]> The Tcpdump Group git mirrors - tcpdump/commitdiff
CVE-2017-13007/PKTAP: Pass a properly updated struct pcap_pkthdr to the sub-dissector.
authorGuy Harris <[email protected]>
Mon, 6 Mar 2017 04:21:48 +0000 (20:21 -0800)
committerDenis Ovsienko <[email protected]>
Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
The sub-dissector expects that the length and captured length will
reflect the actual remaining data in the packet, not the raw amount
including the PKTAP header; pass an updated header, just as we do for
PPI.

This fixes a buffer over-read discovered by Yannick Formaggio.

Add a test using the capture file supplied by the reporter(s).

print-pktap.c
tests/TESTLIST
tests/pktap-heap-overflow.out [new file with mode: 0644]
tests/pktap-heap-overflow.pcap [new file with mode: 0644]

index 7144f3c6e9657b851ad4f302c94ecf56f48467bf..4a295fdf6328582d5bf2f25ceb48324d05272eb3 100644 (file)
@@ -104,6 +104,7 @@ pktap_if_print(netdissect_options *ndo,
        u_int length = h->len;
        if_printer printer;
        const pktap_header_t *hdr;
+       struct pcap_pkthdr nhdr;
 
        if (caplen < sizeof(pktap_header_t) || length < sizeof(pktap_header_t)) {
                ND_PRINT((ndo, "[|pktap]"));
@@ -144,7 +145,10 @@ pktap_if_print(netdissect_options *ndo,
 
        case PKT_REC_PACKET:
                if ((printer = lookup_printer(dlt)) != NULL) {
-                       hdrlen += printer(ndo, h, p);
+                       nhdr = *h;
+                       nhdr.caplen = caplen;
+                       nhdr.len = length;
+                       hdrlen += printer(ndo, &nhdr, p);
                } else {
                        if (!ndo->ndo_eflag)
                                pktap_header_print(ndo, (const u_char *)hdr,
index f9ae40dda945bc0d53dbd672400938d5c2e9cc3c..5f18a05745379bd4b105883c914b4b04488e2b28 100644 (file)
@@ -502,6 +502,7 @@ juniper_es          juniper_es.pcap                 juniper_es.out  -vvv -e
 
 # bad packets from Yannick Formaggio
 l2tp-avp-overflow      l2tp-avp-overflow.pcap          l2tp-avp-overflow.out   -v
+pktap-heap-overflow    pktap-heap-overflow.pcap        pktap-heap-overflow.out -v
 
 # RTP tests
 # fuzzed pcap
diff --git a/tests/pktap-heap-overflow.out b/tests/pktap-heap-overflow.out
new file mode 100644 (file)
index 0000000..e23ed91
--- /dev/null
@@ -0,0 +1,3 @@
+[|pktap]
+[|ppp]
+EXIT CODE 00000100
diff --git a/tests/pktap-heap-overflow.pcap b/tests/pktap-heap-overflow.pcap
new file mode 100644 (file)
index 0000000..e8b0f21
Binary files /dev/null and b/tests/pktap-heap-overflow.pcap differ