]> The Tcpdump Group git mirrors - tcpdump/commitdiff
projects / tcpdump / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0c38481)
CVE-2017-13054/LLDP: add a missing length check
authorDenis Ovsienko <[email protected]>
Wed, 9 Aug 2017 23:01:55 +0000 (00:01 +0100)
committerDenis Ovsienko <[email protected]>
Sun, 3 Sep 2017 23:08:58 +0000 (00:08 +0100)
In lldp_private_8023_print() the case block for subtype 4 (Maximum Frame
Size TLV, IEEE 802.3bc-2009 Section 79.3.4) did not include the length
check and could over-read the input buffer, put it right.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).

print-lldp.c patch | blob | history
tests/TESTLIST patch | blob | history
tests/lldp_8023_mtu-oobr.out [new file with mode: 0644] patch | blob
tests/lldp_8023_mtu-oobr.pcap [new file with mode: 0644] patch | blob

diff --git a/print-lldp.c b/print-lldp.c
index add7e6a5f94133645ac7b880dbe80e69f8ff7b25..e87b16bd0fcc16444599148d7e4f029298a0be30 100644 (file)
--- a/print-lldp.c
+++ b/print-lldp.c
@@ -898,6 +898,9 @@ lldp_private_8023_print(netdissect_options *ndo,
         break;
 
     case LLDP_PRIVATE_8023_SUBTYPE_MTU:
+        if (tlv_len < 6) {
+            return hexdump;
+        }
         ND_PRINT((ndo, "\n\t    MTU size %u", EXTRACT_16BITS(tptr + 4)));
         break;
 
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 05a537bd693a582dd6122329974970119da3d4d3..17fd373772a23d5fe7201366ee32a6bb7eb009b4 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -568,6 +568,7 @@ rsvp_uni-oobr-1     rsvp_uni-oobr-1.pcap    rsvp_uni-oobr-1.out     -v -c1
 rsvp_uni-oobr-2        rsvp_uni-oobr-2.pcap    rsvp_uni-oobr-2.out     -v -c1
 rsvp_uni-oobr-3        rsvp_uni-oobr-3.pcap    rsvp_uni-oobr-3.out     -v -c3
 rpki-rtr-oob           rpki-rtr-oob.pcap       rpki-rtr-oob.out        -v -c1
+lldp_8023_mtu-oobr     lldp_8023_mtu-oobr.pcap lldp_8023_mtu-oobr.out  -v -c1
 
 # bad packets from Katie Holly
 mlppp-oobr             mlppp-oobr.pcap                 mlppp-oobr.out
diff --git a/tests/lldp_8023_mtu-oobr.out b/tests/lldp_8023_mtu-oobr.out
new file mode 100644 (file)
index 0000000..5185583
--- /dev/null
+++ b/tests/lldp_8023_mtu-oobr.out
@@ -0,0 +1,4 @@
+LLDP, length 4293194266
+       Organization specific TLV (127), length 4: OUI IEEE 802.3 Private (0x00120f)
+         Max frame size Subtype (4)
+       [|LLDP]
diff --git a/tests/lldp_8023_mtu-oobr.pcap b/tests/lldp_8023_mtu-oobr.pcap
new file mode 100644 (file)
index 0000000..dc6d3df
Binary files /dev/null and b/tests/lldp_8023_mtu-oobr.pcap differ
[mirror] the TCPdump network dissector