CVE-2017-13016/ES-IS: Fix printing of addresses in RD PDUs.
authorGuy Harris <[email protected]>
Wed, 22 Mar 2017 02:30:48 +0000 (19:30 -0700)
committerDenis Ovsienko <[email protected]>
Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
Always print the SNPA, and flag it as such; only print it as a MAC
address if it's 6 bytes long.

Identify the NET as such.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add tests using the capture files supplied by the reporter(s), modified
so the capture files won't be rejected as an invalid capture.

13 files changed:
addrtoname.h
print-isoclns.c
tests/TESTLIST
tests/esis_snpa_asan-2.out [new file with mode: 0644]
tests/esis_snpa_asan-2.pcap [new file with mode: 0644]
tests/esis_snpa_asan-3.out [new file with mode: 0644]
tests/esis_snpa_asan-3.pcap [new file with mode: 0644]
tests/esis_snpa_asan-4.out [new file with mode: 0644]
tests/esis_snpa_asan-4.pcap [new file with mode: 0644]
tests/esis_snpa_asan-5.out [new file with mode: 0644]
tests/esis_snpa_asan-5.pcap [new file with mode: 0644]
tests/esis_snpa_asan.out [new file with mode: 0644]
tests/esis_snpa_asan.pcap [new file with mode: 0644]

index 72e5ef19d54921ad5c9e9772b75853375270a3a0..fe8b6bbe54510316c129fc340a0e1fb9a05a6872 100644 (file)
@@ -33,7 +33,8 @@ enum {
     LINKADDR_ETHER,
     LINKADDR_FRELAY,
     LINKADDR_IEEE1394,
-    LINKADDR_ATM
+    LINKADDR_ATM,
+    LINKADDR_OTHER
 };
 
 #define BUFSIZE 128
index 1f871603a4babf241ae29cc0ca086e32515762c2..38c24d95931ecd8ada25091538cae52efc994154 100644 (file)
@@ -1217,10 +1217,18 @@ esis_print(netdissect_options *ndo,
                pptr += netal;
                 li -= netal;
 
-               if (netal == 0)
-                       ND_PRINT((ndo, "\n\t  %s", etheraddr_string(ndo, snpa)));
+               if (snpal == 6)
+                       ND_PRINT((ndo, "\n\t  SNPA (length: %u): %s",
+                              snpal,
+                              etheraddr_string(ndo, snpa)));
                else
-                       ND_PRINT((ndo, "\n\t  %s", isonsap_string(ndo, neta, netal)));
+                       ND_PRINT((ndo, "\n\t  SNPA (length: %u): %s",
+                              snpal,
+                              linkaddr_string(ndo, snpa, LINKADDR_OTHER, snpal)));
+               if (netal != 0)
+                       ND_PRINT((ndo, "\n\t  NET (length: %u) %s",
+                              netal,
+                              isonsap_string(ndo, neta, netal)));
                break;
        }
 
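Review bot: The redirect-branch NET line added at the end of this hunk is formatted `"\n\t  NET (length: %u) %s"`, without the colon that the two SNPA lines in the same hunk and the ESH output in the new expected files (`NET (length: 4): ec.ff00.00`) use, and `esis_snpa_asan-4.out` now bakes in the odd form `NET (length: 4) 00.0000.00`; changing it to `"\n\t  NET (length: %u): %s"` (and that one .out line) keeps both PDU types greppable the same way. The two SNPA branches differ only in the formatter, so they could collapse to a single ND_PRINT using `snpal == 6 ? etheraddr_string(ndo, snpa) : linkaddr_string(ndo, snpa, LINKADDR_OTHER, snpal)`. The fix itself reads correctly: the removed code handed snpa to etheraddr_string whenever netal was 0, which formats six bytes regardless of snpal, while the new code only does so when snpal is exactly 6 and otherwise bounds the read by snpal. The check that makes snpal bytes at snpa readable is not in this hunk, and esis_print begins and ends outside it, so that precondition cannot be confirmed from here.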
index a20e59898f771ee1a8ff9c47a2a8de0bf657fe27..a56c3c9500501bbf29867f72a9bea4e2ba77a705 100644 (file)
@@ -513,6 +513,11 @@ lldp_asan          lldp_asan.pcap                  lldp_asan.out   -v
 extract_read2_asan     extract_read2_asan.pcap         extract_read2_asan.out  -v
 getname_2_read4_asan   getname_2_read4_asan.pcap       getname_2_read4_asan.out        -v
 eap_extract_read2_asan eap_extract_read2_asan.pcap     eap_extract_read2_asan.out      -v
+esis_snpa_asan         esis_snpa_asan.pcap             esis_snpa_asan.out      -v
+esis_snpa_asan-2       esis_snpa_asan-2.pcap           esis_snpa_asan-2.out    -v
+esis_snpa_asan-3       esis_snpa_asan-3.pcap           esis_snpa_asan-3.out    -v
+esis_snpa_asan-4       esis_snpa_asan-4.pcap           esis_snpa_asan-4.out    -v
+esis_snpa_asan-5       esis_snpa_asan-5.pcap           esis_snpa_asan-5.out    -v
 
 # RTP tests
 # fuzzed pcap
diff --git a/tests/esis_snpa_asan-2.out b/tests/esis_snpa_asan-2.out
new file mode 100644 (file)
index 0000000..0e1dd70
--- /dev/null
@@ -0,0 +1,4 @@
+UI 22! ES-IS, length 65565
+       redirect (6), v: 1, checksum: 0x70a1 (incorrect should be 0xf519), holding time: 22339s, length indicator: 17
+         00.22
+         SNPA (length: 0): <empty>, opt (0) too long
diff --git a/tests/esis_snpa_asan-2.pcap b/tests/esis_snpa_asan-2.pcap
new file mode 100644 (file)
index 0000000..5c59fa7
Binary files /dev/null and b/tests/esis_snpa_asan-2.pcap differ
diff --git a/tests/esis_snpa_asan-3.out b/tests/esis_snpa_asan-3.out
new file mode 100644 (file)
index 0000000..5e6a14d
--- /dev/null
@@ -0,0 +1,7 @@
+UI 22! ES-IS, length 65565
+       unknown type: 0 (0), v: 1, checksum: 0x00a1 (incorrect should be 0x859d), holding time: 0s, length indicator: 17
+         0x0000:  0200 04ec ff00 0000
+UI 22! ES-IS, length 2650865693
+       redirect (6), v: 1, checksum: 0x0300 (incorrect should be 0xbce5), holding time: 21480s, length indicator: 17
+         ec.ff00.00
+         SNPA (length: 0): <empty>
diff --git a/tests/esis_snpa_asan-3.pcap b/tests/esis_snpa_asan-3.pcap
new file mode 100644 (file)
index 0000000..812f542
Binary files /dev/null and b/tests/esis_snpa_asan-3.pcap differ
diff --git a/tests/esis_snpa_asan-4.out b/tests/esis_snpa_asan-4.out
new file mode 100644 (file)
index 0000000..249b248
--- /dev/null
@@ -0,0 +1,21 @@
+UI 22! ES-IS, length 65565
+       ESH (2), v: 1, checksum: 0x70a1 (incorrect should be 0xfb4e), holding time: 21315s, length indicator: 17
+         Number of Source Addresses: 2
+         NET (length: 0): isonsap_string: illegal length
+         NET (length: 4): ec.ff00.00, bad opts/li
+UI 22! ES-IS, length 65565
+       redirect (6), v: 1, checksum: 0x7034 (incorrect should be 0x44ec), holding time: 21315s, length indicator: 16
+         02.0400
+         SNPA (length: 0): <empty>
+         Unknown Option #0, length 0, value: 
+UI 32! ES-IS, length 65565
+       ESH (2), v: 1, checksum: 0x70a1 (incorrect should be 0xfb4e), holding time: 21315s, length indicator: 17
+         Number of Source Addresses: 2
+         NET (length: 0): isonsap_string: illegal length
+         NET (length: 4): ec.ff00.00, bad opts/li
+UI 22! ES-IS, length 4244701213
+       redirect (6), v: 1, checksum: 0x7034 (incorrect should be 0x36fe), holding time: 21315s, length indicator: 17
+         isonsap_string: illegal length
+         SNPA (length: 0): <empty>
+         NET (length: 4) 00.0000.00
+Q.922, invalid address
diff --git a/tests/esis_snpa_asan-4.pcap b/tests/esis_snpa_asan-4.pcap
new file mode 100644 (file)
index 0000000..9cdfe03
Binary files /dev/null and b/tests/esis_snpa_asan-4.pcap differ
diff --git a/tests/esis_snpa_asan-5.out b/tests/esis_snpa_asan-5.out
new file mode 100644 (file)
index 0000000..bd8c30d
--- /dev/null
@@ -0,0 +1,10 @@
+UI 22! ES-IS, length 65565
+       ESH (2), v: 1, checksum: 0x70a1 (incorrect should be 0xfc4c), holding time: 21315s, length indicator: 17
+         Number of Source Addresses: 3
+         NET (length: 0): isonsap_string: illegal length
+         NET (length: 4): ec.ff00.00
+         NET (length: 0): isonsap_string: illegal length
+UI 22! ES-IS, length 65565
+       redirect (6), v: 1, checksum: 0x7034 (incorrect should be 0x3ff0), holding time: 21315s, length indicator: 17
+         04
+         SNPA (length: 4): 00:00:00:00, bad opts/li
diff --git a/tests/esis_snpa_asan-5.pcap b/tests/esis_snpa_asan-5.pcap
new file mode 100644 (file)
index 0000000..98e34f1
Binary files /dev/null and b/tests/esis_snpa_asan-5.pcap differ
diff --git a/tests/esis_snpa_asan.out b/tests/esis_snpa_asan.out
new file mode 100644 (file)
index 0000000..82732ca
--- /dev/null
@@ -0,0 +1,12 @@
+UI 22! ES-IS, length 65565
+       ESH (2), v: 1, checksum: 0x70a1 (incorrect should be 0xfb4e), holding time: 21315s, length indicator: 17
+         Number of Source Addresses: 2
+         NET (length: 0): isonsap_string: illegal length
+         NET (length: 4): ec.ff00.00, bad opts/li
+UI 22! ES-IS, length 65565
+       redirect (6), v: 1, checksum: 0xffff (incorrect should be 0x6b16), holding time: 21253s, length indicator: 17
+         00.04ec.0000
+         SNPA (length: 0): <empty>, bad opts/li
+Q.922, hdr-len 2, DLCI 0, Flags [FECN], NLPID unknown (0x22), length 72482: 
+       0x0000:  0082 1000 5542 5343 70a1 0200 0400 0000  ....UBSCp.......
+       0x0010:  007e                                     .~
diff --git a/tests/esis_snpa_asan.pcap b/tests/esis_snpa_asan.pcap
new file mode 100644 (file)
index 0000000..b573467
Binary files /dev/null and b/tests/esis_snpa_asan.pcap differ