]> The Tcpdump Group git mirrors - tcpdump/commitdiff
projects / tcpdump / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d71bc47)
CVE-2017-13021/ICMP6: Add a missing bounds check.
authorGuy Harris <[email protected]>
Wed, 22 Mar 2017 06:01:44 +0000 (23:01 -0700)
committerDenis Ovsienko <[email protected]>
Sun, 3 Sep 2017 23:08:58 +0000 (00:08 +0100)
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.

print-icmp6.c patch | blob | history
tests/TESTLIST patch | blob | history
tests/icmp6_mobileprefix_asan.out [new file with mode: 0644] patch | blob
tests/icmp6_mobileprefix_asan.pcap [new file with mode: 0644] patch | blob

diff --git a/print-icmp6.c b/print-icmp6.c
index 7fe639dc833b461aa9021ac65aa1ac3fb140749f..c481e446fa5d3cf79e6f727775b800cb8374ed65 100644 (file)
--- a/print-icmp6.c
+++ b/print-icmp6.c
@@ -1131,6 +1131,7 @@ icmp6_print(netdissect_options *ndo,
                if (ndo->ndo_vflag) {
                        ND_TCHECK(dp->icmp6_data16[0]);
                        ND_PRINT((ndo,", id 0x%04x", EXTRACT_16BITS(&dp->icmp6_data16[0])));
+                       ND_TCHECK(dp->icmp6_data16[1]);
                        if (dp->icmp6_data16[1] & 0xc0)
                                ND_PRINT((ndo," "));
                        if (dp->icmp6_data16[1] & 0x80)
diff --git a/tests/TESTLIST b/tests/TESTLIST
index dc09412634e7802a94370a36b227fa21e3818e4c..02bf5422079f2d594edc7f99c917810d7c7299e5 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -519,6 +519,7 @@ dhcp6_reconf_asan   dhcp6_reconf_asan.pcap          dhcp6_reconf_asan.out   -v
 pgm_opts_asan          pgm_opts_asan.pcap              pgm_opts_asan.out       -v
 pgm_opts_asan_2                pgm_opts_asan_2.pcap            pgm_opts_asan_2.out     -v
 vtp_asan               vtp_asan.pcap                   vtp_asan.out    -v
+icmp6_mobileprefix_asan        icmp6_mobileprefix_asan.pcap    icmp6_mobileprefix_asan.out     -v
 
 # RTP tests
 # fuzzed pcap
diff --git a/tests/icmp6_mobileprefix_asan.out b/tests/icmp6_mobileprefix_asan.out
new file mode 100644 (file)
index 0000000..0e0d97c
--- /dev/null
+++ b/tests/icmp6_mobileprefix_asan.out
@@ -0,0 +1,2 @@
+IP6 (class 0x50, flowlabel 0x0002c, hlim 0, next-header ICMPv6 (58) payload length: 7168) 4f:f829:c:1a1a:1a1a:1a1a:1a37:0 > 16:0:400:0:64fb:9303:f293:8200: ICMP6, mobile router advertisement, length 7168, id 0x9393[|icmp6]
+[|ether]
diff --git a/tests/icmp6_mobileprefix_asan.pcap b/tests/icmp6_mobileprefix_asan.pcap
new file mode 100644 (file)
index 0000000..fa40fbb
Binary files /dev/null and b/tests/icmp6_mobileprefix_asan.pcap differ
[mirror] the TCPdump network dissector