CVE-2016-7932/Add some bounds checking.
authorGuy Harris <[email protected]>
Fri, 3 Jul 2015 19:31:50 +0000 (12:31 -0700)
committerFrancois-Xavier Le Bail <[email protected]>
Wed, 18 Jan 2017 08:16:35 +0000 (09:16 +0100)
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.

print-pim.c
tests/TESTLIST
tests/heapoverflow-in_checksum.out [new file with mode: 0644]
tests/heapoverflow-in_checksum.pcap [new file with mode: 0644]

index 5ec9c0f78af20ea0032ead9267076bea97d8cbfa..092c41fe196397ff2759ddb57dc5889adabd6b95 100644 (file)
@@ -622,11 +622,16 @@ enum checksum_status {
 };
 
 static enum checksum_status
-pimv2_check_checksum(netdissect_options *ndo, const u_char *bp, const u_char *bp2, u_int len)
+pimv2_check_checksum(netdissect_options *ndo, const u_char *bp,
+                    const u_char *bp2, u_int len)
 {
        const struct ip *ip;
        u_int cksum;
 
+       if (!ND_TTEST2(bp[0], len)) {
+               /* We don't have all the data. */
+               return (UNVERIFIED);
+       }
        ip = (const struct ip *)bp2;
        if (IP_V(ip) == 4) {
                struct cksum_vec vec[1];
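Review bot: The new ND_TTEST2 guard bounds the `len` bytes from `bp` that the checksum will sum, but the `IP_V(ip)` read on the next line goes through `bp2`, which the guard does not cover; that is only safe if the caller guarantees `bp2` points at an IP header that was already validated, and this hunk cannot show that (pimv2_check_checksum continues past the hunk, where the cksum_vec is presumably filled from bp and len). If that guarantee is not part of the contract, the IP version byte should be bounds-tested as well before branching on IP_V. The comment on the early return would also benefit from saying why a short capture is reported as UNVERIFIED rather than as a checksum failure, e.g. `/* The capture stops short of the len bytes the checksum covers; summing them would read past the snapshot end, and a truncated packet is not evidence of a bad checksum. */`.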
index d4f4bac15dad3e0bcf60739c411e236f3573d7b6..170b1df5e66fe7af4d2c9d7c2ae8559aade1b45a 100644 (file)
@@ -375,3 +375,4 @@ heapoverflow-EXTRACT_16BITS heapoverflow-EXTRACT_16BITS.pcap        heapoverflow-EXTRAC
 heapoverflow-ppp_hdlc_if_print heapoverflow-ppp_hdlc_if_print.pcap     heapoverflow-ppp_hdlc_if_print.out      -t -v -n
 heapoverflow-sl_if_print       heapoverflow-sl_if_print.pcap   heapoverflow-sl_if_print.out    -t -v -n
 heapoverflow-ip_print_demux    heapoverflow-ip_print_demux.pcap        heapoverflow-ip_print_demux.out -t -v -n
+heapoverflow-in_checksum       heapoverflow-in_checksum.pcap   heapoverflow-in_checksum.out    -t -v -n
diff --git a/tests/heapoverflow-in_checksum.out b/tests/heapoverflow-in_checksum.out
new file mode 100644 (file)
index 0000000..fffc692
--- /dev/null
@@ -0,0 +1,3 @@
+IP (tos 0x30, ttl 48, id 12336, offset 0, flags [DF], proto PIM (103), length 12336, bad cksum 3030 (->2947)!)
+    48.48.48.48 > 48.48.48.48: PIMv2, length 12316
+       Hello, RFC2117-encoding, cksum 0x3030 (unverified)[|pim]
diff --git a/tests/heapoverflow-in_checksum.pcap b/tests/heapoverflow-in_checksum.pcap
new file mode 100644 (file)
index 0000000..82a5500
Binary files /dev/null and b/tests/heapoverflow-in_checksum.pcap differ