]> The Tcpdump Group git mirrors - tcpdump/commitdiff
projects / tcpdump / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 19d25dd)
CVE-2017-12899/DECnet: Fix bounds checking.
authorGuy Harris <[email protected]>
Fri, 3 Feb 2017 23:52:24 +0000 (15:52 -0800)
committerDenis Ovsienko <[email protected]>
Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
If we're skipping over padding before the *real* flags, check whether
the real flags are in the captured data before fetching it.  This fixes
a buffer over-read discovered by Kamil Frankowicz.

Note one place where we don't need to do bounds checking as it's already
been done.

Add a test using the capture file supplied by the reporter(s).

print-decnet.c patch | blob | history
tests/TESTLIST patch | blob | history
tests/decnet-oobr.out [new file with mode: 0644] patch | blob
tests/decnet-oobr.pcap [new file with mode: 0644] patch | blob

diff --git a/print-decnet.c b/print-decnet.c
index 88aa9e3efe757911b98336c258c806b320a05edb..de7de2758ee73192769a06e9edf64cce3ebca65c 100644 (file)
--- a/print-decnet.c
+++ b/print-decnet.c
@@ -542,6 +542,7 @@ decnet_print(netdissect_options *ndo,
            length -= padlen;
            caplen -= padlen;
            rhp = (const union routehdr *)&(ap[sizeof(short)]);
+           ND_TCHECK(rhp->rh_short.sh_flags);
            mflags = EXTRACT_LE_8BITS(rhp->rh_short.sh_flags);
        }
 
@@ -613,6 +614,7 @@ print_decnet_ctlmsg(netdissect_options *ndo,
                     register const union routehdr *rhp, u_int length,
                     u_int caplen)
 {
+       /* Our caller has already checked for mflags */
        int mflags = EXTRACT_LE_8BITS(rhp->rh_short.sh_flags);
        register const union controlmsg *cmp = (const union controlmsg *)rhp;
        int src, dst, info, blksize, eco, ueco, hello, other, vers;
diff --git a/tests/TESTLIST b/tests/TESTLIST
index 248c5397366c9684758d9f2a489a2e1e39a28c05..5e3ea8d51a7194056b3cc238c846976982a11ae4 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -444,6 +444,7 @@ hoobr_safeputs              hoobr_safeputs.pcap             hoobr_safeputs.out
 isakmp-rfc3948-oobr    isakmp-rfc3948-oobr.pcap        isakmp-rfc3948-oobr.out
 isoclns-oobr           isoclns-oobr.pcap               isoclns-oobr.out
 nfs-attr-oobr          nfs-attr-oobr.pcap              nfs-attr-oobr.out
+decnet-oobr            decnet-oobr.pcap                decnet-oobr.out
 
 # bad packets from Wilfried Kirsch
 slip-bad-direction     slip-bad-direction.pcap         slip-bad-direction.out  -ve
diff --git a/tests/decnet-oobr.out b/tests/decnet-oobr.out
new file mode 100644 (file)
index 0000000..c296076
--- /dev/null
+++ b/tests/decnet-oobr.out
@@ -0,0 +1,4 @@
+30:30:30:30:30:30 > 30:30:30:30:30:30, ethertype Unknown (0x3030), length 808464432: 
+       0x0000:  3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
+       0x0010:  3030 3030                                0000
+MEDSA 16.6:48: [|decnet]
diff --git a/tests/decnet-oobr.pcap b/tests/decnet-oobr.pcap
new file mode 100644 (file)
index 0000000..7c09c1e
Binary files /dev/null and b/tests/decnet-oobr.pcap differ
[mirror] the TCPdump network dissector