(for 4.9.3) CVE-2018-14882/ICMP6 RPL: Add a missing bounds check

Moreover:
Add and use *_tstr[] strings.
Update four tests outputs accordingly.
Fix a space.

Wang Junjie of 360 ESG Codesafe Team had independently identified this
vulnerability in 2018 by means of fuzzing and provided the packet capture
file for the test.

diff --git a/print-icmp6.c b/print-icmp6.c
index b3b975e74f142eea11912c0b2e303ebd9e328803..5cef0efabd5fe78fd0ef92b218eb518f24fcf597 100644 (file)
--- a/print-icmp6.c
+++ b/print-icmp6.c
@@ -41,6 +41,10 @@
 #include "udp.h"
 #include "ah.h"
 
+static const char icmp6_tstr[] = " [|icmp6]";
+static const char rpl_tstr[] = " [|rpl]";
+static const char mldv2_tstr[] = " [|mldv2]";
+
 /*     NetBSD: icmp6.h,v 1.13 2000/08/03 16:30:37 itojun Exp   */
 /*     $KAME: icmp6.h,v 1.22 2000/08/03 15:25:16 jinmei Exp $  */
 
@@ -683,10 +687,11 @@ rpl_dio_printopt(netdissect_options *ndo,
                 }
                 opt = (const struct rpl_dio_genoption *)(((const char *)opt) + optlen);
                 length -= optlen;
+                ND_TCHECK(opt->rpl_dio_len);
         }
         return;
 trunc:
-       ND_PRINT((ndo," [|truncated]"));
+       ND_PRINT((ndo, "%s", rpl_tstr));
        return;
 }
 
@@ -715,7 +720,7 @@ rpl_dio_print(netdissect_options *ndo,
         }
        return;
 trunc:
-       ND_PRINT((ndo," [|truncated]"));
+       ND_PRINT((ndo, "%s", rpl_tstr));
        return;
 }
 
@@ -756,7 +761,7 @@ rpl_dao_print(netdissect_options *ndo,
        return;
 
 trunc:
-       ND_PRINT((ndo," [|truncated]"));
+       ND_PRINT((ndo, "%s", rpl_tstr));
        return;
 
 tooshort:
@@ -800,7 +805,7 @@ rpl_daoack_print(netdissect_options *ndo,
        return;
 
 trunc:
-       ND_PRINT((ndo," [|dao-truncated]"));
+       ND_PRINT((ndo, "%s", rpl_tstr));
        return;
 
 tooshort:
@@ -859,7 +864,7 @@ rpl_print(netdissect_options *ndo,
 
 #if 0
 trunc:
-       ND_PRINT((ndo," [|truncated]"));
+       ND_PRINT((ndo, "%s", rpl_tstr));
        return;
 #endif
 
@@ -1157,7 +1162,7 @@ icmp6_print(netdissect_options *ndo,
                 ND_PRINT((ndo,", length %u", length));
        return;
 trunc:
-       ND_PRINT((ndo, "[|icmp6]"));
+       ND_PRINT((ndo, "%s", icmp6_tstr));
 }
 
 static const struct udphdr *
@@ -1381,8 +1386,8 @@ icmp6_opt_print(netdissect_options *ndo, const u_char *bp, int resid)
        }
        return;
 
- trunc:
-       ND_PRINT((ndo, "[ndp opt]"));
+trunc:
+       ND_PRINT((ndo, "%s", icmp6_tstr));
        return;
 #undef ECHECK
 }
@@ -1457,7 +1462,7 @@ mldv2_report_print(netdissect_options *ndo, const u_char *bp, u_int len)
     }
     return;
 trunc:
-    ND_PRINT((ndo,"[|icmp6]"));
+    ND_PRINT((ndo, "%s", mldv2_tstr));
     return;
 }
 
@@ -1523,7 +1528,7 @@ mldv2_query_print(netdissect_options *ndo, const u_char *bp, u_int len)
     ND_PRINT((ndo,"]"));
     return;
 trunc:
-    ND_PRINT((ndo,"[|icmp6]"));
+    ND_PRINT((ndo, "%s", mldv2_tstr));
     return;
 }
 
@@ -1810,7 +1815,7 @@ icmp6_nodeinfo_print(netdissect_options *ndo, u_int icmp6len, const u_char *bp,
        return;
 
 trunc:
-       ND_PRINT((ndo, "[|icmp6]"));
+       ND_PRINT((ndo, "%s", icmp6_tstr));
 }
 
 static void
@@ -1945,7 +1950,7 @@ icmp6_rrenum_print(netdissect_options *ndo, const u_char *bp, const u_char *ep)
        return;
 
 trunc:
-       ND_PRINT((ndo,"[|icmp6]"));
+       ND_PRINT((ndo, "%s", icmp6_tstr));
 }
 
 /*

diff --git a/tests/TESTLIST b/tests/TESTLIST
index a0bdabc39d09b1f29c8899d7a386c30d84c00699..9d96d29efb8007d64b0019e259650a33bfd86b71 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -598,6 +598,7 @@ babel_update_oobr   babel_update_oobr.pcap  babel_update_oobr.out   -c 52
 
 # bad packets from Junjie Wang
 ospf6_print_lshdr-oobr ospf6_print_lshdr-oobr.pcapng   ospf6_print_lshdr-oobr.out      -vv -c15
+rpl-dao-oobr           rpl-dao-oobr.pcapng             rpl-dao-oobr.out                -vv -c1
 
 # RTP tests
 # fuzzed pcap

diff --git a/tests/icmp6_mobileprefix_asan.out b/tests/icmp6_mobileprefix_asan.out
index 0e0d97c3418e7414456465005a8f18001bf5a90c..889b1c8e34e320e88064a56f71209bdcbbcaa7f7 100644 (file)
--- a/tests/icmp6_mobileprefix_asan.out
+++ b/tests/icmp6_mobileprefix_asan.out
@@ -1,2 +1,2 @@
-IP6 (class 0x50, flowlabel 0x0002c, hlim 0, next-header ICMPv6 (58) payload length: 7168) 4f:f829:c:1a1a:1a1a:1a1a:1a37:0 > 16:0:400:0:64fb:9303:f293:8200: ICMP6, mobile router advertisement, length 7168, id 0x9393[|icmp6]
+IP6 (class 0x50, flowlabel 0x0002c, hlim 0, next-header ICMPv6 (58) payload length: 7168) 4f:f829:c:1a1a:1a1a:1a1a:1a37:0 > 16:0:400:0:64fb:9303:f293:8200: ICMP6, mobile router advertisement, length 7168, id 0x9393 [|icmp6]
 [|ether]

diff --git a/tests/icmp6_nodeinfo_oobr.out b/tests/icmp6_nodeinfo_oobr.out
index 0856ea2f01d389676d7bebcdb6d59b8de7681aac..19db749f930dd70768c08958364358a30da7df3e 100644 (file)
--- a/tests/icmp6_nodeinfo_oobr.out
+++ b/tests/icmp6_nodeinfo_oobr.out
@@ -1 +1 @@
-IP6 a072:7f00:1:7f00:1:e01a:17:6785 > c903::a002:8018:fe30:0:204: ICMP6, who-are-you reply[|icmp6], length 4
+IP6 a072:7f00:1:7f00:1:e01a:17:6785 > c903::a002:8018:fe30:0:204: ICMP6, who-are-you reply [|icmp6], length 4

diff --git a/tests/rpl-19-pickdag.out b/tests/rpl-19-pickdag.out
index d3c41eedeccf18970e73e502eaefc1359b71ffa3..08899db02451617aa5bdbd2e708b1bf0c547ba22 100644 (file)
--- a/tests/rpl-19-pickdag.out
+++ b/tests/rpl-19-pickdag.out
@@ -1 +1 @@
-IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56) fe80::216:3eff:fe11:3424 > fe80::216:3eff:fe11:3424: [icmp6 sum ok] ICMP6, RPL, (CLR)Destination Advertisement Object [dagid:5431::,seq:10,instance:42,Dagid,40] opt:rpltarget len:25  opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0
+IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56) fe80::216:3eff:fe11:3424 > fe80::216:3eff:fe11:3424: [icmp6 sum ok] ICMP6, RPL, (CLR)Destination Advertisement Object [dagid:5431::,seq:10,instance:42,Dagid,40] opt:rpltarget len:25  opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 [|rpl]

diff --git a/tests/rpl-19-pickdagvvv.out b/tests/rpl-19-pickdagvvv.out
index deee0331519878d7c39b0716edad17e5cc7a26fa..3db38343c9960462e48f032a5beed2070d72b758 100644 (file)
--- a/tests/rpl-19-pickdagvvv.out
+++ b/tests/rpl-19-pickdagvvv.out
@@ -1 +1 @@
-IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56) fe80::216:3eff:fe11:3424 > fe80::216:3eff:fe11:3424: [icmp6 sum ok] ICMP6, RPL, (CLR)Destination Advertisement Object [dagid:5431::,seq:10,instance:42,Dagid,40] opt:rpltarget len:25  0x0000:  0080 2001 0db8 0001 0000 0216 3eff fe11 0x0010:  3424 0000 0000 00 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0
+IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56) fe80::216:3eff:fe11:3424 > fe80::216:3eff:fe11:3424: [icmp6 sum ok] ICMP6, RPL, (CLR)Destination Advertisement Object [dagid:5431::,seq:10,instance:42,Dagid,40] opt:rpltarget len:25  0x0000:  0080 2001 0db8 0001 0000 0216 3eff fe11 0x0010:  3424 0000 0000 00 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 opt:pad0 [|rpl]

diff --git a/tests/rpl-dao-oobr.out b/tests/rpl-dao-oobr.out
new file mode 100644 (file)
index 0000000..e410ee1
--- /dev/null
+++ b/tests/rpl-dao-oobr.out
@@ -0,0 +1 @@
+IP6 (hlim 64, next-header ICMPv6 (58) payload length: 56) fe80::216:3eff:fe11:3424 > fe80::216:3eff:fe11:3424: ICMP6, RPL, (CLR)Destination Advertisement Object [dagid:<elided>,seq:0,instance:42,00] opt:subopt:13 len:2  opt:subopt:128 len:15  opt:subopt:13 len:15  [|rpl]

diff --git a/tests/rpl-dao-oobr.pcapng b/tests/rpl-dao-oobr.pcapng
new file mode 100644 (file)
index 0000000..39e95a7
Binary files /dev/null and b/tests/rpl-dao-oobr.pcapng differ