CVE-2016-7924/Add some bounds checks.
authorGuy Harris <[email protected]>
Fri, 3 Jul 2015 23:39:25 +0000 (16:39 -0700)
committerFrancois-Xavier Le Bail <[email protected]>
Wed, 18 Jan 2017 08:16:36 +0000 (09:16 +0100)
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.

Also, get rid of the return value for oam_print(), as it's not used and
not useful.

netdissect.h
print-atm.c
tests/TESTLIST
tests/atm-oam-heapoverflow.out [new file with mode: 0644]
tests/atm-oam-heapoverflow.pcap [new file with mode: 0644]

index a855e87a863da0f61fbc51e37f5ffbf408207f56..3bba2cb1af85d64b1a0fa4a86911e98df37affeb 100644 (file)
@@ -565,7 +565,7 @@ extern const u_char * ns_nprint (netdissect_options *, register const u_char *,
 extern void ns_print(netdissect_options *, const u_char *, u_int, int);
 extern void nsh_print(netdissect_options *ndo, const u_char *bp, u_int len);
 extern void ntp_print(netdissect_options *, const u_char *, u_int);
-extern int oam_print(netdissect_options *, const u_char *, u_int, u_int);
+extern void oam_print(netdissect_options *, const u_char *, u_int, u_int);
 extern void olsr_print(netdissect_options *, const u_char *, u_int, int);
 extern void openflow_print(netdissect_options *, const u_char *, const u_int);
 extern void ospf6_print(netdissect_options *, const u_char *, u_int);
index 5d3d3394d73eee355d75fbc67a000296daed9cbd..058541c2128ed1dd1195be57d640e6f38d748933 100644 (file)
@@ -448,7 +448,7 @@ struct oam_fm_ais_rdi_t {
     uint8_t unused[28];
 };
 
-int
+void
 oam_print (netdissect_options *ndo,
            const u_char *p, u_int length, u_int hec)
 {
@@ -462,6 +462,7 @@ oam_print (netdissect_options *ndo,
     } oam_ptr;
 
 
+    ND_TCHECK(*(p+ATM_HDR_LEN_NOHEC+hec));
     cell_header = EXTRACT_32BITS(p+hec);
     cell_type = ((*(p+ATM_HDR_LEN_NOHEC+hec))>>4) & 0x0f;
     func_type = (*(p+ATM_HDR_LEN_NOHEC+hec)) & 0x0f;
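Review bot: The single-byte ND_TCHECK added on the first new line guards the 4-byte EXTRACT_32BITS(p+hec) on the following line only indirectly, by checking a byte that lies past the header, and that is sound only because ATM_HDR_LEN_NOHEC is at least 4, which the hunk does not show. Stating the covered span explicitly reads better and leaves the bound unchanged: `ND_TCHECK2(*(p+hec), ATM_HDR_LEN_NOHEC + 1); /* cell header plus cell/func-type byte */`. oam_print's body continues outside the hunk on both sides.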
@@ -478,7 +479,7 @@ oam_print (netdissect_options *ndo,
            clp, length));
 
     if (!ndo->ndo_vflag) {
-        return 1;
+        return;
     }
 
     ND_PRINT((ndo, "\n\tcell-type %s (%u)",
@@ -497,6 +498,7 @@ oam_print (netdissect_options *ndo,
     switch (cell_type << 4 | func_type) {
     case (OAM_CELLTYPE_FM << 4 | OAM_FM_FUNCTYPE_LOOPBACK):
         oam_ptr.oam_fm_loopback = (const struct oam_fm_loopback_t *)(p + OAM_CELLTYPE_FUNCTYPE_LEN);
+        ND_TCHECK(*oam_ptr.oam_fm_loopback);
         ND_PRINT((ndo, "\n\tLoopback-Indicator %s, Correlation-Tag 0x%08x",
                tok2str(oam_fm_loopback_indicator_values,
                        "Unknown",
@@ -519,6 +521,7 @@ oam_print (netdissect_options *ndo,
     case (OAM_CELLTYPE_FM << 4 | OAM_FM_FUNCTYPE_AIS):
     case (OAM_CELLTYPE_FM << 4 | OAM_FM_FUNCTYPE_RDI):
         oam_ptr.oam_fm_ais_rdi = (const struct oam_fm_ais_rdi_t *)(p + OAM_CELLTYPE_FUNCTYPE_LEN);
+        ND_TCHECK(*oam_ptr.oam_fm_ais_rdi);
         ND_PRINT((ndo, "\n\tFailure-type 0x%02x", oam_ptr.oam_fm_ais_rdi->failure_type));
         ND_PRINT((ndo, "\n\tLocation-ID "));
         for (idx = 0; idx < sizeof(oam_ptr.oam_fm_ais_rdi->failure_location); idx++) {
@@ -537,6 +540,7 @@ oam_print (netdissect_options *ndo,
     }
 
     /* crc10 checksum verification */
+    ND_TCHECK2(*(p + OAM_CELLTYPE_FUNCTYPE_LEN + OAM_FUNCTION_SPECIFIC_LEN), 2);
     cksum = EXTRACT_16BITS(p + OAM_CELLTYPE_FUNCTYPE_LEN + OAM_FUNCTION_SPECIFIC_LEN)
         & OAM_CRC10_MASK;
     cksum_shouldbe = verify_crc10_cksum(0, p, OAM_PAYLOAD_LEN);
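Review bot: The ND_TCHECK2 added before the EXTRACT_16BITS covers only the two CRC bytes, but verify_crc10_cksum(0, p, OAM_PAYLOAD_LEN) on the last line of the hunk reads OAM_PAYLOAD_LEN bytes from p, and that read is within the captured data only if OAM_PAYLOAD_LEN equals OAM_CELLTYPE_FUNCTYPE_LEN + OAM_FUNCTION_SPECIFIC_LEN + 2, a relationship between constants the hunk does not show. Guarding the CRC input directly removes the dependency on that arithmetic: keep the existing check and add `ND_TCHECK2(*p, OAM_PAYLOAD_LEN); /* verify_crc10_cksum() reads the whole payload */` next to it. The enclosing function continues outside the hunk on both sides.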
@@ -545,5 +549,9 @@ oam_print (netdissect_options *ndo,
            cksum,
            cksum_shouldbe == 0 ? "" : "in"));
 
-    return 1;
+    return;
+
+trunc:
+    ND_PRINT((ndo, "[|oam]"));
+    return;
 }
index 99c40a46fb8a6bd41875218f0c4ba4378c5b5f11..9ec01426ee3702de068fbf36577f0c0b9c2ee1f5 100644 (file)
@@ -384,3 +384,4 @@ geonet-mac-lookup-heapoverflow      geonet-mac-lookup-heapoverflow.pcap     geonet-mac-lo
 radiotap-heapoverflow  radiotap-heapoverflow.pcap      radiotap-heapoverflow.out -t -v -n
 isoclns-heapoverflow   isoclns-heapoverflow.pcap       isoclns-heapoverflow.out        -t -v -n
 tcp-auth-heapoverflow  tcp-auth-heapoverflow.pcap      tcp-auth-heapoverflow.out       -t -v -n
+atm-oam-heapoverflow   atm-oam-heapoverflow.pcap       atm-oam-heapoverflow.out        -t -v -n
diff --git a/tests/atm-oam-heapoverflow.out b/tests/atm-oam-heapoverflow.out
new file mode 100644 (file)
index 0000000..cdcb8ce
--- /dev/null
@@ -0,0 +1 @@
+[|oam]
diff --git a/tests/atm-oam-heapoverflow.pcap b/tests/atm-oam-heapoverflow.pcap
new file mode 100644 (file)
index 0000000..2d48ebd
Binary files /dev/null and b/tests/atm-oam-heapoverflow.pcap differ