(for 4.9.3) CVE-2018-14467/BGP: Fix BGP_CAPCODE_MP.
authorFrancois-Xavier Le Bail <[email protected]>
Sun, 8 Oct 2017 11:38:50 +0000 (13:38 +0200)
committerFrancois-Xavier Le Bail <[email protected]>
Sun, 18 Aug 2019 18:35:51 +0000 (20:35 +0200)
Add a bounds check and a comment to bgp_capabilities_print().

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).

print-bgp.c
tests/TESTLIST
tests/bgp-bgp_capabilities_print-oobr-2.out [new file with mode: 0644]
tests/bgp-bgp_capabilities_print-oobr-2.pcap [new file with mode: 0644]

index 1438915a42cadc0d1cd159841647f3abfa0b8841..71bb5a76e259b0b2b2bdc4fdbc3439a524762190 100644 (file)
@@ -2342,6 +2342,8 @@ bgp_capabilities_print(netdissect_options *ndo,
                 ND_TCHECK2(opt[i+2], cap_len);
                 switch (cap_type) {
                 case BGP_CAPCODE_MP:
+                    /* AFI (16 bits), Reserved (8 bits), SAFI (8 bits) */
+                    ND_TCHECK_8BITS(opt + i + 5);
                     ND_PRINT((ndo, "\n\t\tAFI %s (%u), SAFI %s (%u)",
                            tok2str(af_values, "Unknown",
                                       EXTRACT_16BITS(opt+i+2)),
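Review bot: The new `ND_TCHECK_8BITS(opt + i + 5)` guards the captured buffer but not the capability's own declared length: when `cap_len` is smaller than the 4 bytes the added comment documents (the new test's final capability is printed with `length: 0`), the AFI/SAFI print that follows still decodes bytes that belong to whatever comes after this capability rather than reporting it as malformed. A length check before the print would make that case explicit, e.g. `if (cap_len < 4) { ND_PRINT((ndo, " (invalid len %u)", cap_len)); break; }`, placed after the new ND_TCHECK so the two guards stay independent. The `ND_TCHECK2(opt[i+2], cap_len)` above only verifies `cap_len` bytes, so it cannot substitute for this check when `cap_len` is short. bgp_capabilities_print() starts and ends outside this hunk, so whether a shared path later flags a length mismatch cannot be confirmed from here.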
index b77c01c8f5975f3fd0b61631cb95f61e6f402b94..1ebdcda094da66a1de2a7996f97ebd6d202df363 100644 (file)
@@ -558,6 +558,7 @@ icmp-icmp_print-oobr-2 icmp-icmp_print-oobr-2.pcap icmp-icmp_print-oobr-2.out -v
 rsvp-rsvp_obj_print-oobr rsvp-rsvp_obj_print-oobr.pcap rsvp-rsvp_obj_print-oobr.out -v -c3
 vrrp-vrrp_print-oobr vrrp-vrrp_print-oobr.pcap vrrp-vrrp_print-oobr.out -v -c3
 bgp-bgp_capabilities_print-oobr-1 bgp-bgp_capabilities_print-oobr-1.pcap bgp-bgp_capabilities_print-oobr-1.out -v -c1
+bgp-bgp_capabilities_print-oobr-2 bgp-bgp_capabilities_print-oobr-2.pcap bgp-bgp_capabilities_print-oobr-2.out -v -c1
 # The .pcap file is truncated after the 1st packet.
 hncp_dhcpv6data-oobr   hncp_dhcpv6data-oobr.pcap       hncp_dhcpv6data-oobr.out -v -c1
 hncp_dhcpv4data-oobr   hncp_dhcpv4data-oobr.pcap       hncp_dhcpv4data-oobr.out -v -c1
diff --git a/tests/bgp-bgp_capabilities_print-oobr-2.out b/tests/bgp-bgp_capabilities_print-oobr-2.out
new file mode 100644 (file)
index 0000000..21de6f9
--- /dev/null
@@ -0,0 +1,26 @@
+IP (tos 0x1f,CE, ttl 254, id 38671, offset 0, flags [+, DF, rsvd], proto TCP (6), length 4135, bad cksum 200 (->1fdd)!)
+    226.219.0.0.179 > 16.233.34.0.100: Flags [SPUE], seq 347537408:347541483, win 511, urg 65535, options [eol], length 4075: BGP [|BGP]
+       Open Message (1), length: 59
+         Version 255, my AS 65528, Holdtime 4324s, ID 144.8.32.4
+         Optional parameters, length: 29
+           Option Unknown (0), length: 0
+             no decoder for option 0
+           Option Capabilities Advertisement (2), length: 8
+             Graceful Restart (64), length: 0
+               Restart Flags: [none], Restart Time 0s
+             Unknown (0), length: 0
+               no decoder for Capability 0
+             32-Bit AS Number (65), length: 4
+                4 Byte AS 2
+           Option Unknown (0), length: 2
+             no decoder for option 0
+           Option Capabilities Advertisement (2), length: 2
+             Unknown (232), length: 3
+               no decoder for Capability 232
+               0x0000:  0207 04
+           Option Capabilities Advertisement (2), length: 7
+             Multiple Routes to a Destination (4), length: 0
+               no decoder for Capability 4
+             Unknown (8), length: 0
+               no decoder for Capability 8
+             Multiprotocol Extensions (1), length: 0[|BGP]
diff --git a/tests/bgp-bgp_capabilities_print-oobr-2.pcap b/tests/bgp-bgp_capabilities_print-oobr-2.pcap
new file mode 100644 (file)
index 0000000..5c2e1d2
Binary files /dev/null and b/tests/bgp-bgp_capabilities_print-oobr-2.pcap differ