]> The Tcpdump Group git mirrors - tcpdump/commitdiff
projects / tcpdump / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 39582c0)
CVE-2017-13044/HNCP: add DHCPv4-Data bounds checks
authorDenis Ovsienko <[email protected]>
Sat, 29 Jul 2017 20:45:35 +0000 (21:45 +0100)
committerDenis Ovsienko <[email protected]>
Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
dhcpv4_print() in print-hncp.c had the same bug as dhcpv6_print(), apply
a fix along the same lines.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).

print-hncp.c patch | blob | history
tests/TESTLIST patch | blob | history
tests/hncp_dhcpv4data-oobr.out [new file with mode: 0644] patch | blob
tests/hncp_dhcpv4data-oobr.pcap [new file with mode: 0644] patch | blob

diff --git a/print-hncp.c b/print-hncp.c
index d0c9a3ea633416cc3557c04a8815499019ef8eae..c0e0064481c44debca94b2cfd70eabbe54cfa227 100644 (file)
--- a/print-hncp.c
+++ b/print-hncp.c
@@ -270,6 +270,8 @@ dhcpv4_print(netdissect_options *ndo,
 
     i = 0;
     while (i < length) {
+        if (i + 2 > length)
+            return -1;
         tlv = cp + i;
         type = (uint8_t)tlv[0];
         optlen = (uint8_t)tlv[1];
@@ -281,6 +283,8 @@ dhcpv4_print(netdissect_options *ndo,
 
         ND_PRINT((ndo, "%s", tok2str(dh4opt_str, "Unknown", type)));
         ND_PRINT((ndo," (%u)", optlen + 2 ));
+        if (i + 2 + optlen > length)
+            return -1;
 
         switch (type) {
         case DH4OPT_DNS_SERVERS:
diff --git a/tests/TESTLIST b/tests/TESTLIST
index c72f7de6f1ed6ac2bf03acdd857a3c967d5638b2..b42ba5b1490d9a98e531c44cdbf2afa67b8a65d7 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -560,6 +560,8 @@ isakmpv1-attr-oobr  isakmpv1-attr-oobr.pcap         isakmpv1-attr-oobr.out  -v
 # code path and will not test the vulnerability unless modified respectively.
 # The .pcap file is truncated after the 1st packet.
 hncp_dhcpv6data-oobr   hncp_dhcpv6data-oobr.pcap       hncp_dhcpv6data-oobr.out -v -c1
+# Same comments apply to the case below.
+hncp_dhcpv4data-oobr   hncp_dhcpv4data-oobr.pcap       hncp_dhcpv4data-oobr.out -v -c1
 
 # bad packets from Katie Holly
 mlppp-oobr             mlppp-oobr.pcap                 mlppp-oobr.out
diff --git a/tests/hncp_dhcpv4data-oobr.out b/tests/hncp_dhcpv4data-oobr.out
new file mode 100644 (file)
index 0000000..7d558dd
--- /dev/null
+++ b/tests/hncp_dhcpv4data-oobr.out
@@ -0,0 +1,4 @@
+IP truncated-ip - 260 bytes missing! (tos 0x12,ECT(0), ttl 48, id 21323, offset 0, flags [+, DF, rsvd], proto UDP (17), length 296, bad cksum 8e0f (->cd08)!)
+    1.2.7.0.1812 > 128.253.0.96.8231: hncp (268)
+       DHCPv4-Data (6)
+               DNS-server (98) (invalid)
diff --git a/tests/hncp_dhcpv4data-oobr.pcap b/tests/hncp_dhcpv4data-oobr.pcap
new file mode 100644 (file)
index 0000000..fb7c776
Binary files /dev/null and b/tests/hncp_dhcpv4data-oobr.pcap differ
[mirror] the TCPdump network dissector