CVE-2016-7975/Make sure we have the data offset field before fetching it.
authorGuy Harris <[email protected]>
Fri, 3 Jul 2015 23:47:12 +0000 (16:47 -0700)
committerFrancois-Xavier Le Bail <[email protected]>
Wed, 18 Jan 2017 08:16:36 +0000 (09:16 +0100)
Fixes a heap overflow found with American Fuzzy Lop by Hanno Böck.

print-tcp.c
tests/TESTLIST
tests/tcp_header_heapoverflow.out [new file with mode: 0644]
tests/tcp_header_heapoverflow.pcap [new file with mode: 0644]

index 3a89e8d3cb77253c3343fc6ee9bf54c8bdcf0ef5..f00ff32514802bebf9dd4ad8df20b300ffeb873a 100644 (file)
@@ -189,8 +189,6 @@ tcp_print(netdissect_options *ndo,
         sport = EXTRACT_16BITS(&tp->th_sport);
         dport = EXTRACT_16BITS(&tp->th_dport);
 
-        hlen = TH_OFF(tp) * 4;
-
         if (ip6) {
                 if (ip6->ip6_nxt == IPPROTO_TCP) {
                         ND_PRINT((ndo, "%s.%s > %s.%s: ",
@@ -215,14 +213,16 @@ tcp_print(netdissect_options *ndo,
                 }
         }
 
+        ND_TCHECK(*tp);
+
+        hlen = TH_OFF(tp) * 4;
+
         if (hlen < sizeof(*tp)) {
                 ND_PRINT((ndo, " tcp %d [bad hdr length %u - too short, < %lu]",
                              length - hlen, hlen, (unsigned long)sizeof(*tp)));
                 return;
         }
 
-        ND_TCHECK(*tp);
-
         seq = EXTRACT_32BITS(&tp->th_seq);
         ack = EXTRACT_32BITS(&tp->th_ack);
         win = EXTRACT_16BITS(&tp->th_win);
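Review bot: The relocated `ND_TCHECK(*tp)` that now precedes `hlen = TH_OFF(tp) * 4;` has no comment recording why it must sit exactly there, so a later cleanup could easily move it back beside the `seq`/`ack` extraction where it used to be and reintroduce the over-read. The port fields at the top of the first hunk are still read before this check, so whatever bound covers them lives above the hunk and evidently does not extend to the data-offset byte that `TH_OFF()` reads; a one-line comment would pin that down, e.g. `/* The data offset lives past the port fields, so the whole fixed header must be captured before TH_OFF() reads it. */`. The hlen-too-short branch that follows is unchanged and is only reachable once the full header is known to be present, which is presumably why the new tests/tcp_header_heapoverflow.out ends in `[|tcp]` rather than the bad-hdr-length message. tcp_print starts before the first hunk and continues past this one.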
index 9ec01426ee3702de068fbf36577f0c0b9c2ee1f5..15c5010446b3f0775136894ea00db2c322a26c9d 100644 (file)
@@ -385,3 +385,4 @@ radiotap-heapoverflow       radiotap-heapoverflow.pcap      radiotap-heapoverflow.out -t -v
 isoclns-heapoverflow   isoclns-heapoverflow.pcap       isoclns-heapoverflow.out        -t -v -n
 tcp-auth-heapoverflow  tcp-auth-heapoverflow.pcap      tcp-auth-heapoverflow.out       -t -v -n
 atm-oam-heapoverflow   atm-oam-heapoverflow.pcap       atm-oam-heapoverflow.out        -t -v -n
+tcp_header_heapoverflow        tcp_header_heapoverflow.pcap    tcp_header_heapoverflow.out     -t -v -n
diff --git a/tests/tcp_header_heapoverflow.out b/tests/tcp_header_heapoverflow.out
new file mode 100644 (file)
index 0000000..0f830ab
--- /dev/null
@@ -0,0 +1,2 @@
+IP (tos 0x30, ttl 48, id 12336, offset 0, flags [none], proto TCP (6), length 12336, bad cksum 3030 (->69a8)!)
+    48.48.48.48.12336 > 48.48.48.48.12336: [|tcp]
diff --git a/tests/tcp_header_heapoverflow.pcap b/tests/tcp_header_heapoverflow.pcap
new file mode 100644 (file)
index 0000000..5471996
Binary files /dev/null and b/tests/tcp_header_heapoverflow.pcap differ