CVE-2017-12993/Juniper: Add more bounds checks.
authorGuy Harris <[email protected]>
Tue, 7 Feb 2017 18:33:07 +0000 (10:33 -0800)
committerDenis Ovsienko <[email protected]>
Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
This fixes a buffer over-read discovered by Kamil Frankowicz.

Add tests using the capture files supplied by the reporter(s).

print-juniper.c
tests/TESTLIST
tests/hoobr_juniper.out [new file with mode: 0644]
tests/hoobr_juniper.pcap [new file with mode: 0644]
tests/hoobr_juniper2.out [new file with mode: 0644]
tests/hoobr_juniper2.pcap [new file with mode: 0644]
tests/hoobr_juniper3.out [new file with mode: 0644]
tests/hoobr_juniper3.pcap [new file with mode: 0644]

index 9a258d9ae2de1a2cee6bb48fb2232524769f0a88..e8879ea7b6b58bfcc8ce1439bc8f03cfd458c046 100644 (file)
@@ -472,6 +472,7 @@ juniper_ggsn_print(netdissect_options *ndo,
         p+=l2info.header_len;
         gh = (struct juniper_ggsn_header *)&l2info.cookie;
 
+        ND_TCHECK(*gh);
         if (ndo->ndo_eflag) {
             ND_PRINT((ndo, "proto %s (%u), vlan %u: ",
                    tok2str(juniper_protocol_values,"Unknown",gh->proto),
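Review bot: The `ND_TCHECK(*gh)` added in this hunk checks the wrong object: two lines above, gh is set to `&l2info.cookie`, a field of the local l2info struct, not a pointer into the packet buffer, so the macro compares a stack address against ndo->ndo_snapend. That comparison does not bound any captured data, compares pointers into different objects (undefined behaviour in C), and depending on where the stack sits relative to the capture buffer may report every GGSN frame as truncated. The cookie bytes were copied out of the packet in juniper_parse_header, so the length check belongs at that copy, and this ND_TCHECK should be dropped, keeping the new `trunc:` label only if something else in the function still jumps to it. juniper_ggsn_print starts before this hunk.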
@@ -492,6 +493,10 @@ juniper_ggsn_print(netdissect_options *ndo,
         }
 
         return l2info.header_len;
+
+trunc:
+       ND_PRINT((ndo, "[|juniper_services]"));
+       return l2info.header_len;
 }
 #endif
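Review bot: The truncation message in the new `trunc:` label reads `"[|juniper_services]"` although this function is juniper_ggsn_print; the same copied string appears in the juniper_es_print and juniper_monitor_print labels in the next two hunks, while juniper_services_print, pppoe_atm, atm1 and atm2 each name their own dissector. Someone reading the output cannot tell which header was short, so each label should name its own function, e.g. `ND_PRINT((ndo, "[|juniper_ggsn]"));`, `"[|juniper_es]"` and `"[|juniper_monitor]"`. If hoobr_juniper3.pcap reaches one of those three functions, tests/hoobr_juniper3.out, which expects `[|juniper_services]`, would need the matching update. The added lines also appear indented one column less than the surrounding body, which may be a rendering artefact but is worth checking against the file's tab/space convention.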
 
@@ -519,6 +524,7 @@ juniper_es_print(netdissect_options *ndo,
         p+=l2info.header_len;
         ih = (const struct juniper_ipsec_header *)p;
 
+        ND_TCHECK(*ih);
         switch (ih->type) {
         case JUNIPER_IPSEC_O_ESP_ENCRYPT_ESP_AUTHEN_TYPE:
         case JUNIPER_IPSEC_O_ESP_ENCRYPT_AH_AUTHEN_TYPE:
@@ -564,6 +570,10 @@ juniper_es_print(netdissect_options *ndo,
 
         ip_print(ndo, p, l2info.length);
         return l2info.header_len;
+
+trunc:
+       ND_PRINT((ndo, "[|juniper_services]"));
+       return l2info.header_len;
 }
 #endif
 
@@ -588,6 +598,7 @@ juniper_monitor_print(netdissect_options *ndo,
         p+=l2info.header_len;
         mh = (const struct juniper_monitor_header *)p;
 
+        ND_TCHECK(*mh);
         if (ndo->ndo_eflag)
             ND_PRINT((ndo, "service-id %u, iif %u, pkt-type %u: ",
                    EXTRACT_32BITS(&mh->service_id),
@@ -598,6 +609,10 @@ juniper_monitor_print(netdissect_options *ndo,
         ip_heuristic_guess (ndo, p, l2info.length);
 
         return l2info.header_len;
+
+trunc:
+       ND_PRINT((ndo, "[|juniper_services]"));
+       return l2info.header_len;
 }
 #endif
 
@@ -622,6 +637,7 @@ juniper_services_print(netdissect_options *ndo,
         p+=l2info.header_len;
         sh = (const struct juniper_services_header *)p;
 
+        ND_TCHECK(*sh);
         if (ndo->ndo_eflag)
             ND_PRINT((ndo, "service-id %u flags 0x%02x service-set-id 0x%04x iif %u: ",
                    sh->svc_id,
@@ -633,6 +649,10 @@ juniper_services_print(netdissect_options *ndo,
         ip_heuristic_guess (ndo, p, l2info.length);
 
         return l2info.header_len;
+
+trunc:
+       ND_PRINT((ndo, "[|juniper_services]"));
+       return l2info.header_len;
 }
 #endif
 
@@ -740,6 +760,7 @@ juniper_pppoe_atm_print(netdissect_options *ndo,
 
         p+=l2info.header_len;
 
+        ND_TCHECK2(p[0], 2);
         extracted_ethertype = EXTRACT_16BITS(p);
         /* this DLT contains nothing but raw PPPoE frames,
          * prepended with a type field*/
@@ -752,6 +773,10 @@ juniper_pppoe_atm_print(netdissect_options *ndo,
             ND_PRINT((ndo, "unknown ethertype 0x%04x", extracted_ethertype));
 
         return l2info.header_len;
+
+trunc:
+       ND_PRINT((ndo, "[|juniper_pppoe_atm]"));
+       return l2info.header_len;
 }
 #endif
 
@@ -940,6 +965,7 @@ juniper_atm1_print(netdissect_options *ndo,
             return l2info.header_len;
         }
 
+        ND_TCHECK2(p[0], 3);
         if (EXTRACT_24BITS(p) == 0xfefe03 || /* NLPID encaps ? */
             EXTRACT_24BITS(p) == 0xaaaa03) { /* SNAP encaps ? */
 
@@ -958,6 +984,10 @@ juniper_atm1_print(netdissect_options *ndo,
             return l2info.header_len;
 
        return l2info.header_len;
+
+trunc:
+       ND_PRINT((ndo, "[|juniper_atm1]"));
+       return l2info.header_len;
 }
 #endif
 
@@ -989,6 +1019,7 @@ juniper_atm2_print(netdissect_options *ndo,
             return l2info.header_len;
         }
 
+        ND_TCHECK2(p[0], 3);
         if (EXTRACT_24BITS(p) == 0xfefe03 || /* NLPID encaps ? */
             EXTRACT_24BITS(p) == 0xaaaa03) { /* SNAP encaps ? */
 
@@ -1016,6 +1047,10 @@ juniper_atm2_print(netdissect_options *ndo,
             return l2info.header_len;
 
        return l2info.header_len;
+
+trunc:
+       ND_PRINT((ndo, "[|juniper_atm2]"));
+       return l2info.header_len;
 }
 #endif
 
@@ -1280,6 +1315,7 @@ juniper_parse_header(netdissect_options *ndo,
     l2info->caplen -= l2info->header_len;
 
     /* search through the cookie table and copy values matching for our PIC type */
+    ND_TCHECK(p[0]);
     while (lp->s != NULL) {
         if (lp->pictype == l2info->pictype) {
 
@@ -1360,6 +1396,7 @@ juniper_parse_header(netdissect_options *ndo,
     case DLT_JUNIPER_MLFR:
         switch (l2info->cookie_type) {
         case LS_COOKIE_ID:
+            ND_TCHECK2(p[0], 2);
             l2info->bundle = l2info->cookie[1];
             l2info->proto = EXTRACT_16BITS(p);
             l2info->header_len += 2;
@@ -1383,6 +1420,7 @@ juniper_parse_header(netdissect_options *ndo,
     case DLT_JUNIPER_MFR:
         switch (l2info->cookie_type) {
         case LS_COOKIE_ID:
+            ND_TCHECK2(p[0], 2);
             l2info->bundle = l2info->cookie[1];
             l2info->proto = EXTRACT_16BITS(p);
             l2info->header_len += 2;
index 5376c12a8b51dc58e2dc0a55f25775137876c6d4..f14868fc44dcd57696d015cc2c5a82a52ff79db8 100644 (file)
@@ -451,6 +451,9 @@ nfs-attr-oobr               nfs-attr-oobr.pcap              nfs-attr-oobr.out
 decnet-oobr            decnet-oobr.pcap                decnet-oobr.out
 oobr_parse_elements    oobr_parse_elements.pcap        oobr_parse_elements.out
 hoobr_ripng_print      hoobr_ripng_print.pcap          hoobr_ripng_print.out
+hoobr_juniper          hoobr_juniper.pcap              hoobr_juniper.out
+hoobr_juniper2         hoobr_juniper2.pcap             hoobr_juniper2.out
+hoobr_juniper3         hoobr_juniper3.pcap             hoobr_juniper3.out
 
 # bad packets from Wilfried Kirsch
 slip-bad-direction     slip-bad-direction.pcap         slip-bad-direction.out  -ve
diff --git a/tests/hoobr_juniper.out b/tests/hoobr_juniper.out
new file mode 100644 (file)
index 0000000..b13cfbe
--- /dev/null
@@ -0,0 +1 @@
+[|juniper_hdr], length 808464432
diff --git a/tests/hoobr_juniper.pcap b/tests/hoobr_juniper.pcap
new file mode 100644 (file)
index 0000000..831a8c7
Binary files /dev/null and b/tests/hoobr_juniper.pcap differ
diff --git a/tests/hoobr_juniper2.out b/tests/hoobr_juniper2.out
new file mode 100644 (file)
index 0000000..1f164cf
--- /dev/null
@@ -0,0 +1 @@
+[|juniper_atm1]
diff --git a/tests/hoobr_juniper2.pcap b/tests/hoobr_juniper2.pcap
new file mode 100644 (file)
index 0000000..7c76735
Binary files /dev/null and b/tests/hoobr_juniper2.pcap differ
diff --git a/tests/hoobr_juniper3.out b/tests/hoobr_juniper3.out
new file mode 100644 (file)
index 0000000..8062118
--- /dev/null
@@ -0,0 +1 @@
+Unknown Juniper DLT_ type 132: [|juniper_services]
diff --git a/tests/hoobr_juniper3.pcap b/tests/hoobr_juniper3.pcap
new file mode 100644 (file)
index 0000000..2ab9c66
Binary files /dev/null and b/tests/hoobr_juniper3.pcap differ