]> The Tcpdump Group git mirrors - tcpdump/commitdiff
projects / tcpdump / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: eee0b04)
CVE-2017-13023/IPv6 mobility: Add a bounds check before fetching data
authorFrancois-Xavier Le Bail <[email protected]>
Wed, 22 Mar 2017 15:08:25 +0000 (16:08 +0100)
committerDenis Ovsienko <[email protected]>
Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't cause 'tcpdump: pcap_loop: truncated dump file'

print-mobility.c patch | blob | history
tests/TESTLIST patch | blob | history
tests/mobility_opt_asan.out [new file with mode: 0644] patch | blob
tests/mobility_opt_asan.pcap [new file with mode: 0644] patch | blob

diff --git a/print-mobility.c b/print-mobility.c
index 16d3f7c29bfe329c069e7d9665593cabb1bc4c2f..64497b36e86ee7c4bf3533c33b3a67a6958db8c5 100644 (file)
--- a/print-mobility.c
+++ b/print-mobility.c
@@ -150,6 +150,7 @@ mobility_opt_print(netdissect_options *ndo,
                                goto trunc;
                        }
                        /* units of 4 secs */
+                       ND_TCHECK_16BITS(&bp[i+2]);
                        ND_PRINT((ndo, "(refresh: %u)",
                                EXTRACT_16BITS(&bp[i+2]) << 2));
                        break;
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 657196ba23cb4eb6db39330b22b9d53942031628..3e215960d7b4ec5a2793ba182e8537bbb3c642e7 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -524,6 +524,7 @@ pgm_opts_asan_2             pgm_opts_asan_2.pcap            pgm_opts_asan_2.out     -v
 vtp_asan               vtp_asan.pcap                   vtp_asan.out    -v
 icmp6_mobileprefix_asan        icmp6_mobileprefix_asan.pcap    icmp6_mobileprefix_asan.out     -v
 ip_printroute_asan     ip_printroute_asan.pcap         ip_printroute_asan.out  -v
+mobility_opt_asan      mobility_opt_asan.pcap          mobility_opt_asan.out   -v
 
 # RTP tests
 # fuzzed pcap
diff --git a/tests/mobility_opt_asan.out b/tests/mobility_opt_asan.out
new file mode 100644 (file)
index 0000000..91493c2
--- /dev/null
+++ b/tests/mobility_opt_asan.out
@@ -0,0 +1,2 @@
+IP6 (class 0x50, flowlabel 0x00004, hlim 0, next-header Mobile IP (old) (62) payload length: 7168) d400:7fa1:0:400::6238:2949 > 9675:86dd:7300:2c:1c7f:ffff:ffc3:b2a1: mobility: BU seq#=116 A lifetime=15872(pad1)[|MOBILITY]
+IP6 (class 0x50, flowlabel 0x00004, hlim 0, next-header Mobile IP (old) (62) payload length: 7168) d4c3:b2a1:200:400::6238:2949 > 9675:86dd:73f0:2c:1c7f:ffff:ebc3:b291: mobility: BU seq#=116 A lifetime=15360[|MOBILITY]
diff --git a/tests/mobility_opt_asan.pcap b/tests/mobility_opt_asan.pcap
new file mode 100644 (file)
index 0000000..d28de32
Binary files /dev/null and b/tests/mobility_opt_asan.pcap differ
[mirror] the TCPdump network dissector