CVE-2017-13008/IEEE 802.11: Fix TIM bitmap copy to copy from p + offset.

offset has already been advanced to point to the bitmap; we shouldn't
add the amount to advance again.

This fixes a buffer over-read discovered by Brian 'geeknik' Carpenter.

Add a test using the capture file supplied by the reporter(s).

While we're at it, remove some redundant tests - we've already checked,
before the case statement, whether we have captured the entire
information element and whether the entire information element is
present in the on-the-wire packet; in the cases for particular IEs, we
only need to make sure we don't go past the end of the IE.

diff --git a/print-802_11.c b/print-802_11.c
index 17c1f70cb6cd752004117e02c53744c3705db71d..d8bf039de1ab0fff45654840a761825e921a4509 100644 (file)
--- a/print-802_11.c
+++ b/print-802_11.c
@@ -1039,10 +1039,6 @@ parse_elements(netdissect_options *ndo,
                        if (ssid.length != 0) {
                                if (ssid.length > sizeof(ssid.ssid) - 1)
                                        return 0;
-                               if (!ND_TTEST2(*(p + offset), ssid.length))
-                                       return 0;
-                               if (length < ssid.length)
-                                       return 0;
                                memcpy(&ssid.ssid, p + offset, ssid.length);
                                offset += ssid.length;
                                length -= ssid.length;
@@ -1068,10 +1064,6 @@ parse_elements(netdissect_options *ndo,
                                if (challenge.length >
                                    sizeof(challenge.text) - 1)
                                        return 0;
-                               if (!ND_TTEST2(*(p + offset), challenge.length))
-                                       return 0;
-                               if (length < challenge.length)
-                                       return 0;
                                memcpy(&challenge.text, p + offset,
                                    challenge.length);
                                offset += challenge.length;
@@ -1097,10 +1089,6 @@ parse_elements(netdissect_options *ndo,
                        if (rates.length != 0) {
                                if (rates.length > sizeof rates.rate)
                                        return 0;
-                               if (!ND_TTEST2(*(p + offset), rates.length))
-                                       return 0;
-                               if (length < rates.length)
-                                       return 0;
                                memcpy(&rates.rate, p + offset, rates.length);
                                offset += rates.length;
                                length -= rates.length;
@@ -1189,7 +1177,7 @@ parse_elements(netdissect_options *ndo,
                        offset += 3;
                        length -= 3;
 
-                       memcpy(tim.bitmap, p + offset + 3, tim.length - 3);
+                       memcpy(tim.bitmap, p + offset, tim.length - 3);
                        offset += tim.length - 3;
                        length -= tim.length - 3;
                        /*

diff --git a/tests/TESTLIST b/tests/TESTLIST
index 38e5b23d1b3a59dc2a18dde8534a481dc7cb8034..e08ca953a514647b4d0740c959d430076eb2751e 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -435,6 +435,7 @@ ipv6-rthdr-oobr             ipv6-rthdr-oobr.pcap            ipv6-rthdr-oobr.out
 ieee802.11_tim_ie_oobr ieee802.11_tim_ie_oobr.pcap     ieee802.11_tim_ie_oobr.out
 decnet-shorthdr-oobr   decnet-shorthdr-oobr.pcap       decnet-shorthdr-oobr.out
 isakmp-3948-oobr-2     isakmp-3948-oobr-2.pcap         isakmp-3948-oobr-2.out
+ieee802.11_rates_oobr  ieee802.11_rates_oobr.pcap      ieee802.11_rates_oobr.out
 
 # bad packets from Kamil Frankowicz
 snmp-heapoverflow-1    snmp-heapoverflow-1.pcap        snmp-heapoverflow-1.out

diff --git a/tests/ieee802.11_rates_oobr.out b/tests/ieee802.11_rates_oobr.out
new file mode 100644 (file)
index 0000000..222eed3
--- /dev/null
+++ b/tests/ieee802.11_rates_oobr.out
@@ -0,0 +1 @@
+fhset 48 fhpat 48 48dBm signal 48dB signal 48dB noise [|802.11]Beacon IBSS, PRIVACY[|802.11]

diff --git a/tests/ieee802.11_rates_oobr.pcap b/tests/ieee802.11_rates_oobr.pcap
new file mode 100644 (file)
index 0000000..bb2819a
Binary files /dev/null and b/tests/ieee802.11_rates_oobr.pcap differ