(for 4.9.3) CVE-2018-14880/OSPFv3: Fix a bounds check

Need to test bounds check for the last field of the structure lsa6_hdr.
No need to test other fields.

Include Security working under the Mozilla SOS program had independently
identified this vulnerability in 2018 by means of code audit.

Wang Junjie of 360 ESG Codesafe Team had independently identified this
vulnerability in 2018 by means of fuzzing and provided the packet capture
file for the test.

diff --git a/print-ospf6.c b/print-ospf6.c
index a5ac3051708978a39ef9c0dc69908939739b927c..66ab2f75ff046ec273e8d3faca5daffc9ed9940d 100644 (file)
--- a/print-ospf6.c
+++ b/print-ospf6.c
@@ -389,8 +389,7 @@ ospf6_print_lshdr(netdissect_options *ndo,
 {
        if ((const u_char *)(lshp + 1) > dataend)
                goto trunc;
-       ND_TCHECK(lshp->ls_type);
-       ND_TCHECK(lshp->ls_seq);
+       ND_TCHECK(lshp->ls_length);     /* last field of struct lsa6_hdr */
 
        ND_PRINT((ndo, "\n\t  Advertising Router %s, seq 0x%08x, age %us, length %u",
                ipaddr_string(ndo, &lshp->ls_router),

diff --git a/tests/TESTLIST b/tests/TESTLIST
index 6ea71af1b4b2d49150b607da81b689f8920b7760..a0bdabc39d09b1f29c8899d7a386c30d84c00699 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -596,6 +596,9 @@ icmp6_nodeinfo_oobr icmp6_nodeinfo_oobr.pcap        icmp6_nodeinfo_oobr.out
 rx_ubik-oobr           rx_ubik-oobr.pcap               rx_ubik-oobr.out -c1
 babel_update_oobr      babel_update_oobr.pcap  babel_update_oobr.out   -c 52
 
+# bad packets from Junjie Wang
+ospf6_print_lshdr-oobr ospf6_print_lshdr-oobr.pcapng   ospf6_print_lshdr-oobr.out      -vv -c15
+
 # RTP tests
 # fuzzed pcap
 rtp-seg-fault-1  rtp-seg-fault-1.pcap  rtp-seg-fault-1.out  -v -T rtp

diff --git a/tests/ospf6_print_lshdr-oobr.out b/tests/ospf6_print_lshdr-oobr.out
new file mode 100644 (file)
index 0000000..71adf6b
--- /dev/null
+++ b/tests/ospf6_print_lshdr-oobr.out
@@ -0,0 +1,59 @@
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 36) fe80::1 > ff02::5: OSPFv3, Hello, length 36
+       Router-ID 1.1.1.1, Area 0.0.0.1
+       Options [V6, External, Router]
+         Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
+         Neighbor List:
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 36) fe80::1 > ff02::5: OSPFv3, Hello, length 36
+       Router-ID 1.1.1.1, Area 0.0.0.1
+       Options [V6, External, Router]
+         Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
+         Neighbor List:
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 36) fe80::1 > ff02::5: OSPFv3, Hello, length 36
+       Router-ID 1.1.1.1, Area 0.0.0.1
+       Options [V6, External, Router]
+         Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
+         Neighbor List:
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 36) fe80::1 > ff02::5: OSPFv3, Hello, length 36
+       Router-ID 1.1.1.1, Area 0.0.0.1
+       Options [V6, External, Router]
+         Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
+         Neighbor List:
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 36) fe80::2 > ff02::5: OSPFv3, Hello, length 36
+       Router-ID 2.2.2.2, Area 0.0.0.1
+       Options [V6, External, Router]
+         Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
+         Neighbor List:
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 40) fe80::1 > ff02::5: OSPFv3, Hello, length 40
+       Router-ID 1.1.1.1, Area 0.0.0.1
+       Options [V6, External, Router]
+         Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.5, Priority 1
+         Designated Router 1.1.1.1
+         Neighbor List: [|ospf3]
+IP6 (class 0xe0, flowlabel 0x00100, hlim 1, next-header OSPF (89) payload length: 28) fe80::2 > fe80::1: OSPFv3, Database Description, length 28
+       Router-ID 2.2.2.2, Area 0.0.0.1
+       Options [V6, External, Router], DD Flags [Init, More, Master], MTU 1500, DD-Sequence 0x00001d46
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 28) fe80::1 > fe80::2: OSPFv3, Database Description, length 28
+       Router-ID 1.1.1.1, Area 0.0.0.1
+       Options [V6, External, Router], DD Flags [Init, More, Master], MTU 1500, DD-Sequence 0x0000242c
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 168) fe80::1 > fe80::2: OSPFv3, Database Description, length 168
+       Router-ID 1.1.1.1, Area 0.0.0.1
+       Options [V6, External, Router], DD Flags [More], MTU 1500, DD-Sequence 0x00001d46 [|ospf3]
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 148) fe80::2 > fe80::1: OSPFv3, Database Description, length 148
+       Router-ID 2.2.2.2, Area 0.0.0.1
+       Options [V6, External, Router], DD Flags [More, Master], MTU 1500, DD-Sequence 0x00001d47 [|ospf3]
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 28) fe80::1 > fe80::2: OSPFv3, Database Description, length 28
+       Router-ID 1.1.1.1, Area 0.0.0.1
+       Options [V6, External, Router], DD Flags [none], MTU 1500, DD-Sequence 0x00001d47
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 100) fe80::2 > fe80::1: OSPFv3, LS-Request, length 100
+       Router-ID 2.2.2.2, Area 0.0.0.1
+         Advertising Router 1.1.1.1
+           Router LSA (1), Area Local Scope, LSA-ID 0.0.0.0 [|ospf3]
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 88) fe80::1 > fe80::2: OSPFv3, LS-Request, length 88
+       Router-ID 1.1.1.1, Area 0.0.0.1
+         Advertising Router 2.2.2.2
+           Router LSA (1), Area Local Scope, LSA-ID 0.0.0.0 [|ospf3]
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 28) fe80::2 > fe80::1: OSPFv3, Database Description, length 28
+       Router-ID 2.2.2.2, Area 0.0.0.1
+       Options [V6, External, Router], DD Flags [Master], MTU 1500, DD-Sequence 0x00001d48
+IP6 (class 0xe0, hlim 1, next-header OSPF (89) payload length: 288) fe80::1 > fe80:0:ff:ffff:f000::2: OSPFv3, LS-Update, length 288
+       Router-ID 1.1.1.1, Area 0.0.0.1 [|ospf3]

diff --git a/tests/ospf6_print_lshdr-oobr.pcapng b/tests/ospf6_print_lshdr-oobr.pcapng
new file mode 100644 (file)
index 0000000..9f96af6
Binary files /dev/null and b/tests/ospf6_print_lshdr-oobr.pcapng differ