CVE-2017-13014/White Board: Do more bounds checks.

This fixes a buffer over-read discovered by Yannick Formaggio.

Add a test using the capture file supplied by the reporter(s).

While we're at it, print a truncation error if the packets are
truncated, rather than just, in effect, ignoring the result of the
routines that print particular packet types.

diff --git a/print-wb.c b/print-wb.c
index 88857d9618d742d7b9bfe1a979fd19d0d65449e0..c0df48d747185e9d82699cf12299ba761a17a9a7 100644 (file)
--- a/print-wb.c
+++ b/print-wb.c
@@ -263,9 +263,8 @@ wb_prep(netdissect_options *ndo,
        const u_char *ep = ndo->ndo_snapend;
 
        ND_PRINT((ndo, " wb-prep:"));
        const u_char *ep = ndo->ndo_snapend;
 
        ND_PRINT((ndo, " wb-prep:"));

-       if (len < sizeof(*prep)) {
+       if (len < sizeof(*prep) || !ND_TTEST(*prep))

                return (-1);
                return (-1);

-       }

        n = EXTRACT_32BITS(&prep->pp_n);
        ps = (const struct pgstate *)(prep + 1);
        while (--n >= 0 && ND_TTEST(*ps)) {
        n = EXTRACT_32BITS(&prep->pp_n);
        ps = (const struct pgstate *)(prep + 1);
        while (--n >= 0 && ND_TTEST(*ps)) {


@@ -419,31 +418,37 @@ wb_print(netdissect_options *ndo,
        case PT_ID:
                if (wb_id(ndo, (const struct pkt_id *)(ph + 1), len) >= 0)
                        return;
        case PT_ID:
                if (wb_id(ndo, (const struct pkt_id *)(ph + 1), len) >= 0)
                        return;

+               ND_PRINT((ndo, "%s", tstr));

                break;
 
        case PT_RREQ:
                if (wb_rreq(ndo, (const struct pkt_rreq *)(ph + 1), len) >= 0)
                        return;
                break;
 
        case PT_RREQ:
                if (wb_rreq(ndo, (const struct pkt_rreq *)(ph + 1), len) >= 0)
                        return;

+               ND_PRINT((ndo, "%s", tstr));

                break;
 
        case PT_RREP:
                if (wb_rrep(ndo, (const struct pkt_rrep *)(ph + 1), len) >= 0)
                        return;
                break;
 
        case PT_RREP:
                if (wb_rrep(ndo, (const struct pkt_rrep *)(ph + 1), len) >= 0)
                        return;

+               ND_PRINT((ndo, "%s", tstr));

                break;
 
        case PT_DRAWOP:
                if (wb_drawop(ndo, (const struct pkt_dop *)(ph + 1), len) >= 0)
                        return;
                break;
 
        case PT_DRAWOP:
                if (wb_drawop(ndo, (const struct pkt_dop *)(ph + 1), len) >= 0)
                        return;

+               ND_PRINT((ndo, "%s", tstr));

                break;
 
        case PT_PREQ:
                if (wb_preq(ndo, (const struct pkt_preq *)(ph + 1), len) >= 0)
                        return;
                break;
 
        case PT_PREQ:
                if (wb_preq(ndo, (const struct pkt_preq *)(ph + 1), len) >= 0)
                        return;

+               ND_PRINT((ndo, "%s", tstr));

                break;
 
        case PT_PREP:
                if (wb_prep(ndo, (const struct pkt_prep *)(ph + 1), len) >= 0)
                        return;
                break;
 
        case PT_PREP:
                if (wb_prep(ndo, (const struct pkt_prep *)(ph + 1), len) >= 0)
                        return;

+               ND_PRINT((ndo, "%s", tstr));

                break;
 
        default:
                break;
 
        default:

diff --git a/tests/TESTLIST b/tests/TESTLIST
index d69e940513ddeb968bc9f8ae68d6a492165248a6..b16737cf6ae73a0bf1360313fdd91b7ed3ce2ca1 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -506,6 +506,7 @@ juniper_es          juniper_es.pcap                 juniper_es.out  -vvv -e
 # bad packets from Yannick Formaggio
 l2tp-avp-overflow      l2tp-avp-overflow.pcap          l2tp-avp-overflow.out   -v
 pktap-heap-overflow    pktap-heap-overflow.pcap        pktap-heap-overflow.out -v
 # bad packets from Yannick Formaggio
 l2tp-avp-overflow      l2tp-avp-overflow.pcap          l2tp-avp-overflow.out   -v
 pktap-heap-overflow    pktap-heap-overflow.pcap        pktap-heap-overflow.out -v

+wb-oobr                        wb-oobr.pcap                    wb-oobr.out     -v

 
 # bad packets from Bhargava Shastry
 lldp_asan              lldp_asan.pcap                  lldp_asan.out   -v
 
 # bad packets from Bhargava Shastry
 lldp_asan              lldp_asan.pcap                  lldp_asan.out   -v

diff --git a/tests/wb-oobr.out b/tests/wb-oobr.out
new file mode 100644 (file)
index 0000000..9f00e37
--- /dev/null
+++ b/tests/wb-oobr.out
@@ -0,0 +1,18 @@
+MPLS (label 197376, exp 7, [S], ttl 48)
+       IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->7754)!)
+    48.4.4.4.4400 > 127.0.0.1.3503: 
+                packet exceeded snapshot
+IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->699d)!)
+    48.48.48.48.3503 > 48.48.48.48.4567: * wb-prep:[|wb]
+MPLS (label 197376, exp 7, [S], ttl 48)
+       IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->699d)!)
+    48.48.48.48.4400 > 48.48.48.48.3503: 
+                packet exceeded snapshot
+IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->c624)!)
+    48.48.0.1.3503 > 48.4.4.4.4567: * wb-prep:[|wb]
+MPLS (label 197376, exp 7, [S], ttl 48)
+       IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->7754)!)
+    48.4.4.4.4400 > 127.0.0.1.3503: 
+                packet exceeded snapshot
+IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto UDP (17), length 12336, bad cksum 3030 (->c624)!)
+    48.48.0.1.3503 > 48.4.4.4.4567: * wb-prep:[|wb]

diff --git a/tests/wb-oobr.pcap b/tests/wb-oobr.pcap
new file mode 100644 (file)
index 0000000..577b1a0
Binary files /dev/null and b/tests/wb-oobr.pcap differ