CVE-2017-13689/IKEv1: Fix addr+subnet length check.
authorGuy Harris <[email protected]>
Thu, 24 Aug 2017 03:45:39 +0000 (20:45 -0700)
committerDenis Ovsienko <[email protected]>
Sun, 3 Sep 2017 23:08:58 +0000 (00:08 +0100)
An IPv6 address plus subnet mask is 32 bytes, not 20 bytes.
16 bytes of IPv6 address, 16 bytes of subnet mask.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).

print-isakmp.c
tests/TESTLIST
tests/ikev1_id_ipv6_addr_subnet-oobr.out [new file with mode: 0644]
tests/ikev1_id_ipv6_addr_subnet-oobr.pcap [new file with mode: 0644]

index 013de1c283999dbac7fa6eb40052317041ce6e83..fbc6c542037e86303177d92601c96d7d8af84617 100644 (file)
@@ -1435,8 +1435,8 @@ ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
                case IPSECDOI_ID_IPV6_ADDR_SUBNET:
                    {
                        const u_char *mask;
-                       if (len < 20)
-                               ND_PRINT((ndo," len=%d [bad: < 20]", len));
+                       if (len < 32)
+                               ND_PRINT((ndo," len=%d [bad: < 32]", len));
                        else {
                                mask = (const u_char *)(data + sizeof(struct in6_addr));
                                /*XXX*/
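Review bot: The new bound `if (len < 32)` is a bare literal that restates by hand the size of the two 16-byte fields read after it, while the very next line already derives the mask offset from `sizeof(struct in6_addr)`; writing the guard as `if (len < 2 * sizeof(struct in6_addr))` ties the check to the read it protects and keeps the two from drifting apart again. The `/*XXX*/` marker on the last hunk line says nothing about what the branch relies on; a comment such as `/* len >= 32: 16-byte IPv6 address followed by a 16-byte mask */` would record the invariant this fix establishes. Since `len` appears to come from the payload's own length field rather than the captured length (its derivation is outside the hunk), this check bounds only the claimed length; whether the enclosing function separately checks those 32 bytes against the capture buffer is not visible here and should be confirmed. ikev1_id_print continues outside the hunk; the `len=24 [bad: < 32]` line in the new expected-output file exercises the rejecting branch only, so the accepting path with a valid 32-byte payload remains untested by this change.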
index 8b34165beb92c4e2e8e0efd33cfde651941db93f..03b4d130949e4cee1de85c01b0ea80241d7830c5 100644 (file)
@@ -574,6 +574,7 @@ cfm_sender_id-oobr  cfm_sender_id-oobr.pcap cfm_sender_id-oobr.out  -v -c1
 isis-extd-isreach-oobr isis-extd-isreach-oobr.pcap     isis-extd-isreach-oobr.out -v -c4
 olsr-oobr-1            olsr-oobr-1.pcap                olsr-oobr-1.out -v
 olsr-oobr-2            olsr-oobr-2.pcap                olsr-oobr-2.out -v
+ikev1_id_ipv6_addr_subnet-oobr ikev1_id_ipv6_addr_subnet-oobr.pcap     ikev1_id_ipv6_addr_subnet-oobr.out      -v
 
 # bad packets from Katie Holly
 mlppp-oobr             mlppp-oobr.pcap                 mlppp-oobr.out
diff --git a/tests/ikev1_id_ipv6_addr_subnet-oobr.out b/tests/ikev1_id_ipv6_addr_subnet-oobr.out
new file mode 100644 (file)
index 0000000..0662f00
--- /dev/null
@@ -0,0 +1,3 @@
+IP (tos 0x0, ttl 100, id 40207, offset 0, flags [+, DF, rsvd], proto UDP (17), length 32808, bad cksum 8e7f (->bc78)!)
+    16.0.128.20.500 > 12.251.0.45.0: isakmp 1.0 msgid 0d101010: phase 2/others ? #16[]:
+    (id: idtype=IPv6net protoid=16 port=4112 len=24 [bad: < 32]) [|#145] (len mismatch: isakmp 4278190080/ip 4856)
diff --git a/tests/ikev1_id_ipv6_addr_subnet-oobr.pcap b/tests/ikev1_id_ipv6_addr_subnet-oobr.pcap
new file mode 100644 (file)
index 0000000..b9cfebd
Binary files /dev/null and b/tests/ikev1_id_ipv6_addr_subnet-oobr.pcap differ