]> The Tcpdump Group git mirrors - tcpdump/commitdiff
projects / tcpdump / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d515b4b)
CVE-2017-13049/Rx: add a missing bounds check for Ubik
authorDenis Ovsienko <[email protected]>
Fri, 4 Aug 2017 16:15:07 +0000 (17:15 +0100)
committerDenis Ovsienko <[email protected]>
Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
One of the case blocks in ubik_print() didn't check bounds before
fetching 32 bits of packet data and could overread past the captured
packet data by that amount.

This fixes a buffer over-read discovered by Henri Salo from Nixu
Corporation.

Add a test using the capture file supplied by the reporter(s).

print-rx.c patch | blob | history
tests/TESTLIST patch | blob | history
tests/rx_ubik-oobr.out [new file with mode: 0644] patch | blob
tests/rx_ubik-oobr.pcap [new file with mode: 0644] patch | blob

diff --git a/print-rx.c b/print-rx.c
index 9df6b6aeec522b73ef977074fb53d3265811320b..741d3043d2b355ed8aa1aaf97ae5514e8d924288 100644 (file)
--- a/print-rx.c
+++ b/print-rx.c
@@ -2577,6 +2577,7 @@ ubik_print(netdissect_options *ndo,
                        INTOUT();
                        ND_PRINT((ndo, " length"));
                        INTOUT();
+                       ND_TCHECK_32BITS(bp);
                        temp = EXTRACT_32BITS(bp);
                        bp += sizeof(int32_t);
                        tok2str(ubik_lock_types, "type %d", temp);
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 63e7eee0000cad241b63f58579bd76449f18b903..08cb0d9ac0c3c2a2002fe1371ad164f9b6d4d9c8 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -573,6 +573,9 @@ mlppp-oobr          mlppp-oobr.pcap                 mlppp-oobr.out
 mptcp-dss-oobr         mptcp-dss-oobr.pcap             mptcp-dss-oobr.out      -v
 icmp6_nodeinfo_oobr    icmp6_nodeinfo_oobr.pcap        icmp6_nodeinfo_oobr.out
 
+# bad packets from Henri Salo
+rx_ubik-oobr           rx_ubik-oobr.pcap               rx_ubik-oobr.out -c1
+
 # RTP tests
 # fuzzed pcap
 rtp-seg-fault-1  rtp-seg-fault-1.pcap  rtp-seg-fault-1.out  -v -T rtp
diff --git a/tests/rx_ubik-oobr.out b/tests/rx_ubik-oobr.out
new file mode 100644 (file)
index 0000000..f192432
--- /dev/null
+++ b/tests/rx_ubik-oobr.out
@@ -0,0 +1 @@
+IP truncated-ip - 2598 bytes missing! 222.241.104.198.3503 > 131.63.241.146.7002:  rx data pt ubik call disk-lock tid 50266112.32382 file 2122216448 pos 545160708 length 1087685554 [|ubik] (2632)
diff --git a/tests/rx_ubik-oobr.pcap b/tests/rx_ubik-oobr.pcap
new file mode 100644 (file)
index 0000000..69caac9
Binary files /dev/null and b/tests/rx_ubik-oobr.pcap differ
[mirror] the TCPdump network dissector