CVE-2017-11108/Fix bounds checking for STP.
authorGuy Harris <[email protected]>
Fri, 3 Feb 2017 23:34:18 +0000 (15:34 -0800)
committerDenis Ovsienko <[email protected]>
Sat, 22 Jul 2017 22:57:42 +0000 (23:57 +0100)
Check whether the flags are in the captured data before printing them in
an MSTP BPDU.

Check whether the V4 length is in the captured data before fetching it.
This fixes a vulnerability discovered by Kamil Frankowicz.

Include a test for the "check whether the V4 length is..." fix, using
the capture supplied by Kamil Frankowicz.

print-stp.c
tests/TESTLIST
tests/stp-v4-length-sigsegv.out [new file with mode: 0644]
tests/stp-v4-length-sigsegv.pcap [new file with mode: 0644]

index 2f5c9175acf5340f9cf3155c98987809f820488e..ee0627ca88be908b2428209c17bf53b38edd08fc 100644 (file)
@@ -256,6 +256,7 @@ stp_print_mstp_bpdu(netdissect_options *ndo, const struct stp_bpdu_ *stp_bpdu,
         return 1;
     }
 
+    ND_TCHECK(stp_bpdu->flags);
     ND_PRINT((ndo, "\n\tport-role %s, ",
            tok2str(rstp_obj_port_role_values, "Unknown",
                    RSTP_EXTRACT_PORT_ROLE(stp_bpdu->flags))));
@@ -475,6 +476,7 @@ stp_print(netdissect_options *ndo, const u_char *p, u_int length)
             if (stp_bpdu->protocol_version == STP_PROTO_SPB)
             {
               /* Validate v4 length */
+              ND_TCHECK_16BITS(p + MST_BPDU_VER3_LEN_OFFSET + mstp_len);
               spb_len = EXTRACT_16BITS (p + MST_BPDU_VER3_LEN_OFFSET + mstp_len);
               spb_len += 2;
               if (length < (sizeof(struct stp_bpdu_) + mstp_len + spb_len) ||
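Review bot: The added ND_TCHECK_16BITS forms the pointer `p + MST_BPDU_VER3_LEN_OFFSET + mstp_len` before anything in the hunk has confirmed that `mstp_len` fits in the captured buffer; if `mstp_len` is decoded from the packet's v3 length field earlier in stp_print (that code is outside the hunk, so this is inferred), a large value moves the pointer past the end of the buffer before the macro's comparison runs, which is out-of-bounds pointer arithmetic even though the comparison catches it in practice. A length-based guard written against the remaining captured bytes, `if ((u_int)(ndo->ndo_snapend - p) < MST_BPDU_VER3_LEN_OFFSET + mstp_len + 2) goto trunc;`, avoids forming the out-of-range pointer at all and can replace the macro on that line. The existing comment now sits in front of two distinct steps, so I would reword it as `/* Make sure the v4 length field itself was captured, then validate it */`. Both new checks rely on a `trunc` label in stp_print_mstp_bpdu and stp_print; the labels and the rest of both function bodies lie outside the hunks, so I could not confirm them here.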
index 52075c655a1970175f48614c4f9ee6c79e72f998..74acd65593af92ce3beb69d42ef408cd123bb5d8 100644 (file)
@@ -438,6 +438,7 @@ snmp-heapoverflow-1 snmp-heapoverflow-1.pcap        snmp-heapoverflow-1.out
 snmp-heapoverflow-2    snmp-heapoverflow-2.pcap        snmp-heapoverflow-2.out
 isoclns-heapoverflow-2 isoclns-heapoverflow-2.pcap     isoclns-heapoverflow-2.out      -e -c1
 isoclns-heapoverflow-3 isoclns-heapoverflow-3.pcap     isoclns-heapoverflow-3.out      -e -c1
+stp-v4-length-sigsegv  stp-v4-length-sigsegv.pcap      stp-v4-length-sigsegv.out
 
 # RTP tests
 # fuzzed pcap
diff --git a/tests/stp-v4-length-sigsegv.out b/tests/stp-v4-length-sigsegv.out
new file mode 100644 (file)
index 0000000..8519243
--- /dev/null
@@ -0,0 +1 @@
+STP 802.1aq, Rapid STP, CIST Flags [Learn, Forward], length 808464415[|stp 808464415]
diff --git a/tests/stp-v4-length-sigsegv.pcap b/tests/stp-v4-length-sigsegv.pcap
new file mode 100644 (file)
index 0000000..b6ae2ac
Binary files /dev/null and b/tests/stp-v4-length-sigsegv.pcap differ