CVE-2017-11542/PIMv1: Add a bounds check.
authorGuy Harris <[email protected]>
Tue, 7 Feb 2017 19:10:04 +0000 (11:10 -0800)
committerDenis Ovsienko <[email protected]>
Sat, 2 Sep 2017 20:36:44 +0000 (21:36 +0100)
This fixes a buffer over-read discovered by Kamil Frankowicz.

Add a test using the capture file supplied by the reporter(s).

print-pim.c
tests/TESTLIST
tests/hoobr_pimv1.out [new file with mode: 0644]
tests/hoobr_pimv1.pcap [new file with mode: 0644]

index 255259537494b3db0800f15b7980ede4f0aa2f74..ed880ae72db09c7efa77a216538f17be089b1bd7 100644 (file)
@@ -306,6 +306,7 @@ pimv1_print(netdissect_options *ndo,
                        pimv1_join_prune_print(ndo, &bp[8], len - 8);
                break;
        }
+       ND_TCHECK(bp[4]);
        if ((bp[4] >> 4) != 1)
                ND_PRINT((ndo, " [v%d]", bp[4] >> 4));
        return;
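Review bot: The new `ND_TCHECK(bp[4])` only checks that bp[4] lies inside the captured buffer; it does not relate that offset to the protocol length `len` that the switch above already passes on as `len - 8`, so a frame whose on-wire PIM length is below 5 bytes but whose capture extends past it would still have its version nibble decoded as if present. If pimv1_print's entry (outside the hunk) does not already reject such lengths, a length check next to the capture check, `if (len < 5) goto trunc;`, would make both bounds explicit. A short comment above the check would also help the next reader, e.g. `/* version nibble lives in bp[4]; the type switch above never validated that byte */`. The new test output (`[type 48][|pim]`) suggests the truncation path is reached for the reporter's capture, which is what the added check should produce.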
index 74acd65593af92ce3beb69d42ef408cd123bb5d8..dfb32c9ad3225b5d013f93ef9bf118507ca5c611 100644 (file)
@@ -439,6 +439,7 @@ snmp-heapoverflow-2 snmp-heapoverflow-2.pcap        snmp-heapoverflow-2.out
 isoclns-heapoverflow-2 isoclns-heapoverflow-2.pcap     isoclns-heapoverflow-2.out      -e -c1
 isoclns-heapoverflow-3 isoclns-heapoverflow-3.pcap     isoclns-heapoverflow-3.out      -e -c1
 stp-v4-length-sigsegv  stp-v4-length-sigsegv.pcap      stp-v4-length-sigsegv.out
+hoobr_pimv1            hoobr_pimv1.pcap                hoobr_pimv1.out
 
 # RTP tests
 # fuzzed pcap
diff --git a/tests/hoobr_pimv1.out b/tests/hoobr_pimv1.out
new file mode 100644 (file)
index 0000000..acb120b
--- /dev/null
@@ -0,0 +1,25 @@
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030                      00000000
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030 3030 3030                      00000000
+IP 48.48.48.48 > 48.48.48.48: igmp pimv1 [type 48][|pim]
diff --git a/tests/hoobr_pimv1.pcap b/tests/hoobr_pimv1.pcap
new file mode 100644 (file)
index 0000000..d9121fa
Binary files /dev/null and b/tests/hoobr_pimv1.pcap differ