(for 4.9.3) CVE-2018-14464/LMP: Add a missing bounds check
authorFrancois-Xavier Le Bail <[email protected]>
Tue, 17 Oct 2017 19:56:46 +0000 (21:56 +0200)
committerFrancois-Xavier Le Bail <[email protected]>
Sun, 18 Aug 2019 18:35:51 +0000 (20:35 +0200)
In lmp_print_data_link_subobjs().

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).

print-lmp.c
tests/TESTLIST
tests/lmp-lmp_print_data_link_subobjs-oobr.out [new file with mode: 0644]
tests/lmp-lmp_print_data_link_subobjs-oobr.pcap [new file with mode: 0644]

index 2edbb581389bbbfeb3863099d57a5668d7f21feb..ee126a0195b50d43254db78b88977cf59b573c97 100644 (file)
@@ -399,6 +399,7 @@ lmp_print_data_link_subobjs(netdissect_options *ndo, const u_char *obj_tptr,
                        "Unknown",
                        EXTRACT_8BITS(obj_tptr + offset + 3)),
                        EXTRACT_8BITS(obj_tptr + offset + 3)));
+           ND_TCHECK_32BITS(obj_tptr + offset + 4);
            bw.i = EXTRACT_32BITS(obj_tptr+offset+4);
            ND_PRINT((ndo, "\n\t      Min Reservable Bandwidth: %.3f Mbps",
                 bw.f*8/1000000));
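Review bot: The new ND_TCHECK_32BITS at `obj_tptr + offset + 4` bounds only that one four-byte field, while the reads just above it (EXTRACT_8BITS at offset + 3) and any further reads this case makes after the Min Reservable Bandwidth line are outside the check; the rest of the case is outside the hunk, so if it goes on to another EXTRACT_32BITS (say at offset + 8) that read would still be unguarded. Since subobj_len is already known before the switch (it is added to offset at the end of the loop), a single `ND_TCHECK2(obj_tptr[offset], subobj_len);` at the top of the loop body would bound every read in every subobject case at once, and the per-field check could then stay as a second line of defence. lmp_print_data_link_subobjs starts and ends outside this hunk, so the placement of such a check cannot be verified from here.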
@@ -419,6 +420,8 @@ lmp_print_data_link_subobjs(netdissect_options *ndo, const u_char *obj_tptr,
        offset+=subobj_len;
     }
     return (hexdump);
+trunc:
+    return -1;
 }
 
 void
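Review bot: The new `trunc:` label turns the return value into a tri-state (-1 on truncation, otherwise the TRUE/FALSE hexdump flag) but nothing documents that contract, and the callers now have to distinguish -1 from TRUE rather than just testing for non-zero as they did before. The function's signature is outside this hunk; a header comment there along the lines of `/* Returns -1 if the packet is truncated (caller should goto trunc), else TRUE if the caller should hexdump the object, else FALSE. */` would make the three-way meaning explicit for the next caller. A short comment on the label itself, `trunc: /* packet ended inside a subobject */`, would also help a reader who lands here from a goto.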
@@ -429,7 +432,7 @@ lmp_print(netdissect_options *ndo,
     const struct lmp_object_header *lmp_obj_header;
     const u_char *tptr,*obj_tptr;
     u_int tlen,lmp_obj_len,lmp_obj_ctype,obj_tlen;
-    int hexdump;
+    int hexdump, ret;
     u_int offset;
     u_int link_type;
 
@@ -731,7 +734,10 @@ lmp_print(netdissect_options *ndo,
                        ipaddr_string(ndo, obj_tptr+8),
                        EXTRACT_32BITS(obj_tptr+8)));
 
-               if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12))
+               ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12);
+               if (ret == -1)
+                   goto trunc;
+               if (ret == TRUE)
                    hexdump=TRUE;
                break;
 
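Review bot: `if (ret == TRUE)` compares against the TRUE macro, whereas the replaced code tested the callee's result for non-zero; if lmp_print_data_link_subobjs ever returns a non-zero value other than TRUE or -1, hexdump is silently left unset. Keeping the old truthiness test after the truncation check, `if (ret) hexdump=TRUE;`, preserves the original semantics exactly. The same four-line sequence is repeated in the two following hunks (the `obj_tlen - 36, 36` and the second `obj_tlen - 12, 12` call sites), so the change applies there too, and folding the pattern into one small static helper would avoid the triplication. The `goto trunc` target in lmp_print is presumably the label the function already uses for its own ND_TCHECK macros; it is not visible in this hunk.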
@@ -751,7 +757,10 @@ lmp_print(netdissect_options *ndo,
                        ip6addr_string(ndo, obj_tptr+20),
                        EXTRACT_32BITS(obj_tptr+20)));
 
-               if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 36, 36))
+               ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 36, 36);
+               if (ret == -1)
+                   goto trunc;
+               if (ret == TRUE)
                    hexdump=TRUE;
                break;
 
@@ -771,7 +780,10 @@ lmp_print(netdissect_options *ndo,
                        EXTRACT_32BITS(obj_tptr+8),
                        EXTRACT_32BITS(obj_tptr+8)));
 
-               if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12))
+               ret = lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12);
+               if (ret == -1)
+                   goto trunc;
+               if (ret == TRUE)
                    hexdump=TRUE;
                break;
 
index 5d379ea4d5a97f43589341e4f53b417fe7ac6321..6ea71af1b4b2d49150b607da81b689f8920b7760 100644 (file)
@@ -560,6 +560,7 @@ vrrp-vrrp_print-oobr vrrp-vrrp_print-oobr.pcap vrrp-vrrp_print-oobr.out -v -c3
 vrrp-vrrp_print-oobr-2 vrrp-vrrp_print-oobr-2.pcap vrrp-vrrp_print-oobr-2.out -v
 bgp-bgp_capabilities_print-oobr-1 bgp-bgp_capabilities_print-oobr-1.pcap bgp-bgp_capabilities_print-oobr-1.out -v -c1
 bgp-bgp_capabilities_print-oobr-2 bgp-bgp_capabilities_print-oobr-2.pcap bgp-bgp_capabilities_print-oobr-2.out -v -c1
+lmp-lmp_print_data_link_subobjs-oobr lmp-lmp_print_data_link_subobjs-oobr.pcap lmp-lmp_print_data_link_subobjs-oobr.out -v -c2
 # The .pcap file is truncated after the 1st packet.
 hncp_dhcpv6data-oobr   hncp_dhcpv6data-oobr.pcap       hncp_dhcpv6data-oobr.out -v -c1
 hncp_dhcpv4data-oobr   hncp_dhcpv4data-oobr.pcap       hncp_dhcpv4data-oobr.out -v -c1
diff --git a/tests/lmp-lmp_print_data_link_subobjs-oobr.out b/tests/lmp-lmp_print_data_link_subobjs-oobr.out
new file mode 100644 (file)
index 0000000..6709b26
--- /dev/null
@@ -0,0 +1,22 @@
+IP (tos 0xfd,ECT(1), ttl 254, id 45839, offset 0, flags [+, DF, rsvd], proto UDP (17), length 56871, bad cksum fe07 (->ddf0)!)
+    17.8.8.255.701 > 40.184.42.8.12: 
+       LMPv1, msg-type: unknown, type: 249, Flags: [none], length: 212
+         Data Link Object (12), Class-Type: Unnumbered (3) Flags: [non-negotiable], length: 20
+           Flags: [none]
+           Local Interface ID: 2435832538 (0x912fdada)
+           Remote Interface ID: 3657433088 (0xda000000)
+           Subobject, Type: Interface Switching Type (1), Length: 4
+             Switching Type: Unknown (0)
+             Encoding Type: Unknown (0)
+                packet exceeded snapshot
+IP (tos 0xfd,ECT(1), ttl 254, id 45839, offset 0, flags [+, DF, rsvd], proto UDP (17), length 56871, bad cksum fe07 (->ddf0)!)
+    17.8.8.255.701 > 40.184.42.8.12: 
+       LMPv1, msg-type: unknown, type: 249, Flags: [none], length: 212
+         Data Link Object (12), Class-Type: Unnumbered (3) Flags: [non-negotiable], length: 20
+           Flags: [none]
+           Local Interface ID: 2435832538 (0x912fdada)
+           Remote Interface ID: 3657433088 (0xda000000)
+           Subobject, Type: Interface Switching Type (1), Length: 4
+             Switching Type: Unknown (0)
+             Encoding Type: Unknown (0)
+                packet exceeded snapshot
diff --git a/tests/lmp-lmp_print_data_link_subobjs-oobr.pcap b/tests/lmp-lmp_print_data_link_subobjs-oobr.pcap
new file mode 100644 (file)
index 0000000..d1a6ad9
Binary files /dev/null and b/tests/lmp-lmp_print_data_link_subobjs-oobr.pcap differ