file mode 100644 (file)
index 0000000..5268683
--- /dev/null
+++ b/tests/ieee802.11_tim_ie_oobr.out
@@ -0,0 +1,4 @@
+ReAssoc Response AID(3030) : PRIVACY : n/a[|802.11]
+ReAssoc Response AID(3030) : PRIVACY : n/a[|802.11]
+[|802.11]
+ReAssoc Response AID(3030) : PRIVACY : n/a[|802.11]
diff --git a/tests/ieee802.11_tim_ie_oobr.pcap b/tests/ieee802.11_tim_ie_oobr.pcap
new file mode 100644 (file)
index 0000000..bb05c81
Binary files /dev/null and b/tests/ieee802.11_tim_ie_oobr.pcap differ
[mirror] the TCPdump network dissector