CVE-2017-13054/LLDP: add a missing length check
authorDenis Ovsienko <[email protected]>
Wed, 9 Aug 2017 23:01:55 +0000 (00:01 +0100)
committerDenis Ovsienko <[email protected]>
Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
In lldp_private_8023_print() the case block for subtype 4 (Maximum Frame
Size TLV, IEEE 802.3bc-2009 Section 79.3.4) did not include the length
check and could over-read the input buffer, put it right.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).

print-lldp.c
tests/TESTLIST
tests/lldp_8023_mtu-oobr.out [new file with mode: 0644]
tests/lldp_8023_mtu-oobr.pcap [new file with mode: 0644]

index add7e6a5f94133645ac7b880dbe80e69f8ff7b25..e87b16bd0fcc16444599148d7e4f029298a0be30 100644 (file)
@@ -898,6 +898,9 @@ lldp_private_8023_print(netdissect_options *ndo,
         break;
 
     case LLDP_PRIVATE_8023_SUBTYPE_MTU:
+        if (tlv_len < 6) {
+            return hexdump;
+        }
         ND_PRINT((ndo, "\n\t    MTU size %u", EXTRACT_16BITS(tptr + 4)));
         break;
 
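Review bot: The new guard `if (tlv_len < 6)` in the `LLDP_PRIVATE_8023_SUBTYPE_MTU` case uses a bare 6 with no explanation. A short comment such as `/* OUI (3) + subtype (1) + maximum frame size (2) */` (presumably the layout, given the 16-bit read at `tptr + 4`) would make the bound checkable at a glance. The guard compares against `tlv_len`, the length the TLV declares, so it keeps the read inside the TLV but says nothing by itself about how many bytes were actually captured. lldp_private_8023_print() starts and ends outside this hunk, so it cannot be seen here whether the caller has already checked `tlv_len` bytes against the captured data. If it has not, a captured-length check from the `ND_TCHECK` family is also needed before the `EXTRACT_16BITS()`.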
index a3e038b3fc85cada62543acdc09840a4bb939045..eb0839e0c01fc6073f7d6ae6ae223be42c7c3b9d 100644 (file)
@@ -571,6 +571,7 @@ rsvp_uni-oobr-1     rsvp_uni-oobr-1.pcap    rsvp_uni-oobr-1.out     -v -c1
 rsvp_uni-oobr-2        rsvp_uni-oobr-2.pcap    rsvp_uni-oobr-2.out     -v -c1
 rsvp_uni-oobr-3        rsvp_uni-oobr-3.pcap    rsvp_uni-oobr-3.out     -v -c3
 rpki-rtr-oob           rpki-rtr-oob.pcap       rpki-rtr-oob.out        -v -c1
+lldp_8023_mtu-oobr     lldp_8023_mtu-oobr.pcap lldp_8023_mtu-oobr.out  -v -c1
 
 # bad packets from Katie Holly
 mlppp-oobr             mlppp-oobr.pcap                 mlppp-oobr.out
diff --git a/tests/lldp_8023_mtu-oobr.out b/tests/lldp_8023_mtu-oobr.out
new file mode 100644 (file)
index 0000000..5185583
--- /dev/null
@@ -0,0 +1,4 @@
+LLDP, length 4293194266
+       Organization specific TLV (127), length 4: OUI IEEE 802.3 Private (0x00120f)
+         Max frame size Subtype (4)
+       [|LLDP]
diff --git a/tests/lldp_8023_mtu-oobr.pcap b/tests/lldp_8023_mtu-oobr.pcap
new file mode 100644 (file)
index 0000000..dc6d3df
Binary files /dev/null and b/tests/lldp_8023_mtu-oobr.pcap differ